Inside Cybersecurity

March 24, 2025

Daily News

Pentagon small business office plans pilot with companies on protecting controlled unclassified information

By Sara Friedman / September 8, 2023

The Pentagon Office of Small Business Programs will launch a pilot with 25 to 50 companies to explore how to help smaller organizations comply with NIST Special Publication 800-171 using a cloud environment provided by the Defense Department, according to CMMC leader Stacy Bostjanick.

The environment would have tools “built on top of it,” Bostjanick told Inside Cybersecurity. “For those that would participate in an environment like that, their CMMC certification would just be a validation that they implemented it correctly in their spaces.”

Bostjanick leads the Pentagon’s Cybersecurity Maturity Model Certification program, which is aligned closely with NIST 800-171 requirements at CMMC level two. She spoke with Inside Cybersecurity Thursday on the sidelines of the Billington Cybersecurity Summit.


Stacy Bostjanick, CMMC Director, Office of the DOD Chief Information Officer, Department of Defense

Bostjanick said it’s not clear whether DOD will be able to offer the environment in the long term because “some of the estimates we have gotten for the recurring costs for that environment yearly is extremely high. So we are going to have to look at different ways to do it, there are also legal issues that we have not cleared through DOD Office of General Counsel.”

The issues include “liability of hosting somebody’s information in our spaces, what if it gets hacked, and how does that work,” Bostjanick said. “There are a lot of things we need to think through and work through from that perspective, but we are going to do the pilot program for 25 to 50 companies.”

Bostjanick participated in a panel on protecting the defense industrial base with Cyber Accreditation Body CEO Matthew Travis, Matt Barry of HP Federal, Raytheon’s Amy Foy and moderator Andy Stewart of Cisco.

DOD announced major changes to the CMMC program in 2021 and is going through a rulemaking process to implement the program. The proposed rule is currently under review at OMB’s Office of Information and Regulatory Affairs.

Travis said he expects the rule will be released for public comment in November or December, while emphasizing that it is conditional on how long the OIRA review process takes.

Travis encouraged stakeholders, once the rulemaking is released, to provide input to DOD on the role of managed service providers and managed security service providers. He also pointed to support for small businesses as an important element of the CMMC program and the rulemaking.

Bostjanick reflected during the panel on the first draft of NIST 800-171 Rev. 3, which was released in May. NIST received several comments that pushed back on the draft’s use of “organizational-defined parameters.”

NIST said in August that it will reduce the number of ODPs in the second draft of NIST 800-171 Rev. 3.

Bostjanick said she is on a “tiger team” at the Federal CISO Council, which includes NIST’s Victoria Pillitteri and is working on the issue.

The tiger team is working to define the “last few ODPs,” Bostjanick said, to make sure there are not “multiple flavors” at different agencies.

Bostjanick said the Defense Industrial Base Sector Coordinating Council will “be asked to come and participate with us on that tiger team when we get there to have input on what we define to ensure we are not going to do something that cripples anybody [that causes] major pain and consternation.”

She said, “There is an effort across the federal government to make sure that we standardize and don’t start asking companies to answer different flavors of 800-171 and we make it something that is achievable…we want everyone to have the same baseline level.”

DOD CIO John Sherman reiterated his commitment to the CMMC program during a fireside chat on Thursday morning with Essye Miller, former principal deputy DOD CIO.

Sherman said the rule is now at OMB and is “going to be open for public comment from over the next couple of months here. … We are implementing 800-171 NIST standards, particularly for small and medium businesses.”

DOD wants to make CMMC “implementable” for SMBs and has tried to simplify the program under CMMC 2.0 to not make it “overly burdensome,” Sherman said. “But having cybersecurity for our data that's working with CUI is non-negotiable. We've got to get this right.”

-- Sara Friedman (sfriedman@iwpnews.com)