Federal contractors have known it’s coming. The Cybersecurity Maturity Model Certification program imposes on them basic protective measures … if they’re dealing with the government and its data. Earlier this month the program moved closer to operational reality. Joining the Federal Drive with Tom Temin with what you need to know, Rogers Joseph O’Donnell partner Bob Metzger.
Tom Temin: Contractors have known it’s coming. The Cybersecurity Maturity Model Certification Program imposes on them basic protective measures if they’re dealing with the government and its data. Earlier this month, the program moved closer to operational reality. Here with what you need to know: Rogers Joseph O’Donnell partner, Bob Metzger. Bob, good to have you back.
Bob Metzger: Thank you.
Tom Temin: Now this program, again, has been promised, but it’s not quite imposed in reality yet. But there’s some action bringing it closer to where people are going to have to get on the program. Tell us the latest.
Bob Metzger: Well, Tom, there is a lot going on. It is a huge effort, and those in the Office of the Secretary of Defense who are responsible, Kevin Fahey and Katie Arrington, deserve a lot of credit for getting so much accomplished, so fast. And we also have to recognize the hard work and the accomplishments of the volunteers on the CMMC accreditation body. That said, you know, I have some issues with where we’re going and where we ought to end up. I’ll briefly summarize where we are. A lot has been accomplished on what’s called the assessment ecosystem. These are the practices, procedures, policies and people that will determine who is a certified assessor who can look at the cybersecurity of a contractor and decide whether they earn the necessary certification maturity level. Lots has been done there. And something has been done on picking the initial programs that will be pathfinders to see how well CMMC works in practice. Also, a marketplace is emerging rapidly. That includes consultants of all sizes and stripes, and there are new technical solutions that are being produced by even the biggest contractors to help small companies meet the need. What we’re missing, however, is a crucial piece. We do not know what the regulation is by which contracts will include clauses that require pursuit of, or require, a CMMC certification. All of this has to be implemented through a contract clause. There’s a rulemaking effort underway. The rule has not been put out for notice or comment. It’s not final, and until it is final, all this is a lot of preparation and a lot of anticipation, but not much in the nature of requirement.
Tom Temin: Yes, this is a pattern we’ve seen also with the ban on Chinese equipment. The rule has finally come out as an interim rule, but it’s going to be effective with only three weeks before the legal deadline. And that could change, but they had two years, really, to develop a rulemaking for this. And so it sounds like there’s a similar process. The rulemaking is the bottleneck in the CMMC a little bit, too.
Bob Metzger: It is, and there’s an interesting comparison. It’s easy to state high principles and worthy objectives, and 889 has one; in other words, let’s remove certain Chinese-source materials from what we use for surveillance, for video surveillance or for telecommunications. And CMMC, of course, has a great objective: making sure that we don’t rely upon self-attestation of companies, that we have assessments to verify security. All good. But there are an awful lot of details, and in order to get those details accomplished, you can run into many practical obstacles. And you have to find a way to accomplish the goals of the statute or of the policy without creating more dysfunction or useless expenditure than you gain in security. And I think that was a problem for the 889(b) rule. And I think it’s still a challenge for CMMC.
Tom Temin: But in the meantime, GSA is signing up contractors to become the accreditors of other contractors, to certify them to DoD that they’re okay. Are they already in place? Or when can companies go hire someone to judge them that they meet CMMC levels?
Bob Metzger: GSA is doing something different that we’ll talk about in a second. The accreditors are going to be produced and verified by this nonprofit organization called the CMMC Accreditation Board. They are developing training courses and testing programs, and they’re already taking applications and fees from people that want to be registered practitioners. They’ll soon be asking for companies to submit their credentials to become assessors or assessment organizations. It’s entirely a nonprofit that’s developing the infrastructure by which assessors will be accredited. They’re also developing an assessment guide, which will tell both companies what to expect and assessors what to do. When we have our first group of assessors, then we’ll start to see some attempts in the field to conduct these evaluations. There are approximately 70 persons who are going to be picked as provisional assessors, and we could see them begin to try some of these techniques later this fall. Now as to GSA, they’re not directly involved in determining who assessors are or how they do their job. What GSA has done, Tom, is to put CMMC into a new RFP, a final RFP, for what’s called STARS III. STARS III is the $80 billion GWAC for Section 8(a) small businesses, and incredibly, if not importantly, what GSA has done, in effect, is to say, “Attention small contractors, you should know that CMMC is coming. And when it comes, you should expect it will apply to you.” And that’s remarkable, because CMMC isn’t the regulation yet, even for DoD, and there’s nothing formal that’s been done yet that would extend CMMC or its requirements outside the defense industrial base. So maybe GSA has great purposes, but there’s an argument they’re getting a little bit far out over their skis on a slope that’s too steep.
