A sweeping plan to conduct independent third-party cybersecurity audits of prospective Defense Department contractors’ management of sensitive information will be subject to a formal rulemaking process, but the department and the nonprofit organization being established to train and approve certifiers are still moving at a quick clip.
“Because we’re doing rulemaking, this isn’t going to roll out as hard and fast as we thought,” said a government official delivering a briefing on Defense’s Cybersecurity Maturity Model Certification program at a meeting of the Software Supply Chain Assurance forum today.
Quarterly meetings of the forum—co-led by Defense, the General Services Administration, the National Institute of Standards and Technology, and the Homeland Security Department—are attended by public and private sector representatives and conducted under the Chatham House Rule to encourage a free exchange of ideas.
The official said Defense expects the CMMC requirements to be issued as a proposed rule this fall, but regardless of the related public comment process, officials still plan to include the rules in requests for proposals starting in the third quarter.
“In June, we’re going to give you a [request for information] that says these procurements are targeted to have CMMC requirements,” the official also noted.
The CMMC effort is intended to stem the loss of controlled unclassified information. Currently, defense contractors only have to self-attest their adherence to NIST special publications laying out the appropriate protections for such data.
The department intends to operationalize the coming certification program through a nonprofit accreditation body that will be tasked with training auditors, establishing the necessary infrastructure, accreditation and credentialing, and assessment operations, as laid out in a slide presentation by the official.
Companies looking to do business with the department will have the sensitivity of their data assessed, and auditors will determine an appropriate level—1 through 5—of security required.
Entities can contest decisions made about their assessed levels, and such protests will be processed by the accreditation body.
The official said “I can only use my powers of influence” to weigh in with the body, but added that the group would operate truly independently.
One meeting participant interjected, saying “we really appreciate that separation.”
The department does expect to be part of the oversight structure for the accreditation body. Details will be spelled out in a memorandum of understanding between the two entities that can be signed as soon as the accreditation body is officially incorporated. The official said that should be done “by the end of the month” and “hopefully” by the end of next week.
The official said Defense expects to turn operations over to the accreditation body in February but stressed that the department is “not going to give up control of the model” itself, which will remain subject to change once issued at the end of the month.
In March, Defense plans to publish the assessment guides that auditors will use to determine what level of data protection will be required.
Participants at the meeting included small business owners with questions about how assessed levels would flow down from prime to subcontractor. The official clarified the level would not necessarily be expected to correspond.
“It depends on where your data is,” the official said, noting prime contractors may not need to make their most sensitive information available to their subcontractors.
Responding to other concerns from participants, the official said the accreditation body has agreed it will publish a list of approved products on its website.
The official acknowledged a “crawl, walk, run” reality but noted the certification program has garnered interest from other parts of the government, and of the world.
“We’ve got Treasury, asking about this, State, Canada,” she said. “If we do this right,” it can really be a model for the broader ecosystem.