The Pentagon’s high-level review of the Cybersecurity Maturity Model Certification remains ongoing, but officials are intent on addressing small business concerns about compliance costs among other changes to the much-debated program.
Jesse Salazar, deputy assistant secretary of defense for industrial policy, said the review is helping refine an implementation plan for CMMC with three “broad goals.” Salazar, who was appointed by President Joe Biden early this spring, recently assumed oversight of CMMC.
“First, we’re focusing on managing costs to cybersecurity for small businesses,” Salazar said June 22 during the Professional Services Council’s Federal Acquisition Conference. “I recognize that small businesses are under immense market pressures.”
He referenced how the number of small businesses in the defense industrial base has shrunk by more than 40% in the last decade. CMMC compliance could force more companies out of the defense business, an issue most recently highlighted by electronics manufacturers.
“Our goal is to mitigate costs while protecting the cybersecurity of these businesses,” Salazar said, without adding further details about plans to do so.
Meanwhile, CMMC Accreditation Body Chief Executive Officer Matthew Travis, speaking later during the PSC conference, said the body and Defense Department are discussing several options for helping small businesses with the certification.
“We hope that we can be in the place where, either working with existing mechanisms in the department, the Trusted Capital program or elsewhere, that we’ll be able to maybe provide grants or forgivable loans for the smallest of these DIB companies to help them make those investments to get their baseline where it needs to be to get certified,” Travis said. “These are all in the good idea category. Right now, there’s no plan in place, but we certainly at the [accreditation body] are thinking about what tools maybe we could provide, given the position that we occupy and the role that we play, to help small businesses.”
Beyond small business concerns, Salazar said the second goal of DoD’s review is clarifying cyber regulations and contracting requirements. DoD published the interim acquisition rule implementing CMMC last year, but industry has questioned how the regulatory program fits in with numerous other rules governing cyber and supply chain security.
“We want to de-conflict and streamline them in order to add clarity,” Salazar said.
The third and final major point for DoD officials is to “reinforce trust and confidence in the maturing CMMC assessment ecosystem,” Salazar said.
The CMMC Accreditation Body authorized the first third-party assessment organization (C3PAO) earlier this month. But more than 150 candidate C3PAOs are awaiting certification, according to the Accreditation Body website. Such organizations, along with individual assessors, are a key facet of a program that envisions one day certifying the cybersecurity practices of hundreds of thousands of contractors in the defense industrial base.
“The department is ensuring that we can operationalize our requirements through a sufficient number of assessors,” Salazar said. “We are also clearly defining roles and responsibilities, standards of conduct and audit mechanisms within the external assessment ecosystem.”
While he previewed the CMMC review, Salazar did not give a timeline for its conclusion and release. Deputy Defense Secretary Kathleen Hicks directed the review in March.
Sen. Joe Manchin (D-W.V.), chairman of the Armed Services Cybersecurity Subcommittee, said during a hearing last month that he anticipated Hicks would be making “significant modifications” to the program.
But Salazar, as he has mentioned previously, said the internal assessment “is common for major programs to help us refine our policy and program implementation.”
Travis also emphasized the accreditation body is moving forward as it awaits DoD’s decisions from the review.
“While CMMC will continue to be adjusted in this pilot phase, we’re going to continue to march forward, and we’re still looking for more individuals and companies to come into the ecosystem, either as C3PAOs, assessors, instructors, consultants, or ultimately, if you’re seeking certification on your part of the DIB, there’s a lot of information that you can start consuming,” he said.
The accreditation body certified RedSpin and Kratos as the first C3PAOs earlier this month. But first, they need DoD and the CMMC AB to finalize the assessment guide and scoping guidance laying out how exactly assessors will evaluate defense contractors.
They also need a web portal through the Enterprise Mission Assurance Support Service for submitting assessments to the department and the AB.
“I told the two C3PAOs that we’re targeting mid-July to get all this wrapped up,” Travis said, adding that the “long pole in the tent” is likely setting up the eMASS portal on time.
Travis also laid out the all-important dispute resolution process for contractors who believe something went amiss with their CMMC certification.
If the company believes the assessor made a mistake in evaluating their cybersecurity practices, then Travis said the dispute would be lodged with the C3PAO overseeing the certification. The organizations have to submit the resolution process they would use before being approved as C3PAOs.
But if a company believes the assessor or the broader assessment team acted unethically, the accreditation body would step in.
“There’s really two tracks,” Travis said. “If the company thinks they haven’t had a fair shake on a technical issue or that the assessors haven’t fully understood the information provided, there’s a dispute resolution process that the C3PAO will adjudicate. If there was any hint or allegation of misconduct, ethical breach or bias, that dispute comes to the accreditation body and we adjudicate that.”
Meanwhile, questions continue to arise about the longer-term timeline and feasibility of implementing CMMC across the vast defense industrial base. Prior to the CMMC review, the department laid out a timeline for slowly ramping up the program to cover all contracts by 2026.
Travis said any new details on the timeline of the program are subject to the review, but said he constantly talks to DoD officials about achieving “scalability” in the program.
“If you look at similar initiatives in the past, whether it’s FedRAMP or others, I think there was a longer-term scalability path for them,” Travis said. “I expect us to follow similar growing pains early on.”