Tabletop exercises to put CMMC 2.0 through the paces

As part of the Cybersecurity Maturity Model Certification exercise, DoD will figure out which data under Level 2 will require self-assessments and which will re...

Keep an eye on the Defense Department this summer to see just how well designers of version 2.0 of the Cybersecurity Maturity Model Certification (CMMC) did.

The first real test of the revamped effort comes in the form of tabletop exercises in mid-to-late June or early July.

Stacy Bostjanick is the chief of implementation and policy in the DoD’s Office of the DoD Chief Information Officer.

“We’re going to be doing some tabletop exercises where we actually fabricate a program and walk the dog, making sure we look at a proposal, that we’re looking for the right information and we’re going to have members from the Defense Industrial Base (DIB) sector participate with us,” said Stacy Bostjanick, the chief of implementation and policy in the DoD’s Office of the DoD Chief Information Officer, at the AFCEA NOVA Small Business IT Day event on May 5. “We want to hear from your perspective, whether that’s a bridge too far or that’s too hard for us. We need to read wicker it a different way to make sure that what we put together is an executable program that people can participate in and understand from the get go what your requirements are and how you have to manage and handle things.”

DoD revamped its approach to securing controlled unclassified information (CUI) in November and is going through the federal rulemaking process. These tabletop exercises, Bostjanick said, are an important step toward DoD’s goal of launching CMMC in 2023.

One big area of interest for DoD is the use of CUI. Bostjanick said contractors who hold certain kinds of CMMC Level 2 CUI will just need to do a self-assessment while others who hold more sensitive Level 2 data will need to get a third-party assessment.

“What we are working through with those tabletop exercises that we’re working on today is going to ferret out where we feel that we can bifurcate Level 2, where we have prioritized and non-prioritized CUI. If you are a company that has federal contract information (FCI), you got to do the 15 [security controls], you got to do that annual self assessment and affirm that you’re compliant to those. Then, you would have to do the self assessment once every three years,” she said. “What we’ve said when we started looking at the universe of companies because there’s about 80,000 companies that are anticipated to be CUI holders, and undoubtedly you will not be bidding on just one contract, I think the thought process is eventually everybody will end up wanting to participate on a procurement that needs a third-party certification. But if you’re lucky enough to be only in receipt of non-prioritized CUI, you’ll be able to do that.”

As for FCI, the National Archives and Records Administration’s Information Security Oversight Office wrote in a 2020 blog that “the definition of FCI which mentions information that is ‘provided by or generated for the government under a contract to develop or deliver a product or service to the government.’ In other words, FCI is more about what the government gives to you as part of the contract or what you create for them under the contract, while CUI protected under the General Procurement and Acquisition category is mostly proprietary information and sensitive information that is provided to the government and protected throughout the contracting/award process.”

Securing data is the ultimate goal

By shifting to CMMC 2.0, DoD hopes the process to secure CUI and other more sensitive data will be less onerous and more streamlined than version 1.0. In this second iteration, DoD combined five levels into three and focused on the type of data that vendors must protect and reduced the requirement for third-party assessments.

Dr. Kelly Fletcher, the principal deputy DoD CIO, said at the AFCEA NoVA event that the Pentagon understands what they are asking contractors to take on isn’t easy and will require time and patience. DoD estimates it could take two years from when the final rule is out in mid-2023 for CMMC to hit full operational capability.

Fletcher said as the program rolls out over the next year DoD, the ultimate goal is for contractors to do more to protect their network, systems and data, most immediately ensuring they meet the cybersecurity practices laid out by the National Institute of Standards and Technology in Special Publication 800-171.

“We’re writing a proposed rule change to Sections 32 and 48 of the Code of Federal Regulations (CFR). That is happening behind the scenes, there are people working super, super hard on this, but you are not going to see it. We, the DoD CIO, we’re going to submit these draft rules to the Office of Management and Budget (OMB), and then they’re going to enter into the rulemaking process,” Fletcher said. “We think that the rule will be published for public comment in March 2023. The reason that’s really important is this is public comment. You have the opportunity to comment, and we want your comments. We want you to say ‘this is too onerous. This is expensive. This isn’t onerous enough.’ We want those comments, and the way that you can do that is through the OMB website, and that’ll be in March about.”

