The Pentagon will soon publish a rule to formally begin implementing the long-awaited Cybersecurity Maturity Model Certification regime.
CMMC is intended to provide the Defense Department with a way to assess whether tens of thousands of contractors in its industrial base are meeting cybersecurity requirements for protecting controlled unclassified information (CUI) on their networks.
The program has been years in the making, and the rule is coming out approximately two years after the Pentagon massively reshaped the CMMC program to make it less of a burden for smaller businesses.
“This is the most ambitious cybersecurity conformity initiative ever attempted,” Matt Travis, the chief executive officer of the Cyber Accreditation Body, noted during a “CMMC Ecosystem Summit” hosted by GovExec today.
With the rule nearing publication, DoD officials did not discuss the program during the event. But several officials and experts close to the long-brewing CMMC program offered key things to watch as DoD prepares to issue what many expect will be a proposed rule.
Expect a lengthy document
The CMMC rule won’t make for light reading. Travis said he expects the rule will be in the “hundreds of pages” when you factor in supporting documents.
Bob Metzger, head of the Washington office for law firm Rogers Joseph O’Donnell, said he expects the rule to be “long and complex.”
“I’ve heard reports that it’s 150 pages, perhaps even more in the draft stage,” Metzger said today. “I’ve been told that there will be an extended treatment at the start of the rule that explains why they’re doing this and what it’s supposed to mean, and what the benefits will be and how it will impact industry.”
But the back part of the rule, Metzger said, will spell out the changes to federal regulations under Title 32 of the Code of Federal Regulations, “National Defense,” as well as under the Defense Acquisition Regulations System in Title 48 of the Code of Federal Regulations. Those changes will explain how the CMMC program will work in practice, key information for companies that will need to get assessed under the forthcoming requirements.
“That’s the stuff that actually will impact you when it becomes final,” Metzger said.
Comment period to be extensive
Once DoD publishes the rule, it will kick off a 60-day public comment period. Metzger noted the previous CMMC rule in 2020, before the program was revamped, received more than 800 public comments. “I would expect there’ll be more for this,” he said.
And it’s also possible, given the scale of the program’s impact, that DoD extends the comment period beyond 60 days. Metzger pointed to how agencies recently extended the public comment period for a number of cybersecurity rules and requests for information, including an RFI on cyber regulatory harmonization.
“Probably they’ll extend it probably for another 60 days,” Metzger said. “But that would be it.”
While DoD officials are following protocol by staying tight-lipped about the rule ahead of its release, Travis expects officials will talk more once the rule is published.
“I would expect the department, at some point during that comment period, to say something publicly,” he said. “I don’t think we’ll hear anything out of the gate. But I would be surprised that they didn’t come out and kind of explain their work while the public comment period is still open.”
How will DoD address small business concerns?
The changes DoD announced in late 2021 were intended to streamline the program by reducing the number of CMMC “levels” from five to three, while also making it easier for small businesses to comply with the certification requirements.
“A question yet unanswered is whether the rule will sort of set different expectations or demands for smaller businesses as opposed to larger ones,” Metzger said.
In CMMC regulatory documents that were accidentally posted online in August and subsequently pulled down, DoD estimated approximately 76,000 companies would be required to get a CMMC “level two” third-party certification, including more than 56,000 small businesses.
Travis said small business concerns are a key factor for DoD in the shaping of the CMMC 2.0 program.
“The small business concerns is one I know the department and the government has been working on because it’s so important to make sure that we hold them accountable, but hold them accountable in a way that’s not going to chase them out of the [defense industrial base],” Travis said.
Jack Wilmer, a former official in the DoD office of the chief information officer and now chief executive of cyber firm Core4ce, suggested the requirements should be tailored to the sensitivity of the information, not the size of the business.
“You can be manufacturing some really meaningful components for the department,” Wilmer said of small businesses. “It’s a slippery slope when you go down size being the determining factor in how secure you should be. I tend to fall back much more on the level of sensitivity of information that you are dealing with.”
Because DoD has a direct contractual relationship only with its prime contractors (privity of contract), it will also lean on those primes to ensure the subcontractors in their supply chains are in line with CMMC.
“I would expect that the government will increase the pressure on and vigilance over the primes to make sure that they are in fact not just flowing down the clauses, but taking measures to assure that the subs are complying with the requirements,” Metzger said.
The documents that were accidentally released in August pointed to a ramp-up of the CMMC certification requirements. They show that DoD projected a total of 517 entities would need a third-party assessment in the first year of CMMC, with the number of required assessments rising steeply in subsequent years.
“The rollout is going to start small, and they’re likely to look for companies who will be ready for it,” Metzger said. “They don’t want a lot of people to fail, because that disrupts or interrupts the supply chain. Not a good outcome. But that ramp is going to get pretty steep, pretty rapidly.”
What will other agencies do?
DoD contract spending dwarfs that of the rest of the federal government. But other agencies have not been keen to jump on the CMMC bandwagon, publicly at least, even though they also face concerns about the cybersecurity practices of their contractors.