Industry experts continue to raise serious concerns about the way forward for the Defense Department’s cybersecurity maturity model certification (CMMC) program.
A technology industry representative told reporters yesterday that the interim rule DoD published in September didn’t offer enough clarity about the certification process, the costs to become certified and whether there will be reciprocity with other cyber standards. Comments on the interim rule are due Nov. 30 and so far more than two dozen people or organizations have submitted analysis.
The representative said industry is raising these concerns now because DoD, with the release of the interim rule, is moving with some urgency to roll the program out, despite repeated attempts by industry and others to flag these problems.
“The interim rule in September addresses some of these concerns and adds additional information around the requirements around National Institute of Standards and Technology Special Publication 800-171, but it doesn’t really address all of them,” said the technology industry representative during the conference call. The representative requested anonymity in order to talk candidly about the CMMC program without hurting their relationship with DoD.
Another industry official, who didn’t participate in the conference call, said CMMC has been unnecessarily hard.
“It’s going to be so big and so important to companies and the DoD, but there are a lot of things still up in the air yet — DoD is sort of charging ahead,” the official said. “CMMC will hit companies when it hits them, and if they are not ready, they may lose the opportunity to bid. So a lot of big vendors are getting ready for this, figuring out how it will flow down to the subcontractor levels.”
Three big sticking points
The technology industry representative said three of the biggest remaining sticking points are reciprocity, how CMMC will deal with commercial off-the-shelf products, and the timeline for CMMC to fully take effect.
The rule states that CMMC will not duplicate or overlap with any other rules. The representative said they interpret that as reciprocity language.
“It’s still ambiguous how CMMC will apply to DoD’s security requirements guide (SRG), to the Federal Risk and Authorization Management Program (FedRAMP) and to existing audits like those from the Defense Contract Management Agency,” the official said. “All of those have major implications for companies and everyone is trying to do business with DoD. But it leaves a lot of uncertainty about what companies have to do to comply.”
The representative said DoD intends to reach reciprocity with other standards, possibly including FedRAMP, but details remain sparse.
The second industry source said it’s unclear why DoD didn’t follow the FedRAMP model from the beginning.
“Setting up a new body to do approvals wasn’t necessary and is causing a lot of these delays,” the official said. “They didn’t necessarily have to use the A2LA as the approval body like FedRAMP does for third-party assessment organizations, but starting a new approval body isn’t easy.”
The industry expert added that once CMMC gets going, it will be a much bigger and more complicated effort than FedRAMP, which is part of the ongoing challenge DoD and industry face.
What about COTS?
The technology industry representative said the second issue is how the exemption for commercial off-the-shelf (COTS) products applies under CMMC.
The official said there are several questions DoD still needs to answer, including what exactly the exemption means, what happens if DoD customizes a COTS product or uses a commercial product in a customized solution, and, if all COTS providers must be certified at Level 1, whether the Pentagon would consider making that a self-certification.
“It’s going to be hard to get enough assessors, given the number of primes who they will select in this first phase. It could be hundreds or thousands that need to be assessed,” the technology official said. “No way there is enough time to get those done in timely fashion.”
The third sticking point is the timeline for CMMC to take effect. DoD plans to issue about 15 requests for information that include CMMC this fall and a similar number of requests for proposals in 2021 that will require CMMC certification at time of award.
The technology representative said despite DoD’s announced timeline, it’s unclear when third-party assessors will be ready to begin examining companies.
“We don’t know how industry will manage the expected backlog with companies seeking to get certified,” the official said. “It’s also unclear which RFIs and RFPs DoD will focus on first, and how subcontractors will be impacted. I would encourage DoD to do a better job clarifying their plans and the timeline.”
The representative also said the Pentagon needs to establish formal communication channels to stop the confusion created by its current use of informal ones such as LinkedIn.
“DoD needs to have a clear, more formal communication strategy. There is far too much going on through chat sessions, LinkedIn posts and webinars and not enough officially communicated as formal policy,” the official said. “This is a source of challenges for many because too much of that happening through informal channels causes confusion.”
The official added that industry also has “legitimate concerns” about how the CMMC Accreditation Body (AB) is set up and how it has conducted itself over the last few months.
Several original AB members, including the chairman, Ty Schieber, and Mark Berman, the AB’s communications committee chairman, left unexpectedly in September, and other members had decided to exit in August.
Additionally, lawmakers have included nine provisions in the fiscal 2021 National Defense Authorization Act asking for more details and insights into how DoD will roll out CMMC.
“There are legitimate concerns about whether the AB is truly representative of industry, and whether there were potential conflicts of interest,” the technology representative said. “There were a number of issues there earlier this year and some still exist, as well as some former board members still actively involved in the CMMC ecosystem and branding themselves that way. That is a concern. There has been unnecessary drama over a lot of this. Some of that is on DoD, as they have not done a great job communicating about how AB members were selected and did not publish the memorandum of understanding with the AB. We know they are negotiating a new zero-cost contract and statement of work. That is not done yet. I think DoD and the AB have not been as transparent as people would’ve liked.”