The Department of Defense hopes to begin implementing its Cybersecurity Maturity Model Certification (CMMC) program requirements in contracts in May 2023, as part of an effort to prod hundreds of thousands of defense contractors to better protect their networks and controlled unclassified information.
The requirements are currently going through the federal rulemaking process for the Code of Federal Regulations (CFR) and the Defense Federal Acquisition Regulation Supplement, which is required before they can be implemented.
“We’re hoping by March of 2023, they will give us an interim rule. Now that’s not guaranteed,” Stacy Bostjanick, the Pentagon’s director of CMMC policy, said Wednesday during an event hosted by the Potomac Officers Club. “They could come back and say, ‘No, we don’t see the urgency of this meeting to be an interim rule and you will not be allowed to implement until you go through final rule.’”
If granted an interim rule decision, the program will go through a 60-day public comment period, but the department would be able to implement CMMC in contracts and acquisitions by May 2023, Bostjanick said.
She noted that the DOD will take a phased approach to ensure the entire CMMC ecosystem — which includes cybersecurity assessor and instructor certification organizations, assessors and the Defense Industrial Base Cybersecurity Assessment Center, among others — will be capable of handling certifications requested for contractors.
The Biden administration’s revamp of the program, known as CMMC 2.0 — which began last year after contractors raised concerns about the original CMMC framework developed by the Trump administration — set the schedule back.
“Based on this shift and administrations and the relook of the program, it has elongated our timeline from the perspective that we are having to do additional rulemaking activities,” Bostjanick said. “Having said that, though, I don’t think that it is a bad thing. I think having CMMC codified as a program and 32 CFR rule makes it a stronger program and gives it more lifespan, quite frankly.”
Prioritized versus non-prioritized controlled unclassified information
Bostjanick also provided insights regarding the requirements of the cybersecurity framework pertaining to prioritized and non-prioritized controlled unclassified information (CUI).
“For those companies that would handle non-prioritized CUI, the thinking is that they could merely do a self-assessment, an annual affirmation that they meet the requirements of the NIST 800-171 to handle the non-prioritized CUI … From our analysis, the non-prioritized CUI is going to be a smaller subset of the CUI that we deal with,” she said.
“Since companies don’t ever normally just do one contract with the DOD, they bid on multiple contracts, eventually, anybody who handles CUI and bids on more than one contract will most likely have to have a third-party assessment, because it’s only ever going to take one contract that you bid on that requires that third-party assessment to drive you to that level,” she added.
She noted that a contract will indicate whether the procurement includes prioritized CUI, non-prioritized CUI or Level 3 CUI as a factor. Level 3 requires an assessment from the Defense Industrial Base Cybersecurity Assessment Center.
Right now, Pentagon officials are working on several exercises to ensure the definitions between these levels of controlled unclassified information are clearly delineated.
The rough definitions they are working through right now, which could be refined in the next few months, is that non-prioritized CUI involves information that wouldn’t cause much of an issue if it were to be released — such as the material of a military uniform. Prioritized CUI is information that would cause some loss of capability or advantage if adversaries, hackers or others got hold off of it. And Level 3 advanced CUI is information associated with critical programs and technologies.
Additionally, the Pentagon is putting together an acquisition guide for program managers and contracting officers to make the decision whether or not CUI is prioritized or non-prioritized as they move into a request for proposals, Bostjanick said.