NDIA POLICY POINTS CYBER
The Costs and Scope of CMMC 2.0
While yet to be fully implemented, the Defense Department first proposed the Cybersecurity Maturity Model Certification program in 2019, and the concept seems simple.
CMMC will ensure defense contractors comply with their contractual obligations to protect controlled unclassified information, or CUI, by requiring companies to hire third-party assessors to certify compliance, moving away from the “self-attestation” model.
However, nothing is ever as simple as it seems, and since the CMMC framework was first announced in 2019, “uncertainty” is a word that has been closely associated with the program.
The Defense Department released a proposed rule to implement the second iteration of CMMC, dubbed CMMC 2.0, on Dec. 26. The rule makes several changes, including reducing the number of compliance levels from five to three, aligning Level 2 compliance with National Institute of Standards and Technology Special Publication 800-171, and aligning Level 3 compliance with NIST SP 800-171 and 800-172.
While the streamlined CMMC 2.0 makes some positive improvements, as the short timeline for comments approaches rapidly, we find “uncertainty” remains with some elements, especially around the cost and scope of the program.
The costs surrounding CMMC have been a hotly debated topic since its inception. According to department estimates, the private sector will face an annualized cost of $4 billion to implement CMMC 2.0, which includes nonrecurring engineering costs, recurring engineering costs, assessment costs and affirmation costs.
The proposed rule acknowledges public feedback indicating the cost estimates for CMMC 1.0 were too low, and as a result of several changes, “some CMMC 2.0 costs may be higher than those included in CMMC 1.0.”
The proposed rule, however, still does not include the costs associated with implementing the actual underlying cybersecurity controls, such as the security requirements outlined in Federal Acquisition Regulation clause 52.204-21 for CMMC Level 1 and the security requirements outlined in NIST SP 800-171 Rev. 2 for CMMC Level 2. When the department implemented the requirement for defense contractors to protect controlled unclassified information in accordance with NIST SP 800-171 in 2017 under DFARS 252.204-7012, the department did not release a cost estimate to assess the impact on the defense industrial base.
Although the department knew the implementation would increase costs, it answered questions surrounding costs by stating they were “unknown” but “deemed necessary.”
Currently, the Pentagon believes it does not need to consider the cost of the underlying requirements for CMMC Levels 1 and 2 since they “should already have been incurred.” While this may be true for existing companies within the defense industrial base, it may be helpful for new entrants such as startups and nontraditional defense companies to understand the requirements and costs associated with military partnerships.
Another source of uncertainty is the scope of CMMC 2.0, which goes beyond companies simply complying with existing requirements. As expected, the proposed rule expands CMMC requirements to the application of all NIST SP 800-171 controls and certification assessments to the new category of organization, “external service provider.” This means all managed service providers and managed security service providers — companies that provide info-tech and cybersecurity services to defense firms — must certify before the companies they support, the “organization seeking certification,” can seek an assessment.
The rule seemingly fails to recognize that expanding the scope of where CMMC requirements are applied also drives a significant cost increase. It no longer simply assesses existing security requirements.
The proposed rule also expands the application of the requirements.
Further expanding the scope, the department creates a new category of information, “security protection data,” but does not clearly define the data.
The rule also effectively mandates that every security tool delivered as a cloud service must be FedRAMP authorized or equivalent. Defense companies will need to consider what security tools they have now and what they will need to buy in the future and decide whether to purchase the more expensive FedRAMP options wherever possible.
Another area is the affirmation requirements for Levels 1, 2 and 3. A senior company official must affirm continuing compliance with the requirements in all systems in scope. Still, it is not clear whether an affirmation covers a specific point in time or is continuous. While a company can undoubtedly certify at a point in time that all controls are in place and working, company officials will face new potential liability and an almost impossible task if they must affirm after a set point in time continuing compliance that systems will not break, controls will not fail and the threat will not change.
Finally, in addition to continued uncertainty related to costs and scope, NIST SP 800-171, the primary underlying security requirement for CMMC 2.0, is also undergoing a separate regulatory process to update from Revision 2 to Revision 3.
The Defense Department should partner with industry to develop and implement a plan to transition between revisions to ensure industry can make decisions to allow companies to meet contractual obligations under the Defense Federal Acquisition Regulation Supplement.
The department must prioritize partnering with industry on cybersecurity requirements and implementation. The National Defense Industrial Association strongly believes that more effective cybersecurity requirements will benefit warfighters by protecting our best ideas and technology.
However, the proposed rule requires significant adjustments to balance security requirements with implementation costs. ND
Rachel McCaffrey is senior vice president of membership and chapters, and Michael Seeds is senior director of strategy and policy at the National Defense Industrial Association.
Topics: Defense Department