It’s a significant week for the Defense Department’s Cybersecurity Maturity Model Certification program: New rules that serve as a precursor to the full CMMC implementation took effect on Tuesday, and an announcement of the first 15 contracts that will serve as “pathfinders” for the new model is imminent.
That initial set of procurements would represent the first real-world use of CMMC, the program the department has been building for the past year-and-a-half to shore up the cybersecurity of its industrial base. So far, DoD acquisition officials have only applied the model to contracts in non-punitive tabletop exercises, and without publicly identifying the contracts involved.
The department expects to name the first 15 pathfinders within “the next few days,” Katie Arrington, the chief information security officer in DoD’s acquisition and sustainment office, told an industry conference. The announcement has been highly anticipated as the defense industry waits to see how many vendors could be impacted by the initial pathfinder process.
Meanwhile, earlier this week, two precursors to the full CMMC rollout took effect — part of a sweeping rule change DoD promulgated in September to implement the program. Going forward, almost all vendors bidding on new contracts will have to log into a web portal and attest to which specific security controls in NIST Special Publication 800-171 they’re currently complying with.
“You need to log in and do a representation of your company’s capability of implementing 800-171,” she said during AFCEA’s TechNet Cyber conference. “You’ll need a system security plan, and you’ll need to use the methodology that’s on the website to rate yourself between zero and 110. We just need you to store that there so that we can trust but verify that you actually are doing some, if not all of the 110 controls.”
The “verify” part of the new rule also kicked in this week. Once vendors have scored themselves via that new web portal, called the Supplier Performance Risk System (SPRS), DoD will eventually insist on conducting on-site audits to make sure those self-reported scores are accurate — at least in the cases of vendors who have claimed a medium or high score.
“The Defense Contract Management Agency has been doing those audits, which we refer to as DIBCAC assessments, for about two years now,” Arrington said. “What will happen is they will take your assessment that you have given yourself and logged in SPRS, and they’ll actually come to your site and they’ll say, ‘Let’s see how we think you’re actually doing.’ If you’re doing all 110 controls, you’ll be known as a ‘DIBCAC high,’ and that will be good for three years for your company.”
Arrington said DoD considers the solicitation clauses that took effect this week to be the “crawl” and “run” phases of a “crawl, walk, run” approach.
CMMC will be fully “running” in October 2025, when the full framework will be applied to all Defense contracts. Every vendor earning a contract will need to have earned a certification from a third-party assessor, at whichever of the five CMMC levels contracting officials deem appropriate for the work involved.
“These three clauses are a big deal, and they’re changing the game,” she said. “No longer is the government doing just trust, we’re actually going to verify. And security is now an allowable cost. So if your company is having to get their certification, there’s a cost associated with that and we are saying the Department of Defense is willing to pay for it. And this is beyond DoD. If you read the National Cyber Solarium report, it clearly states that the whole of the U.S. — commercial and government — should have a national cyber certification program and that it should be built on the DoD CMMC effort. This is a big change, but think about it — what in your life in the past nine months hasn’t had cyber in it?”
There will be plenty to learn from the initial 15 pathfinder contracts, and DoD and its contractors will likely need every moment of the five years the department has built into the schedule before full implementation of CMMC.
On the government side, there are still plenty of questions about how to make CMMC work, said JenniLynn Bushby, an analyst in the office of the risk management executive at the Defense Information Systems Agency.
“The biggest change is when I write a contract, I’m going to be required to determine the CMMC levels of the tasks that are in that contract. And some of the discussion we’ve been having as a team internal to DISA, is whether there is a way to standardize how we assign CMMC levels to contracts,” she said. “We see value in that, and so we’ve been looking at developing a sort of CMMC scoring rubric. The intent behind that is just to help assist the program managers across our agency with how we determine appropriate CMMC levels for their requirements. All of that is in its very early stages – we’re definitely in a learning mode.”
Among the other questions DISA is still wrestling with is whether to make CMMC certification a gate that bars vendors from even bidding on new contracts, or to only require certifications by the time the contract is awarded.
“In my job, we spend weeks, months, sometimes years working on a contract depending on its size, and depending on how complicated it is. And what if we go through source selection and the vendor that’s selected didn’t get their audit results back in time, or there’s a waiting list to get an audit, or their audit is delayed, or they achieve a lower certification level than expected? If we didn’t make that a pre-qualification to bid, it kind of puts the government at risk schedule wise,” she said. “It’s also going to add another layer of detail in our requirements definition phase. So I think DISA and other agencies within DoD are going to have to keep that in mind as they decide when they need to start their acquisition process.”
Christopher Newborn, a professor of information technology at the Defense Acquisition University, said those types of thorny questions are exactly why DoD organizations need to be thinking about how they’re going to implement CMMC right now, as do acquisition training institutions like his.
“[You need to ask] what is going to be your strategy at the command level, and then disseminate that to answer questions like whether you’re going to take a look at existing contracts, or whether you’re going to do something a little bit riskier and take a look at new contracts,” he said. “It takes planning and it takes collaboration, it will take time. It is so key to really take a look at the crawl, walk and run methodology. And at DAU, we have to come up with a training mechanism to allow that critical thinking.”