Inside Cybersecurity

July 2, 2022

Daily News

Pentagon waivers for CMMC requirements to be determined based on DOD contract needs

By Sara Friedman / April 13, 2022

The use of waivers for the Pentagon’s Cybersecurity Maturity Model Certification program will be determined based on the needs of acquisition officials for specific contracts, not the qualifications of a company bidding for contract selection, according to CMMC director Stacy Bostjanick.

The Defense Department is in the rulemaking process to implement significant changes to the CMMC program and will allow waivers for the first time under CMMC 2.0. Bostjanick provided an update on what’s next at a cyber event last week hosted by the New England chapter of the National Defense Industrial Association.

In a follow up email to Inside Cybersecurity, she clarified her remarks on how the waiver process will work.

Stacy Bostjanick

Stacy Bostjanick, Chief of Implementation and Policy, Office of the DoD Chief Information Officer

The waiver request will need to be approved by the DOD service acquisition executive responsible for approving acquisition decisions at each military service or DOD agency.

Bostjanick said, “The [DOD] Program Manager would be the one requesting the waiver from the SAE prior to RFP release. This will allow the contract to be awarded and then the contractor would pursue a certification. The contractor would not be involved in getting a waiver.”

At the event, Bostjanick said, “The company that gets the contract is going to have to pursue and close out their CMMC certification. We are thinking the 180-day timeline again and we are going to expect the program and contractor to have some sort of risk mitigation plan for that data while it is exposed because [they] don’t have the CMMC requirements in place.”

The Pentagon plans to require companies to close all waivers and fill assessments gaps identified in a plan of action and milestones (POA&M) within 180 days.

Contracting attorney Robert Metzger commented, “That is very high-level authority to require for waivers. Undoubtedly, there will be various documentation, determination and finding requirements before an SAE would approve such a waiver, and the approval will be supported by such documentation. It should come as no surprise that waivers will be subject to high level approval and demanding documentation and process requirements. DoD projects 80,000 companies will be subject to CMMC Level 2.”

Metzger said, “Waiver requests from any more than a very tiny fraction of that universe could not be handled administratively. And DoD will have good reason not to allow the waiver process to become a general ‘license’ to avoid cyber requirements. Only in exceptional cases, and where DoD and not just the contractor benefits from the waiver, are waivers likely to be granted.”

Metzger is the co-chair of law firm Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group, and a co-author of MITRE’s “Deliver Uncompromised” report.

Since POA&Ms are “more technical in character,” Metzger said he doesn’t expect that their authorizing authority will be the SAE.” He pointed to an approval from the Office of the Under Secretary of Defense for Acquisition and Sustainment or the Defense Contract Management Agency as entities that could be responsible for approving a POA&M request. -- Sara Friedman (