The Department of Defense has created a new framework of cybersecurity requirements and certifications contractors must achieve under the Cybersecurity Maturity Model Certification (CMMC). But what about the DOD contractors that mostly outsource their IT and cybersecurity to managed service providers?
The Pentagon’s CMMC leadership, now housed in its Office of the CIO, is planning to meet soon to address potential requirements for managed service providers under the CMMC framework that could ease the burden for those contractors that do very little of their own IT.
“What we are looking for are ways to ease the burden on the [defense industrial base],” Stacy Bostjanick, chief of implementation and policy in the Office of the CIO, said Wednesday during a town hall event with NeoSystems. “And so cybersecurity-as-a-service is a logical place that we’re moving to,” she said, adding that the office is considering pilots to explore those kinds of arrangements.
Bostjanick said more and more defense contractors have moved to a managed service provider for IT, and that means “we’re going to have to make sure that we have a model and requirements that fit that paradigm to ensure that those providers are secure as well as the companies using them.”
In the next few weeks, she will meet with DOD Chief Information Security Officer David McKeown and others “where we’re proposing what kind of requirements we would ask managed service providers, cybersecurity-as-a-service people who use cloud capabilities … so companies can be secure in using them, so that they meet the requirements.”
The hope is the Pentagon will be able to finalize those to include in the updated interim rule under what’s being referred to as CMMC 2.0 — a streamlined set of requirements for defense contractors introduced late last year. Bostjanick is eyeing March 2023 for the release of that rule, and then DOD would begin implementing CMMC in some contracts that May.
Once McKeown gives his approval to any different rules for managed service providers, the department will begin sharing those with industry for feedback.
As DOD looks ahead to issuing a CMMC rule next year, things continue to evolve for the program. For instance, last month Bostjanick detailed how the department is thinking now about the different types of controlled unclassified information that contractors handle, like prioritized and non-prioritized CUI.
Under CMMC 2.0, contractors that handle CUI will have to be certified in meeting one of three tiers of requirements.
But even the DOD has shown that meeting those requirements can be difficult. According to the Government Accountability Office, though the DOD is not legally required to meet CMMC standards itself, its components have only met 78% of the 110 requirements for systems that manage advanced levels of CUI.