There’s a lot of chatter in tech spaces about the Cybersecurity Maturity Model Certification (CMMC), soon to be a requirement for contractors with the Department of Defense.
But as is often the case with regulatory questions, uncertainty abounds. Some blogs claim that enforcement mechanisms for the certification requirements are already in place; others give concrete dates for when the program’s phases go into effect.
What is CMMC?
The CMMC is an expanded suite of cybersecurity requirements for vendors who contract with the DOD. It’s aimed at protecting unclassified and classified information as well as instituting best practices. And most of it, as Deltek Senior Manager of Cloud Solutions Michael Greenman told IT Brew in June, isn’t new.
“CMMC was born as the enforcement of the cybersecurity requirements that defense contractors have had in their contracts for many, many years,” Greenman said.
Definitely maybe.
Okay, here’s where things get a little complicated. CMMC is operational in the sense that vendors are expected to adhere to its guidelines via a voluntary process. But the enforcement aspect of the rule, which would allow DOD to levy consequences on contractors, is not.
That’s because another rule, the Defense Federal Acquisition Regulation Supplement rule in Title 48 of the Code of Federal Regulations (the DFARS 48 CFR rule), has yet to be implemented. That rule must be in place before enforcement can begin, said Carrie Cardwell, deputy director of the CMMC program manager office for the DOD chief information officer.
“We can’t mandate contract compliance until the 48 CFR rule is published as final and effective, because that is the rule that contains the contract clause language,” Cardwell said. “So, then the implementation, or the phase in, will begin.”
Contract constriction.
To enforce compliance, CMMC officials will need insight into the contracts themselves, something the enforcement clause also provides for. CMMC Director Buddy Dees told IT Brew that the Controlled Unclassified Information (CUI) program doesn’t currently include the ability to verify compliance, which is one of the reasons for the CMMC rule in the first place.
“The CMMC gets the department that insight to allow us to verify that contractors are doing what has already been mandated, contractually, in their clauses,” Dees said, adding that once CMMC is fully in place, the contracts will be tied to its implementation.
Contractors will be expected to meet certain levels of CMMC compliance, determined by a phased process that will kick in once the rule is passed.
Phase through.
Once the CMMC is in place, the program’s three levels will be phased in over 12-month increments. Vendors will have a year to meet level one, then level two, then level three, depending on what certification they need for their contracts.
“The contracting officer will verify before the award that the vendor that’s going to be receiving the award has met the CMMC requirement—so no CMMC met, no award,” Dees said. “And that’s another enforcement mechanism.”
However, the phased system doesn’t mean that contractors must wait for the third phase before pursuing level three. They are welcome to meet the standards beforehand, but not required to. Industry partners can get their level two or three assessments immediately if they choose.
“They also have the discretion to include that requirement in the solicitation and then say, well, ‘It’s going to require CMMC level two in this contract award, beginning with option period one or two,’ to give them that advance notice in the solicitation,” Cardwell said.
Money problems.
Change is hard, especially for business. The reaction to CMMC hasn’t all been positive, so much so that acting DOD CIO Katie Arrington urged the audience at the AFCEA TechNet Cyber conference in May not to dismiss the process.
Dees and Cardwell told IT Brew that they understand that some in the contracting world are wary of the new requirements. The concerns are largely cost-related. They added that they’re already seeing a spike in contractors joining the voluntary program, well ahead of enforcement, and haven’t seen a negative impact on contracting or contract interest.
Companies that expect CMMC compliance to be costly overlook that the program only makes sure contractors adhere to existing requirements, ones they were already expected to meet on their own on a voluntary basis, Dees said.
“There’s another part of the public that is very supportive of what we’re doing, that we’re leveling the playing field,” Dees said.