DOD releases interim cybersecurity rule

The rule is designed to ensure DOD contractors are adhering to a uniform standard for protecting controlled unclassified information is protected. But while trade groups representing government and defense contractors have lauded the framework but criticized the implementation and rulemaking process.

checking data (alphaspirit/

The Defense Department released an interim rule for its Cybersecurity Maturity Model Certification program that will require contractors to prove they are keeping up with key cybersecurity measures.

The rule, which goes into effect Nov. 30, was published in the Federal Register Sept. 29. Public comments will be collected until then and are expected to be considered when crafting the final rule.

Ellen Lord, DOD's top buyer, announced the rule's publication during a virtual keynote presentation at the Common Defense 2020 conference on defense industry base procurement.

"To ensure cybersecurity is also foundational for our partners in industry, the department created the Cybersecurity Maturity Model Certification or CMMC," Lord said. "Thereby requiring all DOD contracts by Oct. 21, 2025 -- five years from now -- to have some level of CMMC in each of those contracts."

The interim rule includes contracting language to amend the Defense Federal Acquisition Regulation Supplement that "requires contractors to apply the security requirements of NIST SP 800-171 to 'covered contractor information systems'...that are not part of an IT service or system operated on behalf of the government."

The interim rule effectively creates three levels for cybersecurity assessments -- basic, which is required to be eligible for award, medium and high, which can be conducted during the course of performance -- and two assessment tracks, one for NIST 800-171 that's effective now and one for CMMC, according to an analysis by the Wiley Rein law firm in Washington, D.C.

"Under this framework, contractors will be required to complete a self-assessment of their compliance with NIST SP 800-171 before they can receive DOD contracts," Wiley Rein wrote.

"For CMMC, the interim rule introduces the long-anticipated DFARS clause that sheds some light on how DOD contractors are expected to flow down the requirements to subcontractors. But the interim rule also highlights DOD's desire to continue developing the CMMC requirements outside the DFARS rulemaking process."

The aim of the program is to ensure DOD contractors are adhering to a uniform standard and that DOD's controlled unclassified information is protected. But while trade groups representing government and defense contractors have lauded the CMMC framework but criticized the implementation and rulemaking process.

Corbin Evans, the National Defense Industrial Association's principal director of strategic programs, told FCW via email that the interim rule format is limiting when it comes to allowing for industry feedback.

"The use of the interim rule format limits the ability for DOD to incorporate valuable feedback from the [defense industry base] prior to the final rule taking effect," Evans said, and "eliminates the ability for a public meeting to be conducted on the rule prior to implementation."

The Professional Services Council said in a statement that it "supports improved cybersecurity and cyber hygiene for government contractors" but is "disappointed it was issued as an interim rule, taking effect immediately, and not a proposed rule."

The rule also gives a glimpse of expected costs to comply for small businesses, ranging from approximately $1,000 for Level 1, or what's considered basic cyber hygiene, to upwards of $50,000 to reach Level 3, which is reserved for companies that process, store, or transmit CUI, to cover contract support and a certified third-party assessment.

According to a chart that evaluates estimated annual assessment costs, companies seeking a CMMC Level 1 could expect to pay $1,000 a year for third-party assessments, while those seeking Level 3 certification could spend about $60,000 a year. For the latter, about $17,000 would go towards assessments, which are organized and run by the CMMC Accreditation Body -- a non-government entity partnering with DOD to develop curricula and implement training for assessors.

However, there's concern that those cost estimates could be conservatively low and "not fully in line with the reality," Evans said. "Just considering implementation costs for the delta between CMMC level 3 and NIST 800-171, we see that the costs of compliance are still underestimated," he said. "This will harm the ability for contractors to fully recover costs of CMMC compliance, effectively imposing both a new regulatory and financial burden on defense industrial base members."