The Pentagon didn’t introduce any groundbreaking changes in the final Cybersecurity Maturity Model Certification rule, but CMMC observers say the Defense Department made several key updates and definitions to help companies as they work to comply with the requirements.

Meanwhile, industry groups are now turning their attention to potential challenges with implementing the CMMC requirements through the contracting process.

The Defense Department published the final CMMC rule in the Federal Register earlier this week. The rule establishes the underlying processes and governance for the contractor certification program.

As many expected, the final rule maintains the three tiers of the CMMC requirements, and the certification program’s alignment with National Institute of Standards and Technology cyber standards.

The final rule doesn’t contain any surprises, according to Ryan Burnette, a government contracting lawyer at Covington and former official in the Office of Federal Procurement Policy.

“We’re seeing DoD really just sort of fine tune some of the regulatory language,” Burnette said.” But overall, I don’t see DoD having made particularly significant changes between what they proposed and what is what we’re now seeing in terms of the final rule for that’s going to govern the mechanics of the program.

Michael Gruden, counsel at Crowell & Moring and a former DoD contracting officer, noted DoD’s rule clears up some ambiguity around the role of cloud service providers and external service providers, as well as key definitions for specific issues like the protection of “security protection data.”

The rule, for instance, states that cloud service providers that handle controlled unclassified information (CUI) will be required to achieve a FedRAMP Moderate authorization or meet equivalent requirements, as laid out in a recent DoD memo.

But those cloud service providers that don’t handle CUI don’t need to go through the sometimes arduous FedRAMP process. Instead, DoD’s rule states they’ll be assessed as part of the contractor’s overall assessment.

The clarification is especially important for companies that provide services involving so-called “security protection data,” a CMMC-specific term that includes cybersecurity logs and scans, but not any CUI.

“Those nuances were needed, and I think are really useful now as companies devise a compliance strategy to meet CMMC,” Gruden said. “Now there’s more clarity in understanding what the government expects, and how all the various building blocks of compliance can fit together, and companies can then use that to then tailor their own compliance approach going forward.”

The final rule also includes updates such as an “enduring exception,” defined as “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” Examples could include cases involving operational technology and Internet of Things devices.

The rule also allows for a “temporary deficiency,” where a security issue is discovered but in the process of being addressed.

“The FedRAMP equivalency, enduring exceptions, temporary deficiencies — all of those things communicate that the DoD is really taking into account the plight that contractors have in trying to implement and maintain cyber hygiene,” Gruden said.  “Some of these even mild concessions should go a long way in helping companies have a greater degree of ease, if you will, of implementing these.”

CMMC acquisition rule still being finalized

Meanwhile, DoD is now finalizing a proposed acquisition rule that would inject CMMC into the defense contracting process. Comments on the acquisition rule closed Oct. 15. In a statement last week, DoD said it would finalize the rule in “early to mid-2025.”

“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts,” DoD added.

Many defense industry groups are now turning their attention to that rule, raising potential challenges with contracting process. DoD has laid out a plan for a three-year phased implementation plan for CMMC.

But the Professional Services Council, in comments on the proposed rule, raised potential issues with how DoD program offices will use CMMC as part of the solicitation process, among other concerns.

“PSC believes that, absent much greater clarity than included in the proposed rule and more time for a phased implementation, contracts under CMMC 2.0 will be expensive, time consuming, and difficult to execute,” PSC wrote. “It is not clear that the results, even with full compliance, will actually improve cybersecurity or stay ahead of evolving threats.”

The Information Technology Industry Council also recommended several changes to the proposed rule, including an update on CMMC waivers during the phased roll-out.

“We’re pleased that DoD continues to listen to the industry’s implementation concerns,” ITI Senior Manager of Public Sector Policy Leopold Wildenauer said in a statement. “Over the past few years, DoD has continuously partnered with the Defense Industrial Base to advance the program and strengthen its implementation in DoD contracts. We encourage the department to continue this path by addressing remaining concerns with the incident reporting requirements harmonization and the enforcement of waivers.”

Aerospace Industries Association President Eric Fanning, in a statement released after the program rule was finalized, said AIA is “paying close attention” to the proposed acquisition rule.

“Several more steps must be taken before CMMC is a seamless part of DOD contracting,” Fanning said. “The first step for defense industrial base companies will be scheduling their assessments and obtaining their certifications. This phased approach is absolutely necessary due to the limited number of assessors to meet what we expect will be significant demand, especially among the supply chain.”

A persistent concern from industry in the coming months is likely to be the number of assessors available to meet the demand for CMMC assessments. The Cyber Accreditation Body, a nonprofit that holds a contract with DoD, is responsible for approving CMMC Third-Party Assessor Organizations (C3PAOs) for the program.

“PSC believes the proposed rule should make it clear that DoD will not incorporate CMMC requirements into contracts beyond the capacity of C3PAOs to certify not only sufficient numbers of prime contractors and their supply chains but also the right ones to ensure robust competition,” PSC wrote in its comments. “Additionally, it should outline how its plans for managing competition in the defense industrial base (DIB) in the event there are insufficient C3PAOs to assess and certify companies in a timely manner.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.