"The real meat of CMMC is now finalized and out," said Eric Crusius, attorney at Holland Knight.
After years of cogitation, the Defense Department has finalized one of two big rules for its Cybersecurity Maturity Model Certification System (CMMC). It shouldn’t be a surprise to anyone, least of all the tens of thousands of affected contractors. Yesterday we heard from the Professional Services Council with an industry-wide take on CMMC. For a close-up look, the Federal Drive with Tom Temin spoke to procurement attorney Eric Crusius of Holland and Knight.
Interview transcript:
Tom Temin And Eric, this is one of two rules that they have finalized. The other rule comments are closed now, but that’s not finalized. So what did they finalize? What can industry see now that they know is gospel with respect to CMMC?
Eric Crusius That’s right. The rule that was finalized will lay out the entire CMMC program. So it’s going to kind of lay out how everything’s going to work. As you may say, how the sausage is made in the sausage factory, so to speak. All those kind of details about how this is going to work. That’s the rule that was finalized. And I think that is a really important part of this process because it lays out to contractors what they have to do and we have a better idea about when also.
Tom Temin Right. But this is not specifying what will be in contracts for contracting officers, right? So does it really have any meaning at this point?
Eric Crusius So it’s this huge ship without an engine, it’s there. We know what’s in the ship. We know where it’s going to go. We know the different parts of it. We don’t know — the engine hasn’t started yet to get it to port. That DFARs rule is kind of like the engine that will get it to port; that’s not finalized yet. But there’s far fewer details in that rule because it’s really just the smaller rules that go into contracts. The real meat of CMMC is now finalized and out.
Tom Temin I guess it’s fair to say, to summarize all of this, that people have known CMMC was coming now for several years and even though now it’s December that you have to get that certification from a [CMMC third party assessor organization (C3PAO)], you probably knew about this and it shouldn’t be a mad scramble if you’ve done your homework and kept an eye on this.
Eric Crusius What [the Defense Department] has said throughout the final rule, what they released, it was not just the rule itself, but a response to comments. Commentary kind of really gives DoD’s feelings and positions on these different issues. And one thing they’ve said consistently up to this point and within this rule time and time again is that these requirements have been around for the last seven years or so. Contractors have had a long time to get up to speed with protecting controlled unclassified information (CUI). This should not be a heavy lift for those contractors who have done what DoD expects them to do. It’s easy to disagree with that in some respects, especially new entrants to the marketplace. Smaller contractors also have concerns about the cost of this, but DoD has really thought that, ‘hey, this has been a requirement for a long time. All we’re asking to do is verify, to show us that you’re doing what you’ve said you’ve been doing for the last number of years.’
Tom Temin And I guess you could argue that these are controls, the specific cybersecurity controls themselves — aside from compliance with CMMC — is something you probably should have anyway if you are a defense contractor or if you simply value your company and want to keep cyber hackers, etc. out of it.
Eric Crusius I mean, compliance with these controls does not guarantee that you won’t have a cyber incident, but it’s sure as heck going to help prevent cyber incidents from happening. So even without the CMMC requirement, I think for a lot of contractors it’s a good idea. These nation states that are watching us closely, like China, they know the smallest companies out there in our supply chain, if they have valuable information. And they know that they are generally a weaker link. And if you own one of those companies, it really is a good idea to protect yourself because a cyber incident that goes the wrong way could mean the end of a business. So it’s an expensive investment to make, but I think it’s a business necessity as well.
Tom Temin And what do we know about the capacity of the assessors, the third party organizations? Are there enough of them out there, do we know? Do they have the capacity to maybe take on an onslaught of requests for certifications?
Eric Crusius That’s a that’s the million dollar question right there, maybe billion dollar question. But right now there are between 50 and 60 assessors out there that are capable of doing assessments. A lot of them have multiple assessment teams. So maybe there’s 100 assessment teams out there that could do assessments right now. Obviously, there are 76,000-plus companies that will need to get an assessment. But DoD’s hope is that rolling this out in stages will lessen the immediate impact, although I do think early on, once the DFARs rule comes out especially, there’ll be a little bit of a rush on the bank where contractors will just want to get assessed because they want to protect themselves. Because even though this is rolling out in phases, we don’t know exactly when the contract that that contractor has will need to get assessed. Right. They haven’t identified specific programs that are going to come first. So if I own a business that is wholly reliant on DoD contracts. I’m not going to wait. I’m just going to go and get my assessment. So that way, if an opportunity comes up that I want that requires an assessment or the work I’m working on now that’s going to be up for renewal next year is going to require an assessment, that I’m prepared to do so.
Tom Temin And if a company is assessed and certified as compliant with the controls required under CMMC and something happens bad in the cyber domain, they get attacked or something or they lose data. And it turns out that control wasn’t really in place. Who’s to blame? The assessor that said it was, or the company that thought it was?
Eric Crusius This segment’s an hour right?
Tom Temin Right. Well, yeah, I realize this could be opening up a whole channel, but it seems like that question is going to come up, I think, at some point.
Eric Crusius I think so. And I think that’s going to be very factually specific on the circumstances. Why was that control not identified as being not met? It could be that the contractor did something to obfuscate that control, perhaps, or maybe the assessor just kind of messed up. A lot of what DoD has been doing now with with various cyber incidents, they haven’t looked to punish contractors that have had cyber incidents. They’ve worked to kind of discover what’s going on so we can fix it so we don’t have this spread across the defense industrial base. And that’s going to change at some point where they’re going to say, ‘okay, you’ve had enough time to kind of get up to speed here,’ but I hope if something like that happens, it’s not the result of a missed control. It’s just that the hackers knew a better way to build a mousetrap, so to speak.
Tom Temin Yeah, there’s no guarantees in any of this, I guess.
Eric Crusius No guarantees. But certainly there are going to be instances, like you said, where a control was not met. There was a mistake made by an assessor or some kind of obfuscation by the contractor and DoD is probably going to want to find out which one it is, because if an assessor is doing something wrong, they’ll want to know that so that they can course correct for that assessor at least. Or assessors maybe that have the same idea.
Tom Temin And what’s the expected timeline for the second rule that will operationalize it with DFAR changes? I mean, you’ve characterized it as a ship without an engine. I look at it more as all the train cars are lined up now, the locomotive is backing down the track to hook up to that train and yank it along.
Eric Crusius I think they’re both great analogies there. So we now have comments that have been submitted for this. I really think they’re going to move quickly with this. I could see this final rule coming out the end of Q1 of 2025, the DFARs rule, and that’ll get this whole ball rolling. They didn’t waste any time. This rule, that part 32 rule, which is now finalized, over 400 pages long, it took them less than a year to get it out the door from proposed rule to final rule with hundreds of comments. Here we have a much simpler rule that will bring in far fewer comments. I don’t think it’s going to take them long at all to kind of go through those comments, adjudicate them and issue a final rule that’s largely consistent with the rule, the proposed rule that’s already out there.
Tom Temin Far fewer comments, pun not intended.
Eric Crusius Not intended in this instance.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED