CMMC Regulations on the Way Despite Pandemic
The Defense Department’s new high-profile cybersecurity regulations are on schedule for implementation this year despite potential setbacks from the COVID-19 pandemic.
Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, said the Pentagon will begin rolling out the Cybersecurity Maturity Model Certification version 1.0 rules this year.
The requirements are part of the Defense Department’s push to protect industrial base networks and controlled unclassified information from cyberattacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security requirements depending on the type of work they are doing, with level 1 being the lightest and level 5 the most stringent.
Acquisition officials unveiled their roadmap for implementation in January, before the COVID-19 pandemic roiled U.S. society and industry. The plans included releasing solicitations with CMMC requirements baked in for pathfinder programs this year.
“We are on track to do that,” Arrington said during a Project Spectrum webinar in May. “We’re still on target to release some initial [requests for information] in June. … Stay tuned, but the work hasn’t stopped and we’re still doing our absolute best to stay on track.” Project Spectrum is intended to help small businesses improve their cybersecurity and is supported by the Defense Department’s Office of Small Business Programs.
The biggest challenge presented by COVID-19 is figuring out how to conduct third-party audits of companies’ cybersecurity readiness, she noted. Auditors are required to perform on-site visits to assess compliance.
“We’re trying to figure out ways around that,” Arrington said.
During a webinar hosted by Bloomberg Government, Arrington said auditors may need to “find a new way of doing business” to adjust to COVID-19 safety concerns. This will include wearing personal protective equipment while visiting companies.
“I think that you’ll wear a mask, and you’ll maintain some social distancing and you’ll be able to do the audit,” she said. “Just like the cable guy today — they come into your home, or they meet you, they wear a mask and we respect each other’s personal space to ensure safety for all.”
There could potentially be a two- to three-week delay on carrying out the first round of audits due to coronavirus, she noted. However, the potential schedule slip is expected to be “nothing of significance,” she added.
“Of course, COVID-19 is … impacting every aspect of our life,” she said. “But a two-week push on something is not going to have a massive impact to our rollout of this. … I don’t think it’s going to be anything impactful to the schedule.”
Defense contractors should still expect to see new CMMC requirements in requests for proposals issued in November, Arrington noted, but the Pentagon plans to help companies adapt.
“We understand this is a big cultural shift and we want to ensure that we’re doing everything we can to bring our small business partners right along with us,” she said at the annual Special Operations Forces Industry Conference, which was held virtually in May by the National Defense Industrial Association due to safety concerns about COVID-19.
“We are working on different plans and strategies to help.”
For instance, contractors bidding on a program may not need to have their CMMC certifications until the time of contract award, she noted.
“As we release the RFIs, we’ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they’re bidding on,” she said.
Corbin Evans, director of regulatory policy at NDIA, said the Defense Department has yet to recruit, train and certify auditors.
“It does seem like they’re getting close” to doing that, he said. “Once they start up that process, we’ll start to get a better idea of how long that certification is going to take.
“At this point in time, I think it’s safe to say mid- to late summer is probably a good estimation for when those auditors will likely start to go out into the field, although that may be a little on the early side,” he added.
Meanwhile, the Defense Federal Acquisition Regulation Supplement 252.204-7012 is undergoing a rule change, Arrington noted. This will be completed in October. DFARS 252.204-7012 and National Institute of Standards and Technology Special Publication 800-171 are the current regulations for storing, transmitting and processing defense information.
“You will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed,” Arrington said.
Evans said the Pentagon is changing the Defense Federal Acquisition Regulation in accordance with CMMC. The department has developed a draft rule requiring that CMMC regulations be attached to future contracts.
“This process is a little bit more formalized,” he said.
To pass the rule, officials will first need to have a public meeting to gather feedback from stakeholders and outside parties including NDIA, Evans noted. However, this process may be affected by the inability to gather large crowds in public spaces due to COVID-19 restrictions.
They “have started to have conversations around delays in that process because of the limitations on their ability to have a public meeting,” he said. “The rule-making process is potentially stalled because of the fact that they can’t do a public meeting.”
The new rules will still take time to implement because they cannot be inserted into an active contract, Arrington noted.
“We have to go through an acquisition cycle,” she said. “Most of our acquisition contract strategies are one base year plus four option years. So if you’re on a contract today that is not due to come out for recompete for three years, you are not going to be required to get a CMMC certification if you’re bidding only on that work for the next few years.”
By 2026, all Pentagon contracts will require CMMC certification, according to officials.
The majority of companies will need to achieve CMMC level 1 certifications, Arrington said. Prime contractors will likely need to meet higher levels than subcontractors.
“Most of you … just need to get the level 1 which is simple things like access controls and passwords and making sure you have antivirus software on your computers and that you’re actually updating them and you have a way to download patches if needed,” she said.
Evans said that he is “cautiously optimistic” that CMMC will continue to stay on track despite COVID-19. Although some Defense Department programs may be experiencing delays of 60 to 90 days, CMMC is one of the department’s high priorities, he noted.
“It is plausible that they’re kind of allocating resources internally to prioritize keeping CMMC implementation on track,” he said.
Stuart Itkin, vice president of product management and marketing at Exostar, a Herndon, Virginia-based supply chain management company, said members of the defense industrial base are already working on bolstering their cybersecurity practices to prepare for the new rules and stop intellectual property theft.
“Some suppliers are looking at it from a risk perspective and they understand that the intellectual property, the [controlled unclassified information] that is being exfiltrated — that is being stolen — actually belongs to them,” he said. “They are the ones that are experiencing the loss.”
In May, Exostar released a cybersecurity tool geared toward helping companies score their existing policies and procedures, he said. The firm is not charging customers to use its tool to reach the first level of CMMC certification, he noted.
Implementing CMMC regulations is intended to help companies reduce the risk of losing their IP, he said. The United States has been working to deter adversaries such as China from stealing information from defense contractors.
“Compliance is intended to be a proxy for security,” he said. “Implementing those practices or implementing those regulations should reduce the risk … of IP loss.”
The increase in teleworking due to COVID-19 has highlighted the need for companies to review their policies to ensure employees are following safe cybersecurity practices from home, he noted.
“The teleworking has had a real impact on expanding the attack surface that adversaries look at,” he said. It is “exposing vulnerabilities that may not have been as apparent as in the past. … One of the things that we’ve emphasized to organizations is that they look and they review their work-from-home policies.”
Evans said improving cybersecurity practices in advance of the CMMC rollout may help companies stave off a potential increase in cyber threats as contractors continue teleworking.
“That’s going to help them not only prepare for the CMMC adoption down the road, but also allow them to thwart some of those increased number of threats as … their workforce is more dispersed,” he said.
Arrington encouraged industry to get a head start on meeting the new requirements, noting that companies can download the model and begin implementing some practices that would help them meet level 1 standards.
“Waiting isn’t an option for any of us,” she said. “This is just a … when life gives you lemons, make lemonade” situation.
However, meeting these requirements may be more difficult for smaller businesses that are already hurting economically from the pandemic, Evans noted. The Small Business Administration and other government agencies are in discussions about potentially providing financial assistance for certification, he said.
“There are the financial constraints that are likely affecting small businesses that may inhibit their ability to make cyber-related investments at this point in time,” he said.