Pentagon cyber chief David McKeown says there are ongoing discussions to create a “cyber secure framework” for the defense industrial base that will go beyond the CMMC program and be based on the NIST cybersecurity framework.
The Defense Department is taking on several projects to work with DIB partners in response to the Ukraine invasion, including through CISA’s “Shields Up” initiative. McKeown said the Pentagon is in regular contact with only one percent of its DIB partners, which presents a problem when it comes to notifying companies about potential threats and building resiliency.
“As we go forward, we are partnering with the DIB sector coordinating [council] and CISA and trying to work on how we develop a cyber secure DIB framework. We think it will be based on NIST cybersecurity framework,” McKeown said at a Friday event on the Pentagon’s Cybersecurity Maturity Model Certification program.
McKeown said the Defense government coordinating council and SCC met Friday at Boeing to work through “some of the issues so we can start to get after not just protecting the data but protecting your whole supply chain and making sure it is up and operational and available when needed.”
The CMMC program is focused on protecting sensitive DOD data held by government contractors. CMMC level two requires companies to meet 110 controls on handling controlled unclassified information from NIST Special Publication 800-171.
McKeown and CMMC director Stacy Bostjanick provided updates on the CMMC program at the Friday event hosted by PreVeil. They discussed major program changes announced in November 2021 and rulemaking plans.
Bostjanick said DOD plans to send the new CMMC rulemaking to the Office of Management and Budget for review in “mid-July to early August.” Their intent is to release an “interim rule” in March 2023 that will go into effect 60 days after publication, Bostjanick said.
“Day one not everybody’s going to be required to have a certification to handle CUI, it’s going to be a phased in approach,” Bostjanick said. “We have promised to make sure companies would not end up in a scenario where [they] can’t get a certification but [they] want to participate in a contract.”
Bostjanick said, “We are going to make sure that we meter it out to the point where we don’t have anyone that fails to be able to get certified and is unable to participate in a contract that they wish to participate on.”
“If OMB doesn’t grant us an interim rule, everything would shift later out by another year. It would be March 2024 before we could get a final rule. That would mean you see it in contracts in May 2024,” Bostjanick said.
The CMMC program management office is currently working on a plan to help contractors reach CMMC compliance with help from managed service providers.
Bostjanick said, “There’s an approach we are going to put forth to see if we can get an agreement on which would be a hybrid between [GSA’s] FedRAMP [program] and CMMC. It will clearly outline what the requirements are that each partner in the agreement would have to meet as part of the requirement.”
MSPs would have to fill out a “customer responsibility matrix,” Bostjanick said, adding companies have “struggled with it so far” in getting the necessary documents completed and taking care of “what needs to be done.”
Bostjanick provided an update on the voluntary interim program where companies will be able to obtain a CMMC certification that will be honored when the CMMC rulemaking goes into effect.
She referred to it as the “joint surveillance program,” explaining how companies that were assessed against NIST 800-171 by DCMA’s Defense Industrial Base Cybersecurity Assessment Center three years ago will need to renew their assessments and the upcoming role for fully authorized certified third party assessment organizations.
The DIBCAC doesn’t have the resources to “re-up a bunch of the 300 companies that they started with” in 2019 to conduct a DIBCAC High assessment, Bostjanick said. The plan is to allow a company to contract with C3PAO to conduct the assessment with oversight from the DIBCAC, she said.
The C3PAO will contact The Cyber Accreditation Body to get on the DIBCAC’s schedule for a company assessment. “The DIBCAC assessors will be onsite. They will have one, maybe two assessors on site with your C3PAO assessment…to do some oversight,” Bostjanick told event attendees.
She said the DIBCAC “will then accept the C3PAO assessment report [and] be able to ingest that into the DIBCAC as if it were done by them. They have some regulatory requirements of things they need to check and align with it for it to become a DIBCAC assessment.”
The DIBCAC High assessment and a company’s score will go into DOD’s Enterprise Mission Assurance Support Service (eMASS) website, Bostjanick said.
She said, “Once CMMC becomes a requirement under the interim rule or the final rule, it is our hope and intent that we will be able to allow that certification to be in good stead for an additional three years provided the company does its annual affirmation” that they comply with CMMC requirements.
Bostjanick said, “This could possibly change based on rulemaking. If someone complains and has heartburn with it during the rulemaking process, we may be precluded” from allowing the assessment to be converted into a CMMC certification. -- Sara Friedman (firstname.lastname@example.org)