Inside Cybersecurity

May 8, 2024


Major coalition asks for CMMC proposed rule 60-day extension amid notable increase in asks for stakeholder feedback from agencies

By Sara Friedman / February 6, 2024

A coalition representing major defense associations and government contractors is asking the Defense Department to extend the comment period for a proposed rule to implement the Pentagon’s cyber certification program, in a new letter highlighting three public comment periods for cyber rulemakings that closed last week.

The Pentagon issued the first proposed rule on Dec. 26 for its Cybersecurity Maturity Model Certification program with a Feb. 26 comment deadline. Industry groups raised concerns to Inside Cybersecurity on various aspects of the rulemaking following its release and joined the Jan. 26 letter from the Council of Defense and Space Industry Associations seeking a 60-day extension to April 25.

“Given the major impact CMMC will have on how federal suppliers do business with the government, CODSIA believes this rule requires extensive review. Although the rule has been expected for some time, the specific requirements were not defined such that the impact on companies seeking to do business with DoD could be determined,” the letter says.

It continues, “Since our process for reviewing, analyzing, drafting, and revising comments requires the opportunity for inputs from our more than 10,000 member companies it would be exceedingly difficult to properly address all parts of the rule in the amount of time currently allocated.”

The letter was posted on Feb. 2 on Regulations.gov.

CODSIA members include the Aerospace Industries Association, the Alliance for Digital Innovation, the American Council of Engineering Companies, Associated General Contractors, BSA-The Software Alliance, the Information Technology Industry Council, the National Defense Industrial Association and the Professional Services Council.

The ADI also submitted a separate request on Jan. 23 to DOD asking for a 60-day extension, while construction industry trade group Associated Builders and Contractors sent a Jan. 30 letter seeking a 30-day extension.

There is a second CMMC rulemaking in the works that would amend the Defense Federal Acquisition Regulation Supplement. A draft of the proposed rule was accepted Jan. 17 by the Defense Acquisition Regulations Council and is currently in the case manager processing period, according to the latest DFARS case status report.

Meanwhile, stakeholders have been under increased pressure in the past four months to provide input on upcoming cyber regulations to the government. The comment deadline for two proposed federal acquisition rules related to the 2021 cyber executive order closed on Friday, along with an interim final rule amending the FAR on removal and exclusion orders for the Federal Acquisition Security Council.

The CMMC timeline “is especially constrained given the parallel efforts required on multiple associated interim or proposed rules. For example, comments on NIST 800-171 Revision 3’s final public draft are due this week, while comments on Implementation of Federal Acquisition Supply Chain Security Act (FASCSA) Orders, Cyber Threat and Incident Reporting and Information Sharing, and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems are all due on February 2,” according to the letter.

CODSIA says, “Taken together, the current deadline for the CMMC rule provides an insufficient opportunity for our associations’ respective members to fully engage in the comment drafting process.”

NIST Special Publication 800-171 and its accompanying assessment guide 800-171A are focused on the confidentiality of controlled unclassified information held on nonfederal systems. Both publications are fundamental to level two of the CMMC program.

The letter says, “Additionally, given the impact the proposed rule would have on the entire supplier base, we need sufficient time to adequately engage our respective stakeholders, and their respective supply chains, in order to provide the federal government with comprehensive information regarding implementation of CMMC’s security measures for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).”

The DOD Office of the CIO is responsible for making the determination on the CMMC proposed rule extension.

Industry stakeholders were successful in getting a two-month comment extension for the two cyber EO rules and the FASC rulemaking. The FASC interim final rule still went into effect on Dec. 4.

Stakeholders in the CMMC assessment ecosystem are pushing for the CMMC proposed rule and upcoming DFARS update to be finalized by the end of the year, partially in anticipation of potential impacts from the November election.

Over 100 comments have been submitted to DOD so far on the proposed rule. DOD addressed some of the comments raised on the original 2020 CMMC interim final rule in the December rulemaking as part of an effort to get ahead of industry concerns, according to a source.

Cyber Accreditation Body CEO Matthew Travis outlined the expected timeline at a Jan. 30 town hall meeting. Both CMMC rules will need to go through the interagency process at OMB’s Office of Information and Regulatory Affairs and a 60-day Congressional Review Act period before they can be finalized, Travis said.

Travis said he hopes the final rule will be out in the last quarter of 2024 with an effective date in the first quarter of 2025. -- Sara Friedman (sfriedman@iwpnews.com)