After the proposed rule is out, and it’s likely to be an interim rule with a request for comments, DoD will start adding CMMC requirements to contracts.

Fletcher said the CIO’s office is strongly encouraging contracting offices to release requests for information and other pre-solicitation notices if the upcoming request for proposal will include CMMC requirements.

“The way that you will know that CMMC is required is when you look at an RFI and RFP or solicitation it’s going to tell you very clearly, CMMC certification is required at this level. So it’ll never be a surprise, and it’s not going to be backwards compatible,” she said.

Project Spectrum focuses on small businesses

Fletcher added that companies, especially small firms, should begin as soon as possible to prepare for CMMC no matter the level.

DoD is providing help to small companies through Project Spectrum.

Kareem Sykes, the program manager of Project Spectrum, said the initiative aims to help small firms, through their Mentor-Protégé relationships improve cybersecurity and meet CMMC standards.

He said the current pilot effort has about 13 companies but they want to expand it over the next year.

“As we get companies in, we educate them about what the [CMMC] requirements are and how it relates to them as a company. We get an idea of what they’re doing in the space and an understanding what their goals are. Are they looking for Level 1, Level 2 or Level 3? Once they have an understanding of what those encompass, we talk about cyber curriculum development. A big piece of what we do is cyber coursework,” Sykes said at the AFCEA NoVA event. “I heard a lot of talk about plan of action and milestones (POA&Ms), which obviously, under the 2.0 model will be more time bound and where companies have a little more leeway and flexibility. So to that end, as it relates to courses, we have a POA&M course, we’re hot and heavy and developing and it should be very out very, very soon.”

Sykes said participating companies need both a mentor-protégé agreement and a sponsoring DoD agency.

He said the first step for companies who want to participate is to apply for the program and complete a cyber readiness check, specifically with a focus on NIST 800-171 and CMMC requirements.

Once they are accepted into the program, then comes the training based on the results of the readiness check.

“We’re going to schedule a tech review call, want to make sure that they, in no uncertain terms, know they have access to our live cyber advisors, and then within two business days of that call, that’s when we get into the actual customized compliance plan or the training plan,” he said. “They have actionable data and information from which to move forward in their journey.”

Incentives for contractors

Additionally, Congress approved, but have not funded, DoD to provide grants or loans to companies to meet the CMMC requirements. Bostjanick said there are constant conversations about how best to help small firms improve their cyber postures.

In the meantime, companies can help offset the costs of CMMC in other ways.

“CMMC is an allowable cost. It’s a cost of doing business,” she said. “You can include that in your overhead and general and accounting rates to be able to recoup the cost that you’ve spent implementing CMMC.”

DoD also is hiring more assessors through the Defense Contract Management Agency (DCMA). Bostjanick said DCMA received funding to hire 140 new assessors for the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) team, and has started to bring them on board.

“[DCMA wants to] make sure that they have the capacity to handle the CMMC Level 3 certifications. They are also the ones that are doing the CMMC Level 2 certifications for the certified third-party assessment organizations (C-3PAOs),” she said. “We are quite confident that the DIBCAC does have the bandwidth and the capability to handle anything that we are going to need in the future.”

Fletcher said despite the challenges with CMMC 1.0 and the move to 2.0, companies are understanding today more than ever why they must do a better job securing data.

“By the summer, if you know that you’re CMMC compliant, if you feel confident in your networks and you’ve done, perhaps, some of this early actions, you’re going to be super well postured for when you’re going to start seeing RFIs and RFPs that call for CMMC requirements” she said. “If it were me, I would want to be some one of the early adopters, and I think it’s going get rid of a lot of competition, although I could be wrong. I think not in the long term. But certainly initially.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories