Ken Larson

CMMC Final Rule – Beware of ‘Gray’ Areas



“NATIONAL DEFENSE MAGAZINE” By Josh Luckenbaugh


“Primes and subcontractors go after different levels of assessment, which may pose gray areas where a flow-down requirement from a higher-level prime contractor to a subcontractor may carry a security assessment impact.”

____________________________________________________________________________


“After some hiccups along the way, the Defense Department is finally set to begin implementing its Cybersecurity Maturity Model Certification program next year after the final rule hit the Federal Register in October.


The program, known as CMMC, is the department’s mechanism for verifying defense contractors that handle federal contract information and controlled unclassified information are compliant with the Pentagon’s cybersecurity requirements.


As the final rule outlines in its “History of the Program” section, it has not been an easy road to CMMC implementation. The department released an interim final rule in November 2020, but “in response to approximately 750 public comments on the … interim final rule, in March 2021 the department initiated an internal review of CMMC’s implementation” and eight months later announced a revised version of the program dubbed CMMC 2.0.


Felipe Fernandez, chief technology officer at cybersecurity company Fortinet Federal, said the fact the Defense Department has incorporated industry feedback throughout the rulemaking process is quite “off standard.”


“From an industry perspective … we were able to go on this journey with the DoD as the drafts were released and, of course, the final rulemaking,” Fernandez said in an interview.


CMMC 2.0 has three key features, the final rule states: a tiered model of assessment levels, an assessment requirement so the department can verify the implementation of its cybersecurity standards and a phased implementation of CMMC.


The tiered model consists of three levels. CMMC Level 1 allows contractors responsible for “basic protection” of federal contract information to self-assess compliance, while companies handling controlled unclassified information will need to achieve at least CMMC Level 2, a department release stated. In some situations, companies can confirm Level 2 compliance with a self-assessment, but otherwise they must hire a CMMC Third-Party Assessment Organization, or C3PAO, to assess them.


Level 3 is reserved for contractors handling controlled unclassified information that requires “a higher level of protection against risk from advanced persistent threats,” the release said. Level 3 assessments will be conducted by the department’s Defense Industrial Base Cybersecurity Assessment Center.


Companies that think a Level 2 self-assessment will suffice will need to be careful, Fernandez said, particularly if they are a subcontractor to a major defense prime that has a Level 2 third-party assessment.


“It may be dictated by that prime that in order for them to just have the least amount of headaches and surprises” before or after contract award, any potential subcontractors “will have to also get a Level 2 C3PAO assessment, because in the event that CUI gets passed from my system to your system,” prime contractor requirements flow down to their subcontractors, he said.


“That’s one of the areas where we’re going to see, I think, some gray area and some different rules applied,” he said. “We’re going to see … primes and subcontractors go after different levels of assessment based on their level of risk to that type of situation.”


The Defense Department is implementing CMMC incrementally with a phased approach that it plans to begin in 2025. Phase 1 will start when the department’s rule change to the Defense Federal Acquisition Regulation Supplement to contractually implement CMMC goes into effect, at which point the department will begin including requirements for Level 1 and Level 2 self-assessments in all applicable solicitations and contracts.


In Phases 2 and 3, the department will implement Level 2 and Level 3 certification requirements and will achieve full implementation in Phase 4. The first three phases will each last a year.


In a recent study conducted by Merrill Research and commissioned by CyberSheath, only 4 percent of respondents said their companies are completely ready for CMMC certification. Fernandez said many organizations have invested in cybersecurity technologies, “but unfortunately, you have to mature your policies and procedures” as well, and “I think a lot of organizations maybe are realizing they’re not mature enough yet” for CMMC compliance.


“We’re talking about businesses here, and particularly smaller businesses where they can only invest so much time and effort into these kinds of procedural improvements without risking the actual business that they’re in,” which has led to a shortage of “expertise within the companies themselves to understand the controls [and] how they need to be implemented in a way that DoD or a C3PAO would deem fit for meeting the CMMC requirements,” he said.


While many companies currently have cybersecurity shortcomings, “the good news is what we’re seeing is they’re coming for help, not just from contractors or consultants but also from their vendors, and they’re looking to us to help them meet these requirements,” he said.


For example, for the companies moving their data and assets to a cloud computing environment, “you have the Microsofts and the AWSs willing to help them out and say, ‘OK, we’ll get you at least to this level of compliance — say 75, 80 percent compliant,’” he said. “So, I think there’s lots of help for” organizations seeking assessment “from not just assessment organizations but also from the vendors, who are willing to apply time and their expertise on how their technologies can help.”


While there is likely to be an initial compression of the defense industrial base as a result of CMMC, “it’s going to lead to higher quality options” for the Defense Department as contractors increase their cybersecurity levels, Fernandez said.


As time goes on and companies start to understand the cost of doing business, “there will be maturity in the market” and “blueprints created for organizations to follow to quickly get to where they need to be,” and the industrial base will grow again, he said. “So, I think there’s going to be some lessons learned in this first couple years for a lot of organizations, but it’s going to be for the benefit of the DoD.”

