VSOFIC NEWS: New CMMC Rules for Defense Contractors to Come in November
Defense contractors should expect to see new Cybersecurity Maturity Model Certification version 1.0 requirements in requests for proposals released in November, Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment, said May 11.
The requirements are a reflection of the Pentagon's push to protect defense industrial base networks and controlled unclassified information from cyber attacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security, with level one being the lowest and level five the most stringent.
“We understand this is a big cultural shift and we want to ensure that we’re doing everything we can to bring our small business partners right along with us,” she said at the annual Special Operations Forces Industry Conference, which is being held virtually this year due to COVID-19 safety concerns. “We are working on different plans and strategies to help.”
For instance, contractors bidding on a program may not need to have their CMMC certifications until the time of contract award, she noted at the vSOFIC event, which is hosted by the National Defense Industrial Association on behalf of U.S. Special Operations Command.
The Defense Department is still on track to roll out requirements this year, she said. In June, the Pentagon plans to release about 10 requests for information that include CMMC rules.
“As we release the RFIs, we’ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they’re bidding on,” Arrington said.
Meanwhile, the Defense Federal Acquisition Regulation Supplement 252.204-7012 is undergoing a rule change, she noted. The move will be completed in October. The DFARS and NIST SP 800-171 are the current regulations for storing, transmitting and processing defense information.
“You will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed,” she said.
Last month, Arrington said the CMMC rollout is on schedule despite COVID-19 concerns. Auditors will still need to conduct inspections on site, she said, but will wear personal protective equipment such as masks and gloves.
However, the new rules will take time to implement because they cannot be inserted into an active contract, Arrington said.
“We have to go through an acquisition cycle,” she said. “Most of our acquisition contract strategies are one base year, plus four option years. So if you’re on a contract today that is not due to come out for recompete for three years, you are not going to be required to get a CMMC certification if you’re bidding only on that work for the next few years.”
The majority of companies will only need to achieve CMMC level one certifications, she noted. Prime contractors will likely need to meet higher standards than subcontractors.
“Most of you … just need to get the level one, which is simple things like access controls and passwords and making sure you have antivirus software on your computers and that you’re actually updating them and you have a way to download patches if needed,” she explained.
The ongoing COVID-19 pandemic highlights the importance of cybersecurity, she noted.
“We’re all teleworking. We’re all doing our best to access our data, our databases, our enterprises remotely,” Arrington said. “We need to have good cyber hygiene in place to do that.”