Tom Temin: We’re speaking with Robert Metzger. He’s a partner at the law firm Rogers Joseph O’Donnell. Yes, STARS III was the one they just expanded because they ran out of other vehicles that had small business on it. But is it so bad for people to at least be forewarned, just by this other channel, that this is going to happen?
Bob Metzger: That’s the best justification for it, Tom. It’s great that the community is told to prepare for cybersecurity and also for supply chain risk management. Those are so important. But it’s a little difficult to tell small businesses that they must conform now to requirements that are not present. And on supply chain risk management, the advice that’s given in STARS III is that you should look to NIST Special Publication 800-161. That’s about 250 pages of highly complex insight and recommendations intended for federal agencies. There is no standard that was developed for commercial organizations doing business with the government that instructs them on what measures to take for supply chain risk management. Maybe there should be, but I’m troubled with the idea that we are casting future requirements that aren’t determined, the particulars aren’t known, the process isn’t in place and the regulations aren’t there. And we’re telling this huge community of businesses you should comply with these, whatever they are, whenever they come. That’s a bit peculiar.
Tom Temin: But would it be out of bounds, or would it be ridiculous, for a company to at least read those NIST guidelines? And maybe they could figure out, or use a consultant to help them figure out, “These are the top 10 you have to do,” which is probably good business anyway, to have that modicum of cybersecurity. And at least then their noses would be pointed into the wind when this whole thing actually starts.
Bob Metzger: There’s a lot to be said for getting smart sooner and acting now on both cybersecurity and supply chain risk management. These things take time to accomplish. Getting started now means that you will be further along when the time comes where regulations are in place and contract requirements are imposed. That’s all good. But we always have to be thinking about what it costs and whether there is a business case that can be made for the smaller and medium-sized companies to make this investment. We also have to be wary of asking people to meet requirements or standards when they don’t exist because in these difficult economic times, many companies are going to be very careful before they spend a lot of money unless they know what the target is and how it will be determined whether they got close enough to that target to earn the new business.
Tom Temin: Right. And the same companies may have already had to spend money to throw out all their Huawei and ZTE gear and get in whoever is not on that bad list.
Bob Metzger: Absolutely. You know, some of the aspirations that we have that are excellent national policy can have extreme effects upon the operations of companies who may already be strained. We’re talking a lot now, as you’ve read, Tom, of course, about reshoring aspects of our industrial base. I’m all for it, but we can’t bring everything back instantly. And we have to be careful that we don’t impose obligations upon our industrial base that they can’t afford to fulfill or that they literally cannot fulfill because of the absence of qualified U.S. sources. That’s one of the problems with the 889 ban. Nobody wants these Chinese sources in their supply chain. But deciding that you don’t want them does not create affordable, acceptable alternatives instantly. And we have to be wary of imposing obligations or liability risks on companies for actions that they cannot take or for participants in their supply chain, which they do not know.
Tom Temin: And getting back to CMMC. Just briefly, what are the timelines and deadlines now, over the next several months?
Bob Metzger: Well, CMMC is a little bit delayed largely because of COVID-19. What is happening now is that the accreditation program is gathering speed over the fall. I think we can expect assessment guides, the appointment of the provisional assessors, perhaps the start of these pilot programs. We will see by the end of the year at least the beginnings of an operating system by which people can become registered and certified and qualified to do assessments. Now the key is going to be when RFPs and RFIs will include the CMMC requirement. And that turns entirely upon the rulemaking. I’m told that we can expect that a rule will come out for comment maybe in September, October. Maybe it’ll just take 30 days to get through that and a final rule come out. Personally, I doubt it. There’s a lot of people whose business and opportunity are affected by CMMC. And usually in that situation, you get a lot of comments when a proposed rule comes out. And those comments have to be reconciled before the final rule is issued. So my own prediction is that we won’t really see CMMC until after the first of the year. I don’t think the regulation will be final until late in the year, and then we will start to see RFIs and RFPs include the requirements. Now that seems like a long time away, except really, it isn’t. Because if it takes you six months to get ready for an assessment, well, conceivably you could be looking at CMMC requirements in your RFP, you know, as early as six months from now. So you’d better get started.
Tom Temin: Robert Metzger is a partner at the law firm Rogers Joseph O’Donnell. Thanks so much.
Bob Metzger: Thank you.