Officials say an updated rule for implementing the program will be open for comment later this spring.
The Defense Department’s Cybersecurity Maturity Model Certification initiative could have the opposite of its desired effect and create security risks, major companies said in a letter to top Pentagon officials Friday seeking clarification on a number of issues.
“We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs,” reads the letter to Ellen Lord, under secretary of Defense for acquisition and sustainment, and Katie Arrington, the chief information security officer for the acquisitions office. “These challenges could lead to the DIB being even less secure, if left unaddressed.”
More than 100 companies are represented in the letter by the Internet Association, BSA | The Software Alliance, The Cybersecurity Coalition, the Information Technology Industry Council, CompTIA and the Alliance for Digital Innovation.
Pentagon officials are launching the CMMC in an attempt to ensure contractors within the Defense Industrial Base are implementing appropriate cybersecurity controls amid concerns foreign adversaries such as China are hacking their systems to steal valuable intellectual property.
Defense contractors are currently self attesting their adherence to controls such as those laid out in National Institute of Standards and Technology Special Publication 800-171. The CMMC would require independent third party auditors validate companies’ compliance before they can do business with the DOD.
Defense officials say the CMMC requirements will be added to the Defense Federal Acquisition Regulation Supplement as an update to rule 252.204.7012 and will be open for public comment in the spring.
But industry isn’t waiting to weigh in.
Pentagon officials say they are moving slowly, and with “irreversible momentum,” stressing the CMMC won’t be fully implemented until 2026. But they recently noted the coronavirus pandemic won’t affect their implementation timeline, which involves including CMMC requirements in 10 “pathfinder” Requests for Information this year.
“Since DOD has said there will be no delay in implementing the CMMC, the private sector needs to understand how DOD will address the serious questions and uncertainty that exists about the accreditation process,” Norma Krayem, chair of the cybersecurity, privacy and digital innovation practice group at Van Scoyoc Associates, told Nextgov. “Even just auditing 10 contracts in 2020 will impact a large-scale number of businesses based on the flow-down requirements.”
That sentiment echoes some of the concerns companies highlight in the letter.
“We recognize that there is a real tradeoff between speed of implementation and addressing these issues, given the risks to the DIB,” the companies wrote. “At the current implementation speed, unless there is a continued commitment to improving CMMC in the areas noted, we are concerned it may limit competition and reduce the government’s access to new technologies.”
The letter also highlights concerns related to security for an information repository auditors will use, the applicability of the standard to foreign partners, streamlining the CMMC with other U.S. government requirements and the suitability of the proposed controls.
“We believe that some of the controls in CMMC apply best to traditional models, but not as well to modern large scale infrastructure,” the letter said. “Rigid conformance to those controls may actually introduce new risks to the controls in place for high security and high availability or operational technology systems and environment.”
The letter tried to strike a collaborative tone.
“We stand ready to assist DoD in optimizing the CMMC’s effectiveness,” it said. “Considering and incorporating IT industry feedback will help ensure that DoD implements a structurally sound and holistic initiative from the beginning.”
Help us understand the situation better. Are you a federal employee or contractor with information about how your agency is handling the coronavirus? Email us at firstname.lastname@example.org.