The accreditation body behind the Cybersecurity Maturity Model Certification program is planning to revise a draft process document released last month after it was roundly criticized for being overly complex and prescriptive.
During a Tuesday public meeting, Cyber Accreditation Body Chairman Matthew Travis emphasized that the “CMMC Assessment Process” document, referred to as “the CAP,” is a pre-decisional draft. The Cyber AB released the first public version of the document in late July. It lays out a procedural guide for how CMMC assessments of defense contractors should be run.
“We very much wanted to get your feedback, and I know the draft CAP has caused a lot of activity in message boards and other fora, which is great,” Travis said Tuesday. “We’re going to continue to work this and adjudicate comments and share with you, each month give you an update on CAP revisions and changes.”
In an Aug. 24 letter to Travis, the Coalition for Government Procurement argued the draft CAP “adds more burden and expense to an already complex process.” The coalition says it has more than 300 members, and 25% are small businesses.
“We have serious reservations regarding the CAP and urge that it be withdrawn, reconsidered, and re-issued in a fundamentally different form,” the letter states.
Many critiques have taken issue with its detailed description of how a CMMC Third-Party Assessment Organization (C3PAO) should prepare for an assessment and negotiate with the company seeking its services.
“When the CAP is revised, it should be more compact, expressed more simply and clearly, and it should avoid prescription of micro steps that the C3PAOs do not need,” the Coalition for Government Procurement wrote in its letter.
Another criticism is that the CAP doesn’t match up with how the Defense Department is already conducting a limited number of contractor cyber assessments through its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Travis said the purpose of the CAP is to lay out a consistent process for third-party assessments, which requires a “sequential flow” to the document. But he said he recognized the need to find a “good balance” in the amount of detail it provides.
“We’ll certainly look to see if the current draft CAP can be pared down and make it more efficient,” Travis said. “The DIBCAC has been involved in helping us with the CAP. It’s our document but we certainly appeal to some of their expertise and so we’ll continue to look to see where there’s not matching, work to match it more.”
A key question for the CMMC process is how a contractor’s use of cloud and managed IT services will be considered as part of an assessment. DoD officials have said they want to offer some level of reciprocity for other compliance regimes, like the Federal Risk and Authorization Management Program (FedRAMP), but the department has offered little in the way of details or guidance.
The draft CAP includes language about how C3PAOs should evaluate these services, for instance, “ascertaining and determining if the External Cloud Service Provider meets the security requirements ‘equivalent’ to the FedRAMP Moderate baseline.”
But the Coalition for Government Procurement pushed back on that direction.
“The CAP should not impose upon C3PAOs responsibilities they are not equipped to perform, for example, determination of whether the body of evidence from a third party cloud provider is or is not FedRAMP equivalent,” the group’s letter states.
Travis says the draft CAP was not intended to cause high blood pressure for cloud and managed service providers. He said the AB took language from what DoD has already published, but added that broader policy questions about cloud and managed services will have to be answered by the department.
“We certainly are not a policy making body when it comes to FedRAMP equivalency requirements for cloud provider inheritance,” he said. “We’re going to be referencing what the department is promulgating in terms of those policies.”
CMMC rulemaking enters ‘new phase’
The back-and-forth over the CAP comes as voluntary assessments have kicked off under a “joint surveillance program,” while DoD is making some initial headway on CMMC rulemaking.
Travis said the first joint surveillance voluntary assessment started last Monday, with another one kicking off earlier this week. The program allows companies to voluntarily gain an assessment of their cybersecurity compliance from a joint team of Defense Department assessors and a CMMC Third-Party Assessment Organization hired by the company seeking certification.
Companies won’t receive a CMMC certification until the Pentagon completes a formal rulemaking process to implement the program. But companies that earn a “high” assessment under the voluntary program will automatically receive a CMMC Level Two certification once the program is instituted, according to Travis.
“Very much excited about joint surveillance assessments beginning and when we get to the point where those lessons learned about what the DIBCAC is seeing, C3PAOs are seeing, we’ll certainly use this forum or others to share lessons learned on how that’s going,” Travis said.
Meanwhile, “the pens are down” on the initial writing of the CMMC rule, he said. The DoD team writing the draft rule has completed its initial work, and a draft is now circulating within the Pentagon, according to Travis.
“I know that once the drafting is finished, we enter what is now called the deliberative process or the deliberative phase,” Travis said. “So frankly, I don’t think we’re going to be hearing much from the department in the weeks and months to come on anything that’s in the rule . . . But I do think that we’ve entered a new phase of rule making.”