The Defense Department recently issued proposed rules for its Cybersecurity Maturity Model Certification Program (CMMC). That means a rule of one kind or another is inevitable. For some insight on what it will mean for contractors, the Federal Drive with Tom Temin spoke with attorney Townsend Bourne, a partner at Sheppard Mullin.
Interview Transcript:
Townsend Bourne: I think that’s right. We’re hearing that commentary from a lot of companies. So the proposed rule we got at the end of December aligns with what DoD had been telling us to expect for a while with CMMC 2.0, which is their second iteration of the program. It will require DoD contractors and subcontractors that handle sensitive information for DoD to implement some pretty rigorous security controls. So depending on the type of information and the types of contracts those companies want to be involved with, the level of compliance and intensity associated with implementing those controls can be pretty time-consuming and costly.
Tom Temin: And it will therefore fall disproportionately, it sounds like, on small business. But then again, they might have different requirements than the large primes.
Townsend Bourne: That’s been a concern. That’s certainly been raised throughout the CMMC process, whether small businesses are going to be disproportionately harmed by the rules, and how they might be able to leverage existing models and service providers to help shoulder some of the cost. The proposed rule is pretty clear that there’s not going to be a waiver or an exception based on a business’s status as a small business. Those businesses that hold this type of sensitive information are still going to be expected to have the security controls in place. But there have been some solutions proposed where small businesses might be able to use a cloud service provider or other external provider to be able to leverage some security controls from an outside third party to help reduce the burden a bit.
Tom Temin: And so then, getting to what the rules say will be required, what can companies do to get there? It sounds like it’s both a technology and a compliance exercise.
Townsend Bourne: It is. If you’re like the majority of companies that are going to be impacted by this rule and you hold controlled unclassified information for the Department of Defense, your company will be expected to implement 110 security controls, which are set forth in a publication that is issued by the National Institute of Standards and Technology. Those 110 controls have a lot of technical aspects. So how do you implement access controls on your information systems? What type of security policies do you have in place? How do you limit external connections to your systems? But there is also a compliance element, which involves making sure that your policies are current and updated, making sure you have annual training for employees and people with security responsibilities, as well as making sure you have documentation so that when your company is assessed against those controls, you have support to demonstrate that you’re meeting each of the controls.
Tom Temin: All of the moving parts, the requirements, the third-party assessors and so forth, that’s all still remaining in CMMC. So it remains a pretty complicated apparatus, it sounds like.
Townsend Bourne: I think that’s right. With CMMC 2.0, DoD did remove the requirement for a third-party assessment at level one, which is the lowest level under the CMMC program. So for level one, companies will be able to perform an annual self-assessment rather than bringing in a certified third-party assessor. But yes, for the most part, contractors at level two and then level three will have to have an outside third-party assessment and potentially an assessment by DoD itself.
Tom Temin: Yeah, lots of people traipsing in and dirtying the rugs. We’re speaking with attorney Townsend Bourne. She’s a partner at Sheppard Mullin. And short of saying, well, let’s skip it, what can people comment on that might actually change the shape of what they come out with?
Townsend Bourne: It’s a good question. Personally, I don’t know that we’re going to see significant changes from the proposed rule that came out at the end of December in the way the final rule is drafted, most importantly because DoD has been working on this program for so long, and I think they’re at the point where they think it’s pretty close to final. I think some of the areas for comment that we’ve been working with clients on, and with some other groups on, kind of center around assessment and affirmation requirements. So a big piece of the CMMC 2.0 program is that contractors at every level will have to have an annual affirmation that a senior official from their company provides, saying that they’re compliant and they’re going to maintain compliance with CMMC. So I think specifics around how that affirmation is going to work, who has to provide the affirmation, and even whether the affirmation is necessary, for example, at level one. Those are some of the main areas for comment that we’ve been discussing, particularly because, as you and I’m sure most of your listeners know, any time you have to provide a certification or affirmation to the federal government, you’re potentially opening yourself up to False Claims Act risk and liability if there’s anything that’s not current, accurate and complete about that certification. So that’s a big piece of this program as well.
Tom Temin: Right. It’s almost to the point now, when you look at all of the other areas of regulation and contractor compliance, you really can’t swing a dead cat without running into something that could get you afoul of the False Claims Act these days.
Townsend Bourne: I think that’s right. And particularly with DOJ’s announcement a couple of years ago that it was going to focus on contractor cyber fraud through its Civil Cyber-Fraud Initiative, this is an area of great focus both for DOJ and the federal government, and for contractors who want to make sure that they’re staying on the right side of that line.
Tom Temin: And I guess if they ask you to report the carbon footprint of your third-party assessor in doing your CMMC, we’d have a perfect confluence of all the possible regulations, maybe.
Townsend Bourne: That’s right. Yeah. We’re seeing a lot more emphasis on certifications and representations in a lot of these new supply chain and cybersecurity rules.
Tom Temin: And what are the regulatory technicalities here? When this rule comes into effect, then they would have to modify the defense [Federal Acquisition Regulation (FAR)], the [Defense Federal Acquisition Regulation Supplement (DFARS)]. Would that mean the FAR itself also has to be changed?
Townsend Bourne: So this will end up being an update to the DFARS. It gets a little complicated and lawyerly, but I’ll go there for a minute. There are two separate rulemakings going on that are related to CMMC. The proposed rule we got at the end of December is under title 32 of the Code of Federal Regulations, which is the part of that code that dictates DoD policy. There’s another rulemaking that will update title 48 of the Code of Federal Regulations, which will also update the DFARS. So we’ll see a final rule that updates both title 32 and title 48. The title 48 rulemaking and final rule is really what triggers the CMMC program for contractors, because that will be an update to the DFARS.
Tom Temin: And so then, when CISA, the Cybersecurity and Infrastructure Security Agency, and the General Services Administration get together under [Office of Management and Budget (OMB)] and say, we want this for the civilian side, they will have a pre-baked cake to simply take out of the oven and put on the FAR side.
Townsend Bourne: That’s definitely possible. There is an open FAR case right now that is supposed to implement the federal government’s CUI policy across civilian agencies. It’s been sitting as an open FAR case since 2017, so we haven’t seen much movement on it for a long time. But I think you’re right. With implementation of CMMC, we might start to see more movement on the FAR side of this, although it remains to be seen whether the FAR Council will implement the same type of assessment and affirmation requirements that we’re going to see in the DFARS.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.