Proposed CMMC rule contains no surprises, but raises some initial questions

The rulemaking is largely what CMMC insiders expected, but it still raises questions, like how the certification program will impact external IT service providers.

The Defense Department packed a lot of detail into its proposed rule for the Cybersecurity Maturity Model Certification program, released just before the holiday break. But CMMC experts also see a lot of lingering questions that DoD will have to address in 2024 before finalizing the rule.

The Pentagon announced its plans for a revised “CMMC 2.0” more than two years ago, after it delayed an initial CMMC rule issued in late 2020. The goal of the program is to ensure contractors are following cybersecurity requirements for protecting sensitive but unclassified information.

Despite all the questions and controversy at times with CMMC, Bob Metzger, the head of the Washington office of law firm Rogers Joseph O’Donnell, doesn’t see any big surprises in the rulemaking released in late December.

“Clearly, DoD has put a huge amount of thought into it,” Metzger said during a Jan. 2 meeting of the Cyber Accreditation Body. “And undoubtedly they’ve read some or perhaps much of the commentary that has been swirling around the expected 2.0 rules for a couple of years. And yet, when you look at what they’ve actually done, there are no significant architectural changes. This is pretty much what we were told we were going to get.”

The Pentagon stuck with changes to split up the CMMC requirements into three different levels. DoD plans to fully institute those requirements across all solicitations by October 2026.

DoD projects that the program will affect about 220,000 companies across the defense industrial base. But the department projects that the majority of those companies — just short of 145,000 — will only be required to self-attest to meeting cybersecurity standards.

DoD still estimates that about 76,000 companies in the defense industrial base handle more sensitive information that will require them to get a third-party assessment of their security practices.

Metzger says the rule shows DoD is not backing off contractor cybersecurity initiative.

“The rule communicates that DOD is serious about the cybersecurity of the defense industrial base,” he said. “They could have made life easier for small businesses, they might have truncated the requirements or extended the rollout period, or increased the opt outs or given contracting officers more latitude over a greater period of time so that it wouldn’t be as demanding for so many, but in the main, they did not. They kept the bar fairly high for almost everyone.”

The proposed rule carves out an important role for DoD’s prime contractors. It requires those companies to both comply with CMMC themselves and flow down the requirements to subcontractors throughout their supply chains.

“That reads to me that DoD is going to hold that prime contractor responsible for their entire supply chain,” Eric Crusius, a procurement attorney and partner at Holland and Knight, said during the Cyber AB meeting. “And you could bet that that will waterfall all the way down the supply chain from the prime contractor and may accelerate the requirements that some of these large primes have for getting a CMMC certification along the way”

But experts also say some important clarifications will be needed as DoD finalizes the rule. DoD is collecting comments on the proposed rule through February 26.

For instance, which version of the National Institute of Standards and Technology Special Publication 800-171 will contractors have to meet? The proposed rule says revision 2. But NIST is finalizing Revision 3 of the 800-171 publication with some important updates.

The rule raises questions about what version of the standards contractors will have to meet, and how DoD will ensure its contractor cybersecurity requirements keep up with evolving cyber threats.

Jacob Horne, the chief cybersecurity evangelist for Summit Seven, said DoD should clean up some of those needed clarifications. But Horne also pointed out that instituting major cybersecurity improvements to the defense industrial base will be a gradual process.

“Overall, I think that the best that we’re ever going to be able to accomplish is going to be incremental changes over time,” Horne said during the Cyber AB meeting. “I think that some sort of wholesale sea change, revolutionary, continuous monitoring, elite, high speed security revolution is just not going to happen via policy or politics or whatever. And if in this rule, specifying Rev Two is the first increment in that long series of increments, then I think that it is a reasonable compromise in a lot of ways.”

Another key question is how DoD will apply the CMMC requirements to companies that provide IT services to businesses in the defense industrial base, referred to as managed service providers or MSPs. Many defense contractors, especially small businesses, don’t manage every aspect of their IT networks. Instead, they outsource IT and cybersecurity to MSPs.

Metzger, who noted he sits on the board of an MSP firm, says the rulemaking needs to clarify how those external service providers should meet the CMMC requirements.

“We also need to be thinking about that often used word: reciprocity,” Metzger said. “If an MSP is deemed to sufficiently meet -171 for one client, we’d sure like it to apply for all clients that are using the same services, so that we don’t have each client of an MSP fighting its way over the hill to get essentially the same outcome. This proposed rule is better on MSPs. It avoids very, very bad outcomes that might have occurred. But it is not clear enough in my view.”

Crusius said CMMC Third-Party Assessment Organizations will also be strained to meet the demand of providing assessments for more than 70,000 companies in the coming years.

“There’s no way that the C3PAO community will be able to get through them fast enough for the amount of companies that need them,” he said. “So I think this only works by having an MSP community that is able to get certified and is able to be kind of categorized in a way where DoD can look at them and say, ‘OK, if this company is using this MSP, we know that 30, 80, however many of these boxes can be checked.’ We have to verify, but we don’t do like investigate each new system like it’s a brand new system, which would make these assessments a lot slower.”

Another critical question is when exactly the rule will be finalized. It typically takes an agency at least a year to adjudicate all the comments and finalize a complex rulemaking. But Horne and others pointed to a couple reasons why DoD may be able to finalize the rule by the end of calendar year 2024.

“Given the election, given the fact that DoD, against their desire, was forced to wait another three years, essentially, from the time they issued their 2020 rule, I would imagine they are exceptionally highly motivated to get this wrapped up before the end of this year,” Horne said. “That means, hey, maybe we’ll have another Christmas surprise at the end of this year.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories