The Defense Department is accelerating by two months its plans to implement changes to the Cybersecurity Maturity Model Certification program, with the release of two interim final rules now expected in March 2023 and requirements to start showing up in contracts 60 days after the rules are published under a three-year rollout plan.
DOD is in the process of updating the original CMMC rulemaking which amended Title 48 of the Code of Federal Regulations. Following an internal review of the CMMC program, the CMMC program management office has been working on a new interim final rule for Title 32 of the CFR.
“The thought process is that we will complete our documentations by July and submit it into the [OMB] process. We are thinking, hoping and praying that by next March we will be approved to get an interim rule. There will be a 60-day comment period which will put us at the end of May 2023,” CMMC director Stacy Bostjanick said at the CMMC Day conference on Monday.
Bostjanick said, “May 2023 is the critical point. That’s when we think we will be able to start putting the requirement in contracts. … You are probably going to see RFIs, RFPs coming out in the summer of 2023.”
The expected timeline is two months earlier than DOD’s plan announced in April to release the interim final rules by May 2023. DOD’s expectation to submit the 32 CFR rule to OMB’s Office of Information and Regulatory Affairs in July 2022 remains unchanged.
The rollout will happen under a “phased approach,” Bostjanick said. Once the rules go into effect, Bostjanick said, DOD is thinking “day one everyone will be required to do the self-assessment, the positive affirmation and then we will move into the RFPs with the third party certifications from that point.”
Bostjanick said the Pentagon is encouraging companies to do “an early adoption of CMMC” through getting an assessment completed by an approved certified third party assessment organization before the rulemakings go into effect. “We are currently working on a capability for the [Defense Contract Management Agency’s] DIBCAC to utilize a C3PAO’s assessment as part of their DIBCAC High assessment,” Bostjanick said.
The DIBCAC will need to “do some oversight” to make the C3PAO assessment equivalent to the DIBCAC High, Bostjanick said. If a company passes, they would get their DIBCAC High assessment recorded into DOD’s Supplier Performance Risk System.
Bostjanick said, “Our intent is to recognize that certification for an additional three years once CMMC becomes a thing. Everyone will still be required to do an annual affirmation that they are still compliant” and show they are still doing what they are supposed to do to meet the certification requirements.
The Defense Department is conducting a tabletop exercise concerning the handling of controlled unclassified information to better understand how to help DOD contracting officers determine what CMMC level requirements should be included in their contract solicitations.
Bostjanick told conference attendees, “Half of your program managers today tell you that you have CUI today and it is not well defined. So I’ve worked for the last few years to put together a CUI guide for the acquisition workforce and now with this tabletop exercise I hope to tweak it and make sure it is something that is actually usable.”
Bostjanick said she wants to avoid producing a guide that is difficult to “weed through” for program managers. “I want it to be quick and easy and understandable and the rule of thumb for them to go by,” she said.
In addition, Bostjanick said she expects CMMC will generate “a lot more communication” between primes and their subcontractors on CUI. She said, “Everyone is going to have to understand the data they are handling and who they handle it to.”
“We are also doing another tabletop exercise with the DIB [sector coordinating council] representatives in June to walk through a CMMC level three procurement and how it would work” to determine where the “stumbling blocks are,” Bostjanick said.
NIST’s Victoria Pillitteri spoke in a separate conference session on her agency’s plan to update NIST Special Publication 800-171. NIST plans to put out a “pre-call” for comments on the NIST 800-171 series in 2022.
NIST 800-171 is foundational to the Defense Department’s Cybersecurity Maturity Model Certification program. As part of the CMMC 2.0 revamp, the Pentagon decided to make CMMC level two align more closely with the 110 controls in NIST 800-171.
Bostjanick said companies who receive a CMMC certification prior to the update to NIST 800-171 would only need to meet the requirements in the current standard, NIST 800-171 Rev. 2. -- Sara Friedman (email@example.com)