The Defense Department is getting closer to finalizing details on the process for contractors to obtain a CMMC certification ahead of the formal program launch in May 2023, which will include a memo from Pentagon officials to establish a “joint surveillance program” where assessment organizations and DOD officials work together to complete voluntary examinations.
DOD announced in November a revamp of the Cybersecurity Maturity Model Certification program following an internal review and teased the creation of incentives to encourage contractors to prepare for CMMC during the lengthy rulemaking process.
Potential incentives initially focused on allowing contractors who can demonstrate their networks are secure to “garner a higher profit margin,” or using a contractor’s network security as part of the “criteria” for a “sole source selection evaluation,” according to CMMC director Stacy Bostjanick.
Stacy Bostjanick, Chief of Implementation and Policy, Office of the DoD Chief Information Officer
However, internal discussions at DOD shifted to center around allowing the three-year clock on voluntary certifications to start when CMMC requirements begin showing up in new contracts next year. The accreditation body behind the CMMC program, known as “The Cyber AB,” supports the approach, but it has taken months to figure out how the voluntary assessments could be accepted before the rulemaking is published.
In June, Bostjanick explained the Pentagon’s approach, calling it a “joint surveillance program” in which NIST Special Publication 800-171 assessments conducted by certified third-party assessment organizations (C3PAOs), with oversight from the DIBCAC, will be converted into CMMC certifications when the official launch begins.
The Defense Industrial Base Capability Assessment Center, known as the DIBCAC, started conducting voluntary assessments in 2019 to determine whether contractors are able to achieve the 110 controls in NIST 800-171. Many of those assessments are up for renewal this year.
The “NIST Special 800-171 DoD Assessment Methodology” explains how to determine a compliance score and processes for a DIBCAC High assessment.
The document says, “The High Assessment, conducted by DoD personnel who have been trained in accordance with DoD policy and procedures to conduct the assessment, requires a thorough on-site or virtual verification/examination/demonstration of the Contractor’s system security plan and implementation of the NIST SP 800-171 security requirements.”
However, Bostjanick said in June that the DIBCAC doesn’t have the resources to “re-up a bunch of the 300 companies that they started with” in 2019 for DIBCAC High.
She explained that the plan is to allow a company to contract with a C3PAO to conduct the assessment with oversight from the DIBCAC. The C3PAO will contact The Cyber AB to get on the DIBCAC’s schedule for a company assessment.
“The DIBCAC assessors will be onsite. They will have one, maybe two assessors on site with your C3PAO assessment … to do some oversight,” Bostjanick said during the industry webinar.
She said the DIBCAC “will then accept the C3PAO assessment report [and] be able to ingest that into the DIBCAC as if it were done by them. They have some regulatory requirements of things they need to check and align with it for it to become a DIBCAC assessment.”
The Cyber AB CEO Matthew Travis updated stakeholders on what to expect at his group’s “Town Hall” meeting last week. He pointed to the “DOD memo on joint voluntary assessments” and the release of the CMMC Assessment Process guide (the CAP) as the two steps needed to jumpstart the voluntary program.
The timing is aligned with DOD’s upcoming rulemaking submission to the Office of Management and Budget for review. Bostjanick said the plan is to put out the interim rule in March 2023 and have a 60-day comment period before it goes into effect.
But Bostjanick clarified that accepting voluntary assessments “could possibly change” during the review process.
She said, “If someone complains and has heartburn with it during the rulemaking process we may be precluded to do that, but at the get-go the company will at least have that DIBCAC High assessment reported in [the Supplier Performance Risk System] for the next three years.”
There’s also a possibility that OMB decides the rule should be proposed instead of interim, Bostjanick said, which means “everything would shift later out by another year” to March 2024. -- Sara Friedman