Stringent requirements on DoD contractors to comply with existing protections are expected to take effect by the end of the year

A new rule by the US Department of Defense to ensure that contractors and subcontractors are implementing information security measures required by the federal government is set to take effect 60 days after publication in the Federal Register on October 15.
The rule governs the agency’s Cybersecurity Maturity Model Certification (CMMC) Program, which verifies that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.
According to the department, the CMMC provides the tools to hold accountable entities or individuals that put US information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
The department, which has largely depended on security self-assessments by its suppliers in the past, has been criticized for some time by its Inspector General for weak supervision of its suppliers.
In a report released in December 2023, Inspector General Robert P. Storch noted that his office had issued five reports between 2018 and 2023 that consistently found DoD contracting officials had failed to establish processes to verify that contractors complied with selected federal cybersecurity requirements for controlled unclassified information (CUI), as required by the National Institute of Standards and Technology (NIST).
Rules offer no relief from pressure to comply
With the new rule, the CMMC program adds an annual affirmation requirement, a key element for monitoring and enforcing accountability for a company’s cybersecurity status. It also introduces Plans of Action and Milestones (POA&Ms), which will be granted for specific requirements outlined in the rule and allow a business to obtain conditional certification for 180 days while it works to meet the NIST standards.
Despite the introduction of POA&Ms, contractors are concerned about their ability to comply with the new rule’s requirements within the desired time constraints. “If anyone in the industry was hoping that the pressure would be relieved, I don’t think it was,” said Robert Metzger, cybersecurity practice chair at the law firm of Rogers Joseph O’Donnell.
“There’s a little more time for things to happen,” he said. “It’s pretty clear that no one will be required to undergo a certification assessment until probably at the earliest, the first quarter of 2025 and maybe the second quarter.”
However, he added, “It is also clear that DoD continues to expect that companies who want to do business with it will satisfy all 110 requirements in NIST Special Publication SP 800-171 Rev. 2.” That publication sets out security requirements designed to protect controlled unclassified information in non-federal systems and organizations.
DoD had been urged to be more flexible
“Many people urged DoD to take a more flexible approach,” he continued. “They wanted a lower minimum score from DOD as is needed to allow any POA&Ms. Essentially, DOD says that when an assessment is done, you have to pass 80% of the 110 stated requirements in that special publication. And if you don’t pass 80% of those, then you’re not eligible for any POA&Ms to close over a six-month interval.”
“But even then, there’s approximately 45 of the most important cyber requirements within that group of 110 that the DOD has said you have to meet on the first try, or they’re not going to let you have a POA&M to close them, even if you have an overall 80% score.”
Contractors urged to get a head start on assessments
Brian Kirk, senior manager for information assurance and cybersecurity at the accounting and consulting firm Cherry Bekaert, urged contractors to conduct CMMC assessments during the 60-day period following publication of the new rule in the Federal Register. Cherry Bekaert is a CMMC Third-Party Assessor Organization (C3PAO); C3PAOs are independent entities authorized to evaluate contractors’ cybersecurity practices and controls against the security standards set by DoD.
“The finalization of the rule paves the way for C3PAOs to begin conducting CMMC Level 2 assessments independently of DIBCAC, beginning 60 days from the rule being released to the Federal Register,” Kirk said. DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center, is the federal organization that conducts comprehensive cybersecurity assessments of defense contractors.
“The timing of the release of the rule allows contractors to get a head start by obtaining a CMMC Level 2 certification prior to CMMC being enforced in their contracts,” Kirk said. “Additionally, this approach will help mitigate supply and demand challenges within the CMMC ecosystem by certifying contractors who are ready.”