The Defense Department on Friday published a set of sweeping cybersecurity standards that will begin to be incorporated into Defense contracts later this year, marking a major milestone in an overhaul of its procedures for enforcing IT security in its industrial base.
The 1.0 version of the Cybersecurity Maturity Model Certification framework comes after the department spent several months circulating draft versions and getting comments from the vendors who will eventually have to live by it. It specifies five different levels of cybersecurity rigor, ranging from basic hygiene requirements for vendors who don’t deal with sensitive data, to detailed lists of security controls for those companies that could put the department in serious jeopardy if their systems were penetrated.
Insight by Zoom: Experts from NASA and the Pacific Northwest National Lab will explore how the culture change brought on by the pandemic will continue in the hybrid workforce in this free webinar.
Although CMMC will be incorporated into some contracts this year, it will take until 2026 before it makes its way into all new DoD procurements. Pentagon officials say they’re taking a slow, deliberate approach, because fully implementing CMMC will be a major challenge: every company that does business with the Pentagon will have to get some level of certification from a third-party assessor, and the entire Defense acquisition workforce will need to be trained on how to apply the model to their contracts.
That training will begin to appear on the Defense Acquisition University’s website this summer, at about the same time DoD picks the first ten contracts that will be subject to CMMC. The requirements will first appear in requests for information in June, and then in formal requests for proposals this fall.
“Obviously this is a complicated rollout for industry, and we’re being realistic in terms of making sure we have pathfinder projects that we’ll implement, and then learn, get the feedback and go on,” Ellen Lord, the undersecretary of Defense for acquisition and sustainment said at a Friday press briefing. “This is a critical cornerstone of the department’s overall cybersecurity effort, and we believe we are doing this with what I would call irreversible momentum. We want to make sure that this works and that it is sustained.”
The CMMC effort crossed another major milestone in January by standing up an accreditation body that the department says will operate independently from the Pentagon. Via a memorandum of understanding the department is now drafting, the 13-member board will decide which cyber third-party assessors (C3PAOs) are allowed to certify contractors’ systems under CMMC.
“The department has delivered the CMMC model 1.0 to the accreditation board. The accreditation board will then use the model and the associated assessment guides to mature training for candidates C3PAOs,” said Katie Arrington, DoD’s chief information security officer for acquisition. “In parallel, the board will establish requirements for candidate C3PAOs and individual assessors. We’ve had numerous companies ask, how do I become a CMMC assessor? The board will provide updates on training classes, which are planned to start in early spring 2020, and the accreditation board and the CMMC website will be the best places companies to get the information.”
Defense acquisition officials emphasized that they’re doing everything they can to ensure they’re not taking a one-size-fits all approach to CMMC, and that they see it as critical that the process not drive small and non-traditional businesses away from Defense work.
The department has spent the better part of the last year conducting a series of “listening sessions” with vendors in an effort to make sure the industry understands the program’s goals, and to attempt to craft a program that improves their cybersecurity without imposing undue burdens.
Initial reactions from industry groups on Friday seemed to suggest the vendor base has seen that effort as largely successful.
“The government and the contractor community must keep working together to address real and growing cybersecurity threats, and we need a robust response to protect our infrastructure, information and supply chains,” David Berteau, the president and CEO of the Professional Services Council said in a statement. “With today’s announcement, DoD has achieved a significant milestone. PSC remains committed to the important next step of implementing the model and achieving the protections necessary.”
Gordon Bitko, a former FBI chief information officer who is now the public sector vice president at the Information Technology Industry Council, said the success of the project would depend on continued cooperation with industry.
“We strongly support efforts to increase industrial base cyber security and the federal government’s efforts to improve data protection. Given the evolving nature of these threats, it’s essential that the federal government has the tools it needs to properly protect sensitive information and systems,” he said. “Our industry understands this is a complex and ever-changing task. To that end, we look forward to reviewing this latest iteration of CMMC, and to working with DoD to incorporate information technology industry input and implement a structurally sound and holistic approach to improving U.S. industrial base cyber and supply chain security.”
Arrington said half of the new accreditation body is made up of members with a small business background, and small business owners have been part of the weekly working groups DoD has been using in its development process for CMMC since last April. In addition, the department offered cybersecurity training to 5,200 small businesses last year in preparation for the CMMC rollout.
She argued the new model will create a more level playing field than DoD’s current cybersecurity regime for industry, which requires all vendors who handle Defense data to self-attest that they meet 110 specific security controls laid out in the National Institute of Standards and Technology’s Special Publication 800-171.
“Today, if you have two small businesses bidding on work and they’re self-attesting, Company A may only really be doing 80 of those, with a plan of action to do the other 30. Meanwhile, Company B is actually doing all 110 controls. Company A’s rates are generally going to be lower, because they’re not doing those additional 30 controls, but oddly they’re both ‘technically acceptable.’ The CMMC is going to change that,” she said. “We need to make sure that our industry partners are prepared to take on the work and the third party auditors will ensure that they are implementing the practices that we need in place to secure the national defense and our industrial base.”
The new certification process will only apply to new contracts, but there will be no exceptions. That means even work the DoD solicits in non-traditional ways, such as through other transaction agreements, will still have to comply with the process.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
As another way to make sure CMMC doesn’t get in the way of the department’s simultaneous efforts to involve non-traditional vendors, DoD will offer help to anyone who needs it through its Procurement Technical Assistance Centers.
“One of my biggest concerns is implementing CMMC for small and medium businesses, because that’s where a large part of innovation comes from,” Lord said. “We need small and medium businesses in our Defense industrial base, and we need to retain them. We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain.”
Defense officials said they are also working with large prime vendors — whose cybersecurity defenses tend to be much more advanced — on ways they help secure smaller subcontractors so that they can pass CMMC’s requirements.
They declined to detail those specific efforts, but Kevin Fahey, the assistant secretary of Defense for acquisition, said they could, for example, extend some of their own security protections around lower-tier vendors.
“There are certain instances where they have a critical subcontractor, and what they do is that subcontractor works within their infrastructure,” Fahey said. “That’s something they do today, and something they would definitely carry on in the future.”