CMMC Under Review Before Final Release


CMMC Under Review by DoD

The DoD is finalizing changes to the Cybersecurity Maturity Model Certification (CMMC) program in an attempt to sufficiently address national security requirements without overburdening the defense industrial sector. According to an article recently published at the Federal News Network, these changes are to be released soon as a finalized plan of implementation.

Christine Michienzi, chief technology officer for the deputy assistant secretary of defense for industrial policy, said, “We are, again, including feedback from industry on that to make sure that this is the system that is going to be the best system for the department and for industry.”

The Pentagon announced it was reviewing the current approach in April of 2021. This announcement was followed by minor updates in congressional testimonies in June of 2021. Since this time, however, the Department of Defense (DoD) has been silent on its intentions until this latest announcement of reviews. This has raised questions as to the Biden administration’s commitment to CMMC achieving its stated goals.

Growing Apprehension Among Defense Contractors

This silence has created apprehension in an industry that has scrambled to meet future requirements without a clear view of exactly what these requirements will be. This has hindered the industry’s ability to create budgets and engage in meaningful strategic planning. Additionally, many smaller subcontractors fear that the complexity of the proposed CMMC may be creating barriers to participation in the DoD acquisition process.

Members of the defense industrial base have voiced a desire for standardized DoD marking practices for Controlled Unclassified Information (CUI) and for requirements limited to those that directly relate to contract performance.

Another area of concern is the Defense Federal Acquisition Regulations (DFARS) Interim Rule released in September 2020. In a letter to the DoD, industry consortiums ITI, PSC and NDIA stated that it is unclear how this rule has been or will be adjudicated. The letter then encouraged the DoD to conduct public hearings if further changes were anticipated.

All Parts of CMMC Are Being Reconsidered

The DoD is reviewing all aspects of its approach to CMMC. Included in this reassessment is the CMMC accreditation body’s role. Alternatives could include certification from the Defense Contract Management Agency or self-certification at certain CMMC levels.

This further action has muddied the waters as to what the future holds for contractors, subcontractors, and suppliers to the DoD. This is especially the case for commercial vendors, who may defer investments in developing a CMMC program in the midst of such uncertainty. In response to these apprehensions about the scope, timeline, and manner of implementation, the Pentagon has encouraged companies to stay the course, as cybersecurity systems will still need to be in place and will require verification and validation.

CVG Strategy Can Help

Bad-actor foreign governments like China are making considerable efforts to steal U.S. IP. U.S. counterintelligence agencies are focused on stopping this in its tracks, but they cannot do so without industry taking up some of the workload and responsibility.

CMMC will help to secure the supply chain and is critical to plugging the data leaks to bad actors. Cybersecurity must be incorporated across all parts of the supply chain for government contractors, and this is the goal for CMMC. Just like other new standards and requirements, the first contractors who achieve an appropriate level of certification will likely get more and newer contracts over their competitors.

Regardless of the final format of CMMC, a sound cybersecurity system must be in place to ensure conformity. The soundness of a system can be determined by performing a Supplier Performance Risk System (SPRS) Cybersecurity Assessment. Under the current system, this is a requirement for businesses providing products or services to the Department of Defense (DoD). This Supplier Performance Risk System assessment is to be completed by the contractor before DoD contracts can be awarded.

CVG Strategy is ready to perform an SPRS cybersecurity assessment for your organization. Our Certified ISO 27001:2013 Lead Auditors can help you meet future CMMC requirements. Additionally, CVG Strategy can assist in the development of an effective Information Security Management System (ISMS) to protect CUI and instill confidence in your clients.