Corporate Compliance Insights

Defense Contractors: What’s Next with CMMC?

Taking Stock of a Department of Defense (DoD) Landmark Effort

by Abel Vandegrift
July 31, 2020
in Cybersecurity, Featured

The Cybersecurity Maturity Model Certification (CMMC) program is supposed to shore up cybersecurity across the DoD’s 300,000+ contractor base. Authentic8’s Abel Vandegrift discusses the progress the Pentagon and other stakeholders have made over the past few months.

Since the start of the pandemic, DoD official Katie Arrington, the acquisition office’s CISO and the public face of the DoD’s effort, has kept in close touch with Defense Industrial Base (DIB) stakeholders via online conferences to provide continual updates and clarifications.

The CMMC program will require all DoD contractors to undergo assessment and third-party certification[1] of their cybersecurity posture to be awarded a DoD contract. The tiered certification program includes five levels corresponding to the sensitivity of the controlled unclassified information (CUI) a contractor will handle under a particular contract.

Accreditation Body in Place, Assessor Certification Underway

Rolling out the requirements will be a slow and measured process. The DoD has handpicked the first 10 requests for information (RFIs) that will include CMMC requirements, scheduled to appear in October after the official acquisition rule is changed. The requests for proposals (RFPs) will follow later this year, and the first contract awards are expected in early 2021.

The Pentagon plans to have CMMC requirements in all new RFIs by 2026. The DoD will not modify existing contracts to insert CMMC requirements (outside of extenuating circumstances). That means the five-year timeline accounts for the general five-year contract cycle (one base plus four option years).

The CMMC Accreditation Body (CMMC-AB)[2], a nonprofit organization responsible for overseeing the third-party assessment enterprise, is now up and running.

The CMMC-AB has begun training certified third-party assessor organizations (C3PAOs). These entities will be certified to manage the contractor assessment process. DIB companies will contract with them to conduct their assessment and certification. The certification costs will be an allowable cost built into the DoD contract.

Civilian Agencies May Follow Suit

Other federal agencies are likely to adopt similar certification models for their contractors. The Department of Homeland Security, for example, will incorporate some measures in its upcoming supply chain security guidance.[3] A form of FedRAMP reciprocity is also under discussion,[4] and the CMMC is already being referenced in civilian agency proposals.

That civilian proposal comes from the General Services Administration. In a recent RFP for its government-wide IT acquisition program,[5] the GSA recommended that contractors prepare for CMMC certification in anticipation of eventual inclusion of CMMC-like requirements in the civilian acquisition process.

Granted, it will take additional guidance, and time, for the CMMC’s official expansion beyond the DoD to civilian contracts to take hold. The GSA’s mention of the CMMC, however, shows how the CMMC’s influence continues to grow.

In short, the development of this program has reached a point where it’s not just defense contractors anymore who should be tracking the issue. If you’re selling IT to the federal government or are planning to do so, you should take notice.

Committee Still Sees “Unanswered Questions”

Lawmakers on Capitol Hill already did. They have been keeping a close eye on the program’s progress. Through the annual National Defense Authorization Act (NDAA), the House and Senate have included provisions in their respective bills that address different aspects of the CMMC. House and Senate negotiators still need to determine which provisions will make it into the final version of the legislation.

The House-passed version of the FY21 NDAA, H.R. 6395, seeks answers to “unanswered questions” about the program’s implementation. The bill directs the DoD to provide the following by January 15, 2021:[6]

  1. the estimated annual costs to the Department to implement the CMMC and the estimated annual costs to the Department for CMMC expenses that will be considered an allowable cost on a government contract for each of fiscal years 2020 through 2024;
  2. the estimated costs for compliance and certification for each category of small, medium-sized and large businesses by CMMC tier;
  3. the status of Department efforts to revise regulations, issues related to current contract clauses, the timelines proposed for each step in the regulatory process and the planned applicability to contracts once a final regulation is implemented;
  4. the efforts of the Department to incorporate CMMC training into the Department’s and Defense Acquisition University’s training requirements;
  5. the efforts of the Department to address issues surrounding exclusivity of the standard and the certification across the enterprise;
  6. a discussion of the roles, responsibilities and liabilities for the prime contractors and subcontractors with regard to the assigning of the CMMC tier;
  7. a discussion of the plan for the CMMC Accreditation Board to engage and train the appropriate resources to conduct certifications for the defense industrial base as it pertains to the timelines included in the Department’s rollout of CMMC;
  8. a plan for the Department to obtain and retain the CMMC Accreditation Board as the exclusive provider of CMMC certifications; and
  9. a discussion of how the CMMC Accreditation Board will prioritize the requests for CMMC certification and the factors used to determine priority, if any, specifically with regard to company size, sole source contracting and the timelines included in the Department’s rollout of CMMC.

