While it could be months or even years before the Cybersecurity Maturity Model Certification is a requirement in defense contracts, Pentagon officials are considering financial rewards and other incentives to get contractors to improve their network defenses before CMMC 2.0 becomes reality.
The Defense Department announced major changes to the CMMC policy earlier this month, effectively removing the requirement for the majority of contractors to get a certification as a condition of an award. Instead, companies that handle less sensitive contract information will only need to submit an annual self-attestation that they’re following network security practices.
The Pentagon says the changes will reduce costs and complexity for thousands of small and medium-sized contractors.
DoD is also making changes to the CMMC standards and collapsing the model into three levels, down from the previous five. DoD will also allow companies in some cases to defer some requirements for up to 180 days after contract award.
The Pentagon will embark on a rulemaking process for the CMMC 2.0 model, which officials said could take anywhere between nine and 24 months.
But in the interim, DoD will still consider ways to incentivize contractors to improve their network security practices, according to Stacy Bostjanick, director of CMMC policy within the office of the under secretary of acquisition and sustainment.
“Some of the things that we’re looking at is the potential of if a company can demonstrate that their networks are secure, then they could possibly garner a higher profit margin,” she said during the Coalition for Government Procurement’s fall training conference last week.
“Another area that we’re looking at is increasing the use of evaluation criteria for contracts where it doesn’t necessarily have to be a CMMC certification, but we will assess people’s network security as part of a source selection evaluation,” she continued. “So it would still be a factor in garnering award prior to CMMC becoming effective through rulemaking.”
The CMMC Accreditation Body has already certified several CMMC Third Party Assessment Organizations (C3PAOs) to officially audit the network security practices of defense contractors, and Bostjanick said DoD would accept the assessments those C3PAOs perform as part of the incentive effort.
“They [the C3PAOs] actually have companies that have been signing up to get assessed,” she said. “If those companies go forward and get their CMMC assessment performed and garner their certificate, then we are looking for ways to incentivize companies to continue to do that. And the two things that we have on the table right now is increased profit and source selection evaluation criteria that takes into consideration the status of someone’s network in that source selection.”
The CMMC program was originally conceived to improve the network security practices of the defense industrial base, which officials say is still being targeted by adversarial nations to steal intellectual property and know-how about sensitive military technologies.
“I think it only makes sense for a company’s security, for national security, to defend ourselves against our adversaries that are taking our information and robbing us blind on a regular basis,” Bostjanick said. “We’re fighting a cyber war right now, and we’ve got to start protecting ourselves so we can win that war.”
While CMMC still hasn’t come to fruition, CMMC Director Buddy Dees pointed out that defense contracts have carried a cybersecurity clause (DFARS 252.204-7012) since 2016. The clause requires contractors to implement the 110 security requirements in the National Institute of Standards and Technology’s Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
But DoD rarely checked whether contractors were actually following those requirements.
“If you have those clauses and provisions in your contract, you’re still supposed to be implementing the 110 requirements out of NIST [800-]171,” Dees said. “So sitting back and waiting doesn’t really make sense, and now, where the government’s going with CMMC 2.0 Level 2, it’s going to map directly to those 110. You might as well get ahead and start working toward closing those down so that when we do go effective, you’re not behind the power curve.”