JUST IN: Contractors Have Brief Window to Comment on Sweeping Cybersecurity Mandate
iStock illustrationThe Defense Department chose the day after Christmas to release its much-anticipated proposed rule to make contracts adhere to a series of cybersecurity standards.
The department’s chief information officer on Dec. 26 published its proposed rule for obtaining the Cybersecurity Maturity Model Certification, or CMMC, which will eventually be required for any company doing business with the Defense Department. Contractors have until February 26 to provide comments on the proposed requirements.
This is the second version of the CMMC rule, which was initially released in 2020. After widespread criticism of the first version, the Defense Department kicked off CMMC 2.0 in November 2021. Refining those rules took two years and one month. The program will require contractors to adhere to a list of cybersecurity requirements to prevent theft or electronic espionage of federal contract information and controlled unclassified information, or CUI.
Eric Noonan, CEO of CyberSheath, noted that many of the cybersecurity requirements themselves “have been required for — depending on how you count — about eight years now.”
“A better way to think of [CMMC], I would offer, is that it’s the compliance, the verification and enforcement mechanism of the existing requirements,” Noonan said in an interview. “These requirements are in … well over a million contracts today — and have been since 2015 — and CMMC is just the government's verification and enforcement mechanism to make sure contractors are in fact doing what is in most of the contracts that already exist today.”
And many companies in the defense industrial base currently are not meeting the existing cybersecurity requirements, Noonan said. While the major prime contractors “largely have these controls in place … as you get into their supply chains, it very quickly drops off … there’s a massive disparity today in implementation of the actual controls.”
A major reason for the lack of implementation to this point is the fact enforcement guidelines such as CMMC have not existed, he said. “It's like speeding down a highway: everybody slows down when they see the speed trap, and that's where we are with CMMC. … I think there were a lot of companies who were waiting until they saw the speed trap, and now that the speed trap’s there, we're going to see massive levels of implementation.”
A key attribute of CMMC 2.0 is the implementation of a tiered system of three levels for cybersecurity standards and compliance, with prime contractors required to flow the appropriate CMMC requirement down throughout the entire supply chain relevant to a particular contract, the proposed rule stated.
Defense contractors or subcontractors that handle federal contract information must meet the requirements for CMMC Level 1, while defense contractors that handle controlled unclassified information must meet the requirements for CMMC Level 2 or higher, depending on the sensitivity of the information associated with a program or technology being developed.
For CMMC Level 1, businesses can do self-assessments and must comply with 15 basic cybersecurity requirements spelled out in Federal Acquisition Regulation clause 52.204–21, “Basic Safeguarding of Covered Contractor Information Systems.” The proposed rule called for the self-assessment to be performed annually and the results entered electronically in the Supplier Performance Risk System.
For CMMC Level 2, contractors and applicable subcontractors are already required to implement the 110 security requirements currently required by Defense Federal Acquisition Regulation Supplement clause 252.204–7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which are aligned with the National Institute of Standards and Technology Special Publication 800–171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” To verify contractors meet these requirements, program contracts will include either a self-assessment requirement or a certification assessment requirement, the proposed rule stated.
Self-assessment must be performed on a triennial basis, while certification must be carried out by third-party assessors known as CMMC Third-Party Assessment Organizations, which must be authorized or accredited to carry out the assessments by the Defense Department. Third-party assessor certification will have up to a three-year duration.
CMMC Level 3 adds another 24 requirements on top of Level 2’s 110 requirements, with assessments conducted by the Defense Department's Defense Industrial Base Cybersecurity Assessment Center, with certification valid for up to three years.
For each level, a senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements. For Level 1, affirmation is required annually, while for Levels 2 and 3 affirmation is required after every assessment and annually thereafter. Vincent Scott, founder and CEO of Defense Cybersecurity Group, said making the “assertion that we are completely 100 percent compliant, and that we will remain 100 percent compliant going forward” is an “impossible task.”
“Things happen, stuff breaks, people do stuff they shouldn't have done, the controls break down, we end up with control failures. Those things happen,” he said. “I can attest to a point in time … ‘Hey, we did a self-assessment on this day, [these are] the results, we went through the process, we say we’re 110 out of 110.’ But I can't promise tomorrow that we won't be 109 out of 110, because stuff happens.
“The language in the rule that they put in there is very strong,” he continued. “An assertion [from a] legal perspective is the equivalent of an oath. So, I have to swear an oath that we're always going to be compliant going forward. … Nobody can do that.”
