JUST IN: Pentagon Reviewing CMMC for Potential Improvements
iStock photo-illustrationThe Defense Department is conducting an “internal assessment” of its far-reaching Cybersecurity Maturity Model Certification program, which has raised concerns among industry about the costs and other challenges of meeting the requirements.
The review was first reported by FedScoop.
Cybersecurity Maturity Model Certification, or CMMC, is a Pentagon initiative aimed at prodding the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China.
“In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the [Defense] Department remains deeply committed to the security and integrity of the defense industrial base,” Pentagon spokesperson Jessica Maxwell said in a statement to National Defense April 1.
“As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” she said. “This assessment will be used to identify potential improvements to the implementation of the program.”
Maxwell declined to say who initiated the review, when it was launched, or when it is expected to be completed.
“As this internal assessment is ongoing, we are not able to provide further detail,” she said.
The new CMMC cybersecurity standards, which companies must eventually adhere to if they want to do business with the Pentagon, was first unveiled in January 2020 during the Trump administration. It includes five different security levels. The level that a company must achieve will depend on the work it is doing for the department for specific contracts. The new requirements have already been included in some solicitations for the pilot program.
During implementation, third-party assessor organizations, known as C3PAOs, will have to conduct audits and certify that a company has met the required standards before it can win contracts. Contractors are responsible for paying for the audits and their efforts to come into compliance.
The new requirements are being rolled out over time. By 2026, all Pentagon contracts will include CMMC requirements. The rules are expected to affect more than 300,000 contractors in the vast defense industrial base.
The Biden administration is now taking a fresh look at the initiative.
“It's not surprising that a transition of administration would bring some attention to a program that's this large and has … received as much attention as the CMMC program has up to this point,” said Corbin Evans, principal director of strategic programs at the National Defense Industrial Association. “There's certainly been a lot of conversations, not only among industry folks that we represent, but also government around how exactly CMMC will work.”
One area of concern for contractors is implementation, Evans noted.
“How exactly will the controls contained within CMMC be implemented and interpreted, and then ultimately assessed by a third-party … inspector?” he said. “How will that be done consistently from organization to organization, keeping in mind that no two companies have the same style or setup for internal security and … trying to impose a common set of security standards?”
“You're going to see a lot of different interpretations and a lot of different executions of those standards. So additional guidance related to exactly what the DoD is looking for, exactly what they are telling certified third-party assessment organizations they're going to be looking for — that ambiguity is something that kind of continues to be pervasive across the industry,” he added.
The price tag for achieving certification is another hot button issue.
“How is industry going to bear yet another set of government regulations that are, by industry standards, very burdensome, very expensive to implement, even at the Level 1 level?” Evans said.
Defense officials have estimated that it would cost a few thousand dollars for companies to reach Level 1 compliance, which is the least stringent level. But NDIA believes that the Pentagon is underestimating the price tag.
“Even at a Level 1, and especially at a Level 3, we are going to see increased costs across the board with industry,” he said. “Folks are worried about their ability to continue to do business with the DoD, their ability to attract new subcontractors or new entrants into the defense industrial base — new partners — because of the increased barrier of entry that CMMC is perceived as.”
Evans said it’s too early to tell how the review will shake out or if the Pentagon will end up pumping the brakes on CMMC implementation.
“It's too early to say if a delay is necessary or inevitable,” he said. “I will say there is a lot of work that remains to be done to meet the DoD stated goals of its implementation timeline, both in 2021 and beyond.”