DoD addresses two big challenges to make CMMC a reality

The Defense Department feels better than ever about the future of the Cybersecurity Maturity Model Certification program.

DoD is close to solving two big obstacles to get CMMC off the ground more than six years after first introducing the data security program.

After finalizing the first rule related to CMMC last summer, which established the formal program, DoD now believes its path is clear to get the second regulation finalized in the coming months.

Stacy Bostjanick, DoD’s chief of the Defense Industrial Base Cybersecurity in the CIO’s office, said the rule to change the Defense Federal Acquisition Regulations (DFARs) is close to going to the Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA) for final processing.

“They’re [DoD] working on the final edits to get it back to OMB OIRA, so it is moving, and we really expect to keep it close to the original timeline that we expected of later this summer it become in full and published and ready to roll,” Bostjanick said at the Professional Services Council’s Acquisition conference last Thursday.

DoD issued that proposed rule last August. It would do several things including defining controlled unclassified information (CUI) and establish a solicitation provision and prescription for CMMC.

The challenge for DoD came when the Trump administration imposed a 60-day regulatory freeze on its first day in office. While that freeze recently lifted, President Donald Trump also issued an executive order requiring agencies to repeal at least 10 rules, regulations or guidance documents for every new rule. The CMMC DFARS rule got caught up in the regulatory freeze and 10-for-1 exchange requirement.

Bostjanick said she definitely wants to end any rumors that CMMC is going away due to the regulatory freeze.

 

Pilot shows ways to reduce cost of CMMC

The second big change for DoD is the successful pilot with cloud service providers (CSP) and a managed service provider (MSP) to provide an easier path for companies to meet CMMC requirements.

DoD estimates that there are 220,000 to 300,000 companies in the defense industrial base, roughly 80,000 will need to achieve CMMC level 2, and another 1,500 will need to achieve CMMC level 3.

Additionally, there are only 50 to 60 certified third party assessment organizations (3CPAOs), meaning DoD has to help find a way to deal with a potential backlog.

Bostjanick said the test with the managed service provider showed that this shared service approach could reduce the time and cost for certification.

“We saw one company, I can’t mention the name, but they from zero to 110 controls in two months, and it cost them about $1,300 a seat, and $32,000 for their assessment,” she said. “The same company that got them compliant and got them to their 110 controls can’t do the assessment, so you have to work with another company come and do that assessment. It was two months’ worth of work and not that much money.”

By working with a MSP or CSP, Bostjanick said companies would inherit between 80% and 90% of the controls from the platform.

“The customer responsibility matrix is going to be wildly important for a company to understand and follow because there are certainly things in the NIST SP-800-171 that require you to do work in your spaces. Now, a lot of these MSPs are providing templates and guidance and help to get the company there, but that customer responsibility matrix where you are aware and know exactly your part that you have to play to get to the 110 controls and you know most of the MSPs that are working with you will help hold the hand all the way through,” she said. “I’ve been very heartened by the capabilities that have been born out of this requirement. Industry has definitely risen to the challenge to help us, and they’ve definitely found affordable solutions for small and medium companies.”

 

Phased rollout coming

The CSPs — including Microsoft, Google, Amazon Web Services and Oracle — have partnered with managed service providers to provide capabilities, mostly through virtual desktops, to contractors.

Bostjanick said one or two of the CSP’s approach protects the data in a way if it gets downloaded to another system, it would automatically move into continuous monitoring mode.

DoD is also working with the industry advisory group the Cyber AB on an online marketplace to list these types of CMMC related services.

“We’re working right now with the Cyber AB on what the website, what would the criteria be for ingesting a company and hosting them on that website? So more to come. But we have seen some wonderful capabilities that have been out there that are definitely low cost, and they provide an environment for companies to operate in,” Bostjanick said.

While vendors already are expected to meet the requirements under NIST 800-171, the CMMC standards are more than a year from being part of a contract award.

Bostjanick said DoD will oversee a phased rollout of the requirements.

“We originally had the first phase of six months where you could continue focusing on that self-attestation, but it would be self-attestation under the CMMC rules, which means you no longer can have a plan of action and milestones (POA&M) that goes out to 2099 before you’d complete it. So now, your POA&Ms will have to be closed within six months, and you’ll have to do your annual affirmation that you are compliant with the NIST 800-171,” she said.

Previous Post
    Recent Posts
    • All Posts

    Get started today!

    Request a Consultation

    More info

    Services

    Contact Us

    Envelope Linkedin Facebook-f

    Strong Cyber Solutions, LLC

    Copyright © 2022 StrongCyberSolutions – All Rights Reserved. Privacy Policy | Cookie Policy