During the bill’s markup, the committee approved an amendment addressing potential conflicts of interest raised by the program. In addition to praising the effort to secure industry networks, the amendment directed the Department of Defense to provide more information on one particular aspect: How does the DoD plan to protect the proprietary information third-party auditors will gather from contractors during their assessments?

The Senate bill, S. 4049, also addresses the challenges CMMC presents particularly to small businesses and seeks additional information on how the DoD can help alleviate the burden. In addition, it includes CMMC-related provisions that range from cyber hygiene to cyber threat hunting.[7]

In a noteworthy turn, the committee expressed concern that the DoD could be holding contractors to a higher cybersecurity standard than DoD components. Citing a recent GAO report,[8] which found the DoD had not fully implemented its own cyber hygiene practices, the committee called on the DoD’s Chief Information Officer to assess each component against CMMC criteria.

On the subject of cyber threats, a provision addresses the participation of defense contractors in a threat intelligence sharing program. The committee expresses concern that CMMC levels one through three do not require a threat hunting capability, and about the impact that gap will have.

Outlook: Encouraging Resilience

One of the final steps before the certification program becomes official is a change to the Defense Federal Acquisition Regulation (DFAR), which requires a public hearing – now delayed due to the coronavirus. Following an online comment period, the proposed rule change is now expected to go into effect in October, according to Arrington, speaking at a recent virtual event. Arrington also said she expects the program to certify 7500 companies in 2021.[9]

Most subcontractors will only require lower levels of certification. Basic cyber hygiene can go a long way toward satisfying those criteria. Still, the certification process will pose a challenge, especially for small businesses.

The good news is that Congress has recognized those concerns and called for the DoD to clarify and provide some relief. Overall, having followed the effort from its early drafts (see DoD’s Cybersecurity Maturity Model Certification: Are Smaller Companies Prepared? and 5 Must-Reads for CMMC Insight), I am impressed by how well the program has advanced.

It’s not often that a major DoD policy shift with a timeline as aggressive as the CMMC’s stays on target under normal circumstances. That the program is still on track during the pandemic shows the resilience of all stakeholders. It also speaks to their readiness and willingness to tackle the many difficulties that lie ahead.


[1] Office of the Under Secretary of Defense for Acquisition & Sustainment: Cybersecurity Maturity Model Certification

[2] Cybersecurity Maturity Model Certification – Accreditation Body

[3] Mariam Baksh: CISA’s Coming Supply Chain Guidance to Align with Pentagon’s Vendor Certification Program (Nextgov 4/23/2020)

[4] Robert Johnson: Katie Arrington: CMMC, FedRAMP Working on Reciprocity (Potomac Officers Club 4/20/2020)

[5] GSA: 8(a) STARS III Governmentwide Acquisition Contract (GWAC) Request for Proposal (SAM 7/22/2020)

[6] H.R.6395 – William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (116th Congress 7/21/2020)

[7] S. 4049 – National Defense Authorization Act for Fiscal Year 2021 (116th Congress 7/23/2020)

[8] GAO: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (April 2020)

[9] CMMC Academy: Cybersecurity Compliance for Enterprise Supply Chains in the Defense Industry (Celerium 7/22/2020)

Abel Vandegrift
Abel Vandegrift is Director of Government Strategy at web isolation pioneer Authentic8, maker of Silo for Safe Access (Cloud Browser) and Silo for Research, which enables security teams to conduct secure, misattributed and anonymous research on the open and dark web.