Changes to the CMMC Advisory Board as Congress turns up scrutiny of cyber standards

Less than two months after the Cybersecurity Maturity Model Certification advisory board became official, there are already changes afoot.

Two original members of the advisory board have recently left. John Weiler, CEO of the IT Acquisition Advisory Committee (IT-AAC), and Jim Goepel, the CEO and general counsel for Fathom Cyber LLC, are no longer listed in the main board of directors section.

Goepel left for personal reasons, while Weiler decided to work with the CMMC AB in a new way.


The change comes as the Senate and House Armed Services Committee members turn up the heat on the CMMC by adding nine provisions—six from the Senate—to the fiscal 2021 Defense authorization bill.

Each chamber already passed its version of the bill and the legislation is in conference.

The one provision in both bills directs DoD to bring its own cyber hygiene up to level 3 under CMMC.

“The committee is concerned that while DoD leadership recognizes that certain cyber hygiene practices could effectively protect the department from a significant number of cybersecurity risks the department has not implemented its own cyber hygiene practices, and yet it plans to require private sector companies to implement cyber hygiene practices through the Cybersecurity Maturity Model Certification (CMMC) framework,” the House report stated. “Given the importance of implementing cyber hygiene practices that could effectively protect DOD missions, information, systems and networks, we direct the secretary of Defense to submit a report to the defense committees identifying the extent to which each of the DoD components have implemented cyber hygiene practices and levels identified in the CMMC framework.”

The Senate bill goes even further, detailing what information the committee wants from the Pentagon.

“The report shall include, for each DoD component that does not achieve at least level 3 status, a determination as to whether and details as to how: (1) The component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and (2) The component will mitigate potential risks until those practices and capabilities are implemented,” the Senate report stated. “The committee further directs the Comptroller General to review this report of the secretary of Defense and provide a briefing to the congressional defense committees no later than 180 days after its submission to the Congress.”

The report would be due by March 2021.

More reports on implementation

Both chambers also want updates on CMMC implementation next year.

The House wants the Acquisition and Sustainment Office to submit a report by Jan. 15 addressing nine topics, including the estimated annual costs to the department for CMMC expenses that will be considered an allowable cost on a government contract for each of fiscal years 2020 through 2024; a discussion of the roles, responsibilities and liabilities for the prime contractors and subcontractors with regard to the assigning of the CMMC tier; and a discussion of how the CMMC Accreditation Board will prioritize the requests for CMMC certification and the factors used to determine priority, if any, specifically with regard to company size, sole source contracting, and the timelines included in the Department’s rollout of CMMC.

The Senate bill, meanwhile, asks the Government Accountability Office to evaluate CMMC and include “perspectives of companies across the defense industrial base and include analysis of the department’s oversight responsibilities, the role of nongovernmental entities in managing and executing the program, and assessment of the department’s incorporation of lessons learned from the pilot programs.”

GAO also should “assess the department’s plans to expand the requirement to all contracts and associated costs and the steps the department has taken to ensure a consistent acquisition approach across all military services and components.”

This report would be due by May 31.

With all of this interest in CMMC, the IT-AAC and the CMMC board signed a memorandum of understanding to create a center of excellence where the two non-profits will work together to promote the standards, train industry and work with NATO partners to adopt the requirements.

Weiler, who recently left the board, said the goal of the CoE is to bring together the many voices across the defense industrial base supply chain to help advise government, Congress and industry about the best ways of meeting the goals of the CMMC. He said the center “will provide an honest broker and force multiplier for small and medium businesses to get educated and prepared for CMMC and related cyber hygiene standards, and help enable existing DIB communities of practice and industry groups keep abreast of emerging changes, threats and educational programs that can be applied within their own domain, in a shared expense/revenue model.”

Changes coming from NIST?

One last possible change came about on July 31, when the National Institute of Standards and Technology issued draft special publication 800-53B, Control Baselines for Information Systems and Organizations.

Larry Allen, president of Allen Federal Business Partners, told the Federal Drive with Tom Temin that the draft requirements may impact level 4 and IL5 under CMMC.

“[E]ven if you’re certified to one standard, does that really mean that you’re going to be certified whatever this new NIST standard is that’s now going through the rulemaking process? We don’t know,” Allen said. “If you’re a contractor, this has to just be very confusing. And it’s a huge distraction at federal year end. My recommendation to DoD is just slow down, lower your expectations. Everybody knows that if the road isn’t built, nobody can get to the end of the road. And you shouldn’t be expecting people to pull into your parking lot if the road isn’t built.”

Allen added that contractors will not know for sure how 800-53B will impact CMMC IL4 and IL5 requirements until both standards are final, but changes are coming.

NIST details 20 control families, ranging from incident response to configuration management to supply chain risk management.

In the supply chain risk management family, NIST details 14 controls, which is two more than the moderate baseline and three more than the low baseline.