More eyes than normal are on the Defense Department for the next year.
It’s not just the usual set of contractors, overseers on Capitol Hill, auditors, and nation-state friends and foes. Now there’s a whole community watching how DoD implements the new Cybersecurity Maturity Model Certification (CMMC).
Along with the government contractors impacted by the new requirements, civilian agencies and allies like Canada, Sweden, Italy, the United Kingdom and others are paying close attention to how the Pentagon begins to fix supply chain and other cybersecurity challenges through this new initiative.
“They are all watching to see if we fall on our face or not. If we roll this out and make it work, they have indicated they will adopt CMMC as well,” said Stacy Bostjanick, the director of the CMMC policy office in the Under Secretary of Defense for Acquisition and Sustainment, at the recent AFCEA NOVA Intelligence Community IT day in Herndon, Virginia.
After her speech, Bostjanick said she was hesitant to offer more details about which civilian agencies might be interested. But it’s clear there are several that are watching, including the Department of Homeland Security and the Federal Acquisition Security Council.
DoD, which finalized the CMMC requirements in late January, also is turning its CMMC glare back on the community.
First, Bostjanick said there are rising concerns about companies falsely claiming they can get other vendors certified under CMMC.
She said if you do a Google search, there are plenty of examples of these fake offers.
“If anyone tells you they can get you certified, they are lying. The test isn’t done yet,” Bostjanick said. “We are pressed right now and we have a small team working to get this done so there isn’t a lot of time to stop and go after the fake companies. The accreditation body is getting ready to take that on more than we are. We are aware of it and want to make sure companies know not to go to someone who is engaging in false advertising.”
She said the accreditation body, which is independent of DoD, is considering sending “cease and desist” letters to any company saying they can get another vendor certified under CMMC.
“The training and examination requirements are not in place yet. A company can evaluate another company against the model, but you are taking a risk because you can’t pay them to get you certified,” she said. “We have conflict of interest rules that say you can’t assess someone you’ve counseled.”
Bostjanick said the first set of third-party assessment organizations likely will be available no sooner than late summer.
DoD plans to finalize the CMMC training and assessment guides in March.
Bostjanick said those documents will tell vendors what it takes to be certified at levels 1, 2 and 3.
“These guides are where people can find answers and what artifacts are needed. It is where all the answers to all your questions will be if you go through the assessment guide,” she said. “It’s not our intent to fool anyone.”
Then sometime between April and June, she said, the accreditation body will develop the training classes for third-party assessors. Finally, in the June or July timeframe, the first set of vendors can begin going through the assessment process in preparation for the first 15 procurements to call out CMMC requirements.
“The accreditation body is working with us to develop training material to accredit third-party assessors. There will be a marketplace for them as they go through the two-week course and test for level 3 accreditor certifications,” Bostjanick said. “We also will have Defense Acquisition University training where we will be working with program managers and contracting officers so they understand what the different CMMC levels are and give them a layman’s guide to controlled unclassified information so program managers can figure out how to disaggregate the data and flow down the CMMC requirements.”
She said DoD realizes there are steps it can take to lessen the burden on vendors.
For example, DoD plans to do a cross-walk between CMMC requirements and those under the cloud security program known as the Federal Risk and Authorization Management Program (FedRAMP).
“If you are FedRAMP compliant, you will get credit for what you’ve done under FedRAMP compliance as it aligns to CMMC,” she said. “Another thing we will do with the accreditation body is make sure we have a reciprocity policy. We’ve been talking to the guys over at Energy because they have their Cybersecurity Capability Maturity Model compliance, because eventually phase 2 will roll out and we will be talking about systems. And then, when you talk to the security guys, they are talking about a security ratings score. What they are thinking about is setting up a process similar to CMMC where they would come out to your facility to check your policies and procedures with regard to insider threat and facility security. They would assess you a score based on your policies and procedures.”
DoD expects CMMC to take five years to fully roll out, and not really get going until 2021. The Pentagon estimates that third-party assessors will certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023.
DoD also is trying to reduce the time of the regulatory process because it has to publish a final Defense Federal Acquisition Regulation Supplement (DFARS) notice for CMMC.
Bostjanick said DoD is working with the Office of Management and Budget’s Office of Information and Regulatory Affairs to get the DFARS rule through the process faster than normal. She said she hoped to have the clause out this fall.
With so much still to do to get CMMC ready by the fall, DoD may want to consider pushing back the initial implementation of the standard and finding a short-term way to secure the supply chain from cyber attack and protect important information.