Defense Contractors: What’s Next with CMMC?

Since the start of the pandemic, DoD official Katie Arrington, the acquisition office’s CISO and the public face of the DoD’s effort, has kept in close touch with Defense Industrial Base (DIB) stakeholders via online conferences to provide continual updates and clarifications.

The CMMC program will require all DoD contractors to undergo assessment and third-party certification^[1] of their cybersecurity posture to be awarded a DoD contract. The tiered certification program includes five levels corresponding to the sensitivity of the controlled unclassified information (CUI) a contractor will handle under a particular contract.

Accreditation Body in Place, Assessor Certification Underway

Rolling out the requirements will be a slow and measured process. The DoD has handpicked the first 10 requests for information (RFIs) that will include CMMC requirements, scheduled to appear in October after the official acquisition rule is changed. The requests for proposals (RFPs) will follow later this year, and the first contract awards are expected in early 2021.

The Pentagon plans to have CMMC requirements in all new RFIs by 2026. The DoD will not modify existing contracts to insert CMMC requirements (outside of extenuating circumstances). That means the five-year timeline accounts for the general five-year contract cycle (one base plus four option years).

The CMMC Accreditation Body (CMMC-AB)^[2], a nonprofit organization responsible for overseeing the third-party assessment enterprise, is now up and running.

The CMMC-AB has begun training certified third-party assessor organizations (C3PAOs). These entities will be certified to manage the contractor assessment process. DIB companies will contract with them to conduct their assessment and certification. The certification costs will be an allowable cost built into the DoD contract.

Civilian Agencies May Follow Suit

Other federal agencies are likely to adopt similar certification models for their contractors. The Department of Homeland Security, for example, will incorporate some measures in its upcoming supply chain security guidance.^[3] A form of FedRAMP reciprocity is also under discussion,^[4] and the CMMC is already being referenced in civilian agency proposals.

That civilian proposal comes from the General Services Administration. In a recent RFP for its government-wide IT acquisition program,^[5] the GSA recommended that contractors prepare for CMMC certification in anticipation of eventual inclusion of CMMC-like requirements in the civilian acquisition process.

Granted, it will take additional guidance – and time – for the CMMC’s official expansion beyond the DoD to civilian contracts – to take hold. The GSA’s mention of the CMMC, however, shows how the CMMC’s influence continues to grow.

In short, the development of this program has reached a point where it’s not just defense contractors anymore who should be tracking the issue. If you’re selling IT to the federal government or are planning to do so, you should take notice.

Committee Still Sees “Unanswered Questions”

Lawmakers on Capitol Hill already did. They have been keeping a close eye on the program’s progress. Through the annual National Defense Authorization Act (NDAA), the House and Senate have included provisions in their respective bills that address different aspects of the CMMC. House and Senate negotiators still need to determine which provisions will make it into the final version of the legislation.

The House-passed version of the FY21 NDAA, H.R. 6395, seeks answers to “unanswered questions” about the program’s implementation. The bill directs the DoD to provide the following by January 15, 2021:^[6]

1. the estimated annual costs to the Department to implement the CMMC and the estimated annual costs to the Department for CMMC expenses that will be considered an allowable cost on a government contract for each of fiscal years 2020 through 2024;
2. the estimated costs for compliance and certification for each category of small, medium-sized and large businesses by CMMC tier;
3. the status of Department efforts to revise regulations, issues related to current contract clauses, the timelines proposed for each step in the regulatory process and the planned applicability to contracts once a final regulation is implemented;
4. the efforts of the Department to incorporate CMMC training into the Department’s and Defense Acquisition University’s training requirements;
5. the efforts of the Department to address issues surrounding exclusivity of the standard and the certification across the enterprise;
6. a discussion of the roles, responsibilities and liabilities for the prime contractors and subcontractors with regard to the assigning of the CMMC tier;
7. a discussion of the plan for the CMMC Accreditation Board to engage and train the appropriate resources to conduct certifications for the defense industrial base as it pertains to the timelines included in the Department’s rollout of CMMC;
8. a plan for the Department to obtain and retain the CMMC Accreditation Board as the exclusive provider of CMMC certifications; and
9. a discussion of how the CMMC Accreditation Board will prioritize the requests for CMMC certification and the factors used to determine priority, if any, specifically with regard to company size, sole source contracting and the timelines included in the Department’s rollout of CMMC.

During the bill’s markup, the committee approved an amendment addressing potential conflicts of interest raised by the program. In addition to praising the effort to secure industry networks, the amendment directed the Department of Defense to provide more information on one particular aspect: How does the DoD plan to protect the proprietary information third-party auditors will gather from contractors during their assessments?

The Senate bill, S. 4049, also addresses the challenges CMMC presents particularly to small businesses and seeks additional information on how the DoD can help alleviate the burden. In addition, it includes CMMC-related provisions that range from cyber hygiene to cyber threat hunting.^[7]

In a noteworthy turn, the committee expressed concern that the DoD could be holding contractors to a higher cybersecurity standard than DoD components. Citing a recent GAO report,^[8] which found the DoD had not fully implemented its own cyber hygiene practices, the committee called on the DoD’s Chief Information Officer to assess each component against CMMC criteria.

On the subject of cyber threats, a provision addresses the participation of defense contractors in a threat intelligence sharing program. The committee expresses concern that CMMC levels one through three do not require a threat hunting capability and about the impact that will have.

Outlook: Encouraging Resilience

One of the final steps before the certification program becomes official is a change to the Defense Federal Acquisition Regulation (DFAR), which requires a public hearing – now delayed due to the coronavirus. Following an online comment period, the proposed rule change is now expected to go into effect in October, according to Arrington, speaking at a recent virtual event. Arrington also said she expects the program to certify 7500 companies in 2021.^[9]

Most subcontractors will only require lower levels of certification. Basic cyber hygiene can go a long way toward satisfying those criteria. Still, the certification process will pose a challenge, especially for small businesses.

The good news is that congress has recognized those concerns and called for the DoD to clarify and provide some relief. Overall, having followed the effort from its early drafts (see DoD’s Cybersecurity Maturity Model Certification: Are Smaller Companies Prepared? and 5 Must-Reads for CMMC Insight), I am impressed how well the program has advanced.

It’s not often that a major DoD policy shift with a timeline as aggressive as the CMMC’s stays on target under normal circumstances. That the program is still on track during the pandemic shows the resilience of all stakeholders. It also speaks to their readiness and willingness to tackle the many difficulties that lay ahead.

^[1] Office of the Under Secretary of Defense for Acquisition & Sustainment: Cybersecurity Maturity Model Certification

^[2] Cybersecurity Maturity Model Certification – Accreditation Body

^[3] Mariam Bakash: CISA’s Coming Supply Chain Guidance to Align with Pentagon’s Vendor Certification Program (Nextgov 4/23/2020)

^[4] Robert Johnson: Katie Arrington: CMMC, FedRAMP Working on Reciprocity (Potomac Officers Club 4/20/2020)

^[5] GSA: 8(a) STARS III Governmentwide Acquisition Contract (GWAC) Request for Proposal (SAM 7/22/2020)

^[6] H.R.6395 – William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (116th Congress 7/21/2020)

^[7] S. 4049 – National Defense Authorization Act for Fiscal Year 2021 (116th Congress 7/23/2020)

^[8] GAO: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (April 2020)

^[9] CMMC Academy: Cybersecurity Compliance for Enterprise Supply Chains in the Defense Industry (Celerium 7/22/2020)