Risk and Compliance Exchange 2024: DoD’s Stacy Bostjanick, DCMA’s Jennifer Henderson on finding ‘any means possible’ to help small biz with CMMC

As the Cybersecurity Maturity Model Certification program inches closer to reality, DoD prepares defense industrial base for compliance requirements.

The Pentagon is developing resources for small businesses and new guidance around data protection as the Cybersecurity Maturity Model Certification looms ever closer to reality.

The Defense Department issued the final CMMC program rule in October. It takes effect Dec. 16.

The Pentagon is also finalizing a proposed CMMC acquisition rule. DoD expects to issue that regulation next year, at which point the department can start including CMMC requirements in contracts.

The goal of the certification program is to ensure defense contractors are meeting established cybersecurity requirements that DoD officials say are necessary to detect and protect against cyberattacks. DoD officials say U.S. adversaries have successfully stolen sensitive intellectual property from the networks of defense contractors.

But the CMMC program has consistently faced concerns about potential negative impacts on the defense industry, especially small businesses.

Stacy Bostjanick, DoD’s deputy chief information officer for cybersecurity and chief of defense industrial base cybersecurity, noted that DoD will ramp up the CMMC requirements over a four-year phase-in period.

“The first year, we anticipate still having that self-assessment being acceptable with the annual affirmations,” Bostjanick said during Federal News Network’s Risk & Compliance Exchange 2024. “And then in year two, we’ll start seeing more contracts with the CMMC Level 2 certification. It will be decided on by the program manager and the sensitivity or prioritization of the topic that they’re going to put in their contracts.”

But DoD officials are still advising the industry to get ready for CMMC assessments, as program managers can choose to include Level 2 certification requirements in their contracts during the initial phase if they deem it necessary.

The department has also launched several programs aimed at helping small businesses meet the cybersecurity and compliance requirements.

In October, the Army announced a pilot program called the Next-Generation Commercial Operations in Defended Enclaves. The goal of NCODE is to provide a CMMC-compliant secure enclave that small businesses can use.

The National Security Agency’s Cybersecurity Collaboration Center for several years has offered free cybersecurity services to companies in the defense industrial base. The services, such as protective domain name system (DNS), can help companies meet some of the requirements that are evaluated under CMMC.

DoD’s Office of Small Business is also building a cloud environment that small contractors can access to comply with CMMC. Bostjanick said the Office of Small Business is supposed to onboard its first two contractors in January and then another 25 in February.

“We’re trying to find any means possible to help alleviate some of the pain and struggle for our small businesses,” she said.

CMMC’s CUI challenges

CMMC is meant to assess whether contractors are protecting “controlled unclassified information” in line with DoD requirements. That means the release of CUI to contractors and subcontractors is a crucial element of the compliance program.

Jennifer Henderson, senior cybersecurity policy analyst at the Defense Contract Management Agency, said labeling CUI accurately is crucial but has been a challenge for DoD programs.

“That’s been a chronic issue through the years,” Henderson said. “Hopefully, CMMC will force that train of thought, will force the acquisition workforce to be careful about what they are labeling.”

She added that large prime contractors have told DoD officials they need clear CUI labeling so they can accurately share that information, and the corresponding CMMC requirements, down their supply chains.

“We can do a better job from the department side by making sure that we are working with those prime contractors to identify what is critical, and especially with CMMC, having to identify various levels and assign various levels based on the type of CUI,” Henderson said. “And then that will surely help those prime contractors to be able to say, ‘This piece goes down to this one’ and so on and so forth down the supply chain.”

Bostjanick said DoD is working on several memos, instructions and trainings for both the DoD and contractor workforce on CUI.

“One’s a leveling memo that says, ‘Hey, if your data is associated with this kind of thing, then it’s Level 2. If it’s associated with this kind of thing, it’d be a Level 2 self-assessment or this would rise to Level 3,’ ” Bostjanick explained.

The department’s CIO Office is also working with Defense Acquisition University on CUI training.

“Some people pay attention. Some people don’t,” Bostjanick said. “And so it’s going to take a whole of ecosystem working together and challenging one another to say, you know, ‘Hey, are you giving me something that really needs to be Level 2 and, you know, maybe I don’t want that.’ ”


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
