Industry groups want clarity from Pentagon on CMMC certification costs, subcontractor requirements

By Sara Friedman / April 10, 2020

The Defense Department is surging ahead with efforts to get third-party assessor organizations certified for work under the Cybersecurity Maturity Model Certification program, but the process of setting up a structure for companies to be assessed and approved has many unanswered questions, according to two large defense industry groups.

The National Defense Industrial Association and Aerospace Industries Association have worked closely with the Defense Department over the past year to provide input on the CMMC standards and are eagerly waiting for more details to come out from the memorandum of understanding signed by the Pentagon and CMMC Accreditation Body last month. The CMMC AB has already launched working groups to develop standards, assessments, and training tools.

Contractors are looking for more information from the CMMC AB on how the costs associated with third-party assessments will be addressed, according to NDIA's Corbin Evans.

"Our understanding is that the CMMC AB will be responsible for working with third-party assessors to help set the rate for costs of inspection," Evans told Inside Cybersecurity. "Initially, we think the CMMC AB is going to allow the initial set of third-party assessors to set their own rates and we may see some differences on costs across the organization."

Evans, who is NDIA's principal director of strategic programs, is concerned about the price of assessments, and will be looking to the CMMC AB for information on how it will ensure that the accreditation costs for contractors are "being set responsibly and accurately."

There will be a rush for prime contractors and subcontractors to get certified before DOD issues requests for proposals in the fall with CMMC requirements included, and Evans said the department is responsible for "outlining and providing guidelines on how exactly these costs will be passed along in the contracts."

Katie Arrington, chief information security officer in DOD's acquisition office, has stated publicly that the Pentagon is considering allowing contractors to bill the department for costs associated with getting certified. Other ideas on the table include splitting the cost between the Pentagon and contractors or including the associated cost as part of a contract award.

Another concern is the timeline for contractors to get through the certification process. In June, DOD is expected to release requests for information, which will give contractors more details on what to expect and which sectors of the defense industrial base will be considered first as the CMMC process moves forward.

AIA is looking for information in the MOU to get a better understanding of what the "milestones" of the CMMC program will be moving forward in more "granular details," according to Jason Timm, the association's assistant vice president for national security policy.

"The biggest thing from an implementation standpoint