In a statement, the Defense Department said it “estimates overall program costs will be reduced by allowing for self-assessments for Level 1 and some Level 2 assessments and minimizing cost to industry for Level 3 assessments by having government assessors … conduct these assessments.”
Trey Hodgkins, president and CEO of Hodgkins Consulting LLC and the chair of the National Defense Industrial Association’s Cybersecurity Division, said the department is not adequately taking into consideration the costs for companies to not only reach the required level of cybersecurity but to sustain that level long-term.
“From a regulatory perspective, [it’s] going to be challenging for a sophisticated company to understand all their risks and liabilities, much less a smaller business — which probably doesn't have access to those kinds of resources another company would — to understand what they need to do and not do,” Hodgkins said in an interview. “It's costly. I think the department underestimated their expenses.”
While the government can assert that many of the cybersecurity requirements are in place in contracts already, “the reality … is that I think a lot of companies have been waiting for this rule to come out to understand what is the level of the investment?” he said. “Am I supposed to be a Level 1 self-assessment, or am I going to need to do a Level 2 audit, which is done by a third party? Where does the work that I do for the department — or as a subcontractor to some of the primes — where does this fall into that environment, and what do I need to then invest in to meet that requirement?
“I think some people have perhaps postponed or delayed those investments, waiting to see what this looks like and trying to get a better sense of it,” he said. “So, they do have an existing obligation, [but] I don't think the department has the kind of universal adoption that they think the contract clauses require.”
Another potential cost driver is the expansion of scope in the proposed rule requiring companies to assess not only assets that process, store or transmit CUI but also those that provide security for CUI assets, Scott said.
“From my perspective, that means we are eliminating a huge swath of the available security tools … that are out there for purchase by the defense industrial base,” he said. In the last decade, “nearly all security tools have a cloud component now,” and the CMMC 2.0 proposed rule requires cloud service providers to meet the Federal Risk and Authorization Management Program, or FedRAMP, Baseline Moderate or Equivalent standard.
“There are only 300 or so FedRAMP offerings out there, and they are all tooled for big government, … and if you're a small or medium-sized business, there continues to be challenges in even getting someone to sell those offerings to you, if they exist,” Scott said. And switching to a FedRAMP product will incur a “significantly” higher licensing cost, as “it's very expensive to get something FedRAMP certified and very challenging.
“It is a very, very expensive prospect for a company to get their tool FedRAMP certified. … I don't think there's going to be a lot of drive in the commercial security space to accommodate this because the small and medium-sized defense contractors” aren’t a large enough market, he said. “The DoD isn't driving the marketplace — the rest of the commercial world is, and the rest of the commercial world doesn't care about FedRAMP.”
After taking industry’s comments on the CMMC 2.0 proposed rule under consideration, the Defense Department is expected to publish the permanent rule later in 2024. Scott offered a grim outlook if there aren’t significant changes to the proposed rule.
“You have a pretty fair size of DoD companies that live below what I call the cybersecurity poverty line,” he said. “The DoD has said [it was] prepared to accept some shrinkage in the [defense industrial base] in order to meet these requirements because it was important. Potentially, I think the shrinkage could be quite large, [and] I don't think the DoD is going to allow that to happen, because [it needs] those companies.”
Scott said he thinks of CMMC as the “unstoppable force meeting the immovable object,” or a “high-speed SUV sliding into the intersection against the light — there’s going to be a wreck, but I don't know where all the cars are going to end up.
“I suspect that the DoD will probably be forced to modify and lower some of this, because … they really would just crush a significant portion of the defense industrial base if they roll forward with it as is,” he said.
Hodgkins said he believes CMMC “will deliver better security at the end of the day” and have a “rising tide floats all boats effect, but it's going to come at a cost.
“I don't know that the government has fully understood what those costs are, and I don't think there's a clear understanding of how government requirements need to be part of the cost of the end product,” he said.
Noonan said the “silver lining” for defense companies is that “despite … some of the noise around these requirements, they're largely the same requirements, and it's kind of like getting in shape.
“There's no better time to start than now, and the sooner you start, the sooner you’ll get to the finish line,” he said. “Certainly, read the rule, make comments, do all those things, but more importantly, get to work on implementing the requirements, because that's really where all the gains are.”
Additional reporting by Stew Magnuson