Industry’s take on the latest CMMC rules

After a long wait, the FAR Council has brought forth a proposed rule that will place requirements from the Defense Department’s Cybersecurity Maturity Model Certification program into the contracting process. As you can imagine, the folks that are going to have to abide by those rules have some thoughts on what they would mean going forward. To find out what those are, the Federal Drive with Tom Temin welcomes Stephanie Kostro, Executive Vice President for Policy with the Professional Services Council.

Interview transcript:

Eric White  After a long wait, the FAR Council has brought forth a proposed rule that will place requirements from the Defense Department’s Cybersecurity Maturity Model certification program into the contracting process. As you can imagine, the folks that are going to have to abide by those rules will have some thoughts on what they mean going forward. To find out what those are, wee welcome StephanieStephanie Kostro, executive vice president for policy with the Professional Services Council. Miss Kostro, always a pleasure.

Stephanie Kostro  Thanks so much for having me.

Eric White  So why don’t we just start out, just for very top level and just for those who may not be avid followers of Federal News Network, because this is something we’ve covered extensively, the Cybersecurity Maturity Model certification program. What does it do and what is its purpose?

Stephanie Kostro  Thanks for asking, Eric, and it’s always great to level set to make sure that everyone knows what we’re talking about. This most recent proposed rule is something we’ve been waiting for for several years now. We’ll call it the CMMC program. So I don’t have to say the mouthful of what you just went through, but the proposed rule that came out last week contains proposed revisions to the DFARS with actual clauses, with actual requirements for cybersecurity. This will affect tens of thousands of government contractors who do work in the in the defense space. And let me just unpack, because you mentioned there are a couple of rules. There was a proposed rule that came out late last year, in December of 2023. That one was impacting the code of federal group, federal regulations title 32 as an overview of what CMMC is. This most recent proposed rule is where the rubber meets the road. It actually outlines the clauses that contain the requirements. And so this is something that we’ve been eagerly anticipating, as I said, for years.

Eric White  It’s taken a long time. So there were, a feel as if DoD knew what the stakes were here before setting these new parameters. If you can give us just as good as a summary of the actual CMMC program itself, can you give us a brief overview of what these two new rules are and what specifically they mandate for contractors looking to do business with the Pentagon?

Stephanie Kostro  The earlier proposed rule that came out in December 2023 is an overview of the CMMC program, and sort of what it does, what it doesn’t do. This most recent proposed rule, and I should hasten to add, that initial proposed rule that came out months ago, that is now in final rule making, reportedly at the Office of Management and Budget. We are looking forward to seeing what that final rule says. But this second rule that came out last week, that is focused on CFR, it’s title 48 with the rules. They talk about how contractors have to assess their cybersecurity measures. This proposal requires contracts to maintain a third party assessment of their cyber security. What we are seeing now is some companies can self assess. Some companies have to get this third party assessment. And there are flow down requirements throughout your supply chain to your subcontractors, and that’s going to be very, very hard to execute. So again, as I mentioned, this is where the rubber meets the road. We’ll have lots of comments about executability, how far we can flow down these requirements to subcontractors. To be honest, some of them may not even know they’re on a defense contract and that they have to do this. And so this is going to be a lengthy rollout, with hopefully a lot of opportunities for feedback from industry as we go forward.

Eric White  We’re speaking with Stephanie Kostro. She is the VP for policy with the Professional Services Council. Getting away from the specific rules themselves, as far as this implementation process and giving everybody ample time to analyze and prepare, how do you measure that, and how do you judge the job that has been done by the CMMC program to make sure that it doesn’t thrust this on to too many, as you mentioned, contractors and subcontractors who may not even know that this applies to them?

Stephanie Kostro  That is a great question, Eric. So there is a three year rollout built into this proposed rule. And if the rulemaking process is anything to go by, we have until October 15 to submit comments. Last time with the previous proposed rule, they got more than 400 comments. So they will get hundreds of comments on this one too. They’ll integrate them, hopefully well into the final rule, and we’ll see that sometime in 2025 as my guess, and then the three year countdown will start. I think what will be worth watching is, again, how seriously the government takes industry feedback, and, more broadly, stakeholder feedback. It’s not just for profit, private contractors. It’s academics and other entities that deal with the Department of Defense. What we really want to see, to be honest, is how contracting officers are going to put these requirements into solicitations, how they will require them, and then what the evaluation, award and performance pieces look like. And so the question about whether or not these requirements make companies more cyber secure, we really do have questions about. And I’ll give you an example, Eric. One is the recent hacks that we saw into political campaigns. We saw both political parties suffered some hacks recently. Would the measures that are being put into place with cmmc, would that have prevented those kinds of hacks? And I think the answer is likely no. And so as we move forward, we’re looking very practically at how contracting officers are putting these requirements into contracts, but we will also want to assess, is it making a difference, or is this really a compliance and documentation drill, which I think we all want to avoid. We want to avoid the appearance of cybersecurity without actual cybersecurity, and so that’s what we’re watching very closely. One reason why CMMC has been so difficult to implement to date is because cybersecurity requirements change frequently. You always have to stay one step ahead against potential adversaries, and that is exceedingly difficult to do. I want to make sure that CMMC and the program as it’s implemented, has that flexibility, has that agility built into it, so that we can be responsive to do what we need to do to stay cyber secure.

Eric White  Apart from trying to avoid security theater and just security for security sake, is there any support from the contracting community, just for CMMC in general, just because it will provide a little uniformity in what is needed to be in compliance with a defense contract, rather than having to piecemeal or salad bar, the different needs, the different facets?

Stephanie Kostro  I do like that phrase, salad bar. I think, yeah, it’s an interesting question, because contractors don’t typically like compliance requirements, right? I mean, it makes their lives a little bit more difficult, although they see the need for them. That said, there has been great interest in making sure that requirements are consistently applied, so that when you are compliant, you know that you’re compliant, you’re confident in that, and then you can move forward with bidding and winning and performing contracts. I would also say one area that PSC is active in, and that’s because of our more than 400 member companies, a fraction of them are defense contractors. A large portion of them are not defense contractors. They work for HHS, Homeland Security, other agencies in the federal government. This is going to be a costly endeavor to become CMMC compliant and to maintain that compliance over time. That is going to be a burden placed on defense contractors that is not necessarily placed on civilian agency contractors. And as we move forward, that level of consistency is, what is it required in order to be cyber secure? You should be able to answer that question across the government, whether you’re working for DHS or DOD or one of the intelligence agencies or Veterans Affairs. Cyber security is one of those things that is common among all of us, and so I think that is a question that we’re looking for consistency within defense contracts, but also consistency across the board.

Eric White  Well, we’ll have to see as the implementation process continues on. That’s Stephanie Kostro. She’s executive VP for policy with the Professional Services Council. Thank you so much for filling us in.

Stephanie Kostro  Thanks, Eric, take care.

Eric White  And you can find this interview to share or listen to at our website. Head to federalnewsnetwork.com/federaldrive.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.