The Defense Department official leading the development of an ambitious plan to independently certify military contractors’ cybersecurity practices will review a final version of the plan Friday and shared key details for its implementation.
Stipulations of the Cybersecurity Maturity Model Certification will be written into the Defense Federal Acquisition Regulation Supplement as an update to rule 252.204.7012, which currently requires contractors handling information of certain sensitivity to implement security practices spelled out in National Institute of Standards and Technology Special Publication 800-171 and to report cyber incidents within 72 hours.
The major change in the updated rule—which is expected to be open for comment in the spring—will be that contractors will no longer be permitted to self-attest their adherence to the NIST-described practices, as they are now.
The new program will also introduce five levels of tiered requirements for defense contractors. Contractors dealing with information that is not as sensitive would have to meet the “basic cyber hygiene” of level 1, versus the “good cyber hygiene” that implies compliance with the NIST 800-171 controls, or the “advanced” practices that would be required at level 5.
That risk-based approach has gotten the coming CMMC some praise, but the contracting community is on high alert with concerns ranging from the cost of certification to the details of how the audits will function through a nonprofit accreditation body.
Katie Arrington, chief information security officer for the Office of the Assistant Secretary of Defense for Acquisition, answered stakeholders’ many questions during an event hosted by the law firm Holland & Knight today, and delivered some tough love for naysayers.
“For those of you who are attesting that you’re doing the 171, and you say it’s too high of a barrier to get compliant to level 3, I ask why,” Arrington said. “If you’re already attesting on your contracts that you’re doing it, and I’m just saying I need you to prove that you’re doing it, and you’re telling me that’s too much of a burden to bear, I struggle with that.”
Details of the cybersecurity practices—in addition to the NIST controls they include practices outlined by other bodies such as the International Organization for Standardization—required for each level are described in draft 0.7 of the model.
Arrington said version 1.0, the final version to be rolled into regulation, will be delivered to her Friday Morning, and hinted it may be the subject of a Pentagon press conference that day. Arrington stressed the intent is to have the model be updated at least every year, as “electronic warfare is not static.”
“When the model releases this week or next, it will have user guides,” Arrington said, noting it will then be turned over to the accreditation body along with a memorandum of understanding spelling out how the new certification process will work with existing requirements.
“When we hand them the MOU, there will be caveats in it that say we need you to work through your assessors to create reciprocity for government work already done,” she said. “So if your company has been through a [Defense Industrial Base Cybersecurity Assessment Center] audit, there’s going to be reciprocity for that. If you have paid—your company—for an ISO 27001, we will give you credit for those controls that were made.”
Arrington said language for that specification will also be included in the updated rule.
The accreditation body will require a “crown jewel” database, which the government is building. Arrington said she herself wrote the “pretty stringent” requirements for the database into a request for information from commercial vendors.
She said the RFI will be released at the end of this week or next, and that the database will be cloud-based and that the CMMC will be “portaled into your [System for Award Management] ID.”
On cost, she said if CMMC level 1 certification comes in anywhere near “thousands” of dollars, “we’ve missed the mark.”
Level 3 certifications and higher are expected to be significantly more costly, but Arrington said defense officials are working to ensure it’s in the realm of the reasonable, and that the department is working with the Office of Management and Budget and the Office of Information and Regulatory Affairs to ensure contracting officials implement “cost realism” in their selections, noting the certifications will be an “allowable cost.”
A key point Arrington noted CMMC will only be written into new contracts. Initial requests for proposals expected to include a required certification level are expected in October, after the rule is finalized.
To stress the necessity of the rule, Arrington said the U.S. loses an estimated $600 billion per year in intellectual property and data because contractors aren’t following basic cyber hygiene practices.