The Pentagon’s internal cybersecurity auditors are already giving companies credit for using services provided under the Federal Risk and Authorization Management Program, but the Defense Department still needs to iron out similar reciprocity details with the Cyber Accreditation Body.
Deputy DoD Chief Information Officer for Cybersecurity David McKeown says the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is recognizing when contractors use services that hold a FedRAMP authorization to manage and protect sensitive data.
DoD officials have long said they intend to offer some level of reciprocity between the Cybersecurity Maturity Model Certification and other cyber certifications, but the details on how such a program would work in practice have been scant.
“I’m a fan of reciprocity, and I don’t want to do re-work when we’re looking at exactly the same controls,” McKeown said during a June 24 webinar hosted by Preveil. “When the DIBCAC goes out, if one of the vendors shows that they’re utilizing FedRAMP-certified services, it’s very easy to run a check there and give credit for those controls which are being satisfied by that offering.”
But McKeown says DoD officials still need to discuss reciprocity with the Cyber Accreditation Body, which authorizes and accredits CMMC Third-Party Assessment Organizations (C3PAOs).
“Right now, with the CMMC AB, I don’t know if we’ve broached this particular topic,” he said. “We certainly have with the DIBCAC, and we’re giving them credit. But we probably need to have that conversation with the AB as well, just to make sure that they know that we do endorse reciprocity.”
Furthermore, the Pentagon has not fully considered whether companies can receive credit for meeting other cybersecurity standards, such as those maintained by the International Organization for Standardization (ISO).
“We’d have to probably do some more work in order to look at ISO and any other standards out there, but certainly those mappings exist, and I think we could easily do that,” McKeown said.
The discussion on reciprocity comes as the Pentagon plans to submit a formal rule implementing the revamped CMMC requirements to the White House Office of Management and Budget by mid-August. At the same time, DoD is kicking off a CMMC early adopter program to encourage companies to get an assessment before the requirements are finalized.
Pentagon officials hope OMB will approve an interim rule by March 2023, kicking off a 60-day public comment period. DoD would then be able to start requiring CMMC in contracts by May 2023.
Streamlining requirements between CMMC and programs like FedRAMP would likely ease the burden on contractors and help address a potential shortage of C3PAOs. As McKeown alluded to, the two sets of requirements overlap substantially: CMMC Level 2 adopts the 110 security requirements of NIST SP 800-171, which were derived from the NIST SP 800-53 moderate baseline against which FedRAMP Moderate authorizations are assessed. FedRAMP likewise relies on Third-Party Assessment Organizations (3PAOs) to evaluate the security of cloud services and products.
The Pentagon’s CMMC team is putting together a specific plan to streamline requirements for managed service providers, according to Stacy Bostjanick, chief of implementation and policy in McKeown’s office. MSPs are third-party companies that remotely manage a customer’s IT systems.
“There’s an approach that we’re going to put forth to see if we get agreement on it, which would be a hybrid between FedRAMP and CMMC,” Bostjanick said. “And it will clearly outline what the requirements are that each partner in the agreement would have to meet.”
She specifically highlighted the need to provide documentation using FedRAMP's Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) templates. Those documents lay out the split of security responsibilities between a cloud service provider and its customers, identifying for each control whether the provider, the customer, or both are responsible for implementing and maintaining it. For a contractor, the controls marked as customer responsibility are the ones it must still implement and evidence itself; credit for the provider's portion does not cover them.
“Those are very important,” Bostjanick said. “Companies that have struggled with it so far have had a difficulty getting those documents completed. And that’s what needs to be done.”
Ultimately, DoD wants to make it easier for companies to understand how they can use different IT services to meet the CMMC requirements, according to McKeown.
“Beyond reciprocity, we’re also hoping that we will be able to perform some sort of FedRAMP-like assessment of a managed service or cloud service that meets many or even all of the 110 controls and be able to put those on a consumable product list that companies can just go to and know that if they consume that, they’re going to get full credit for having satisfied CMMC,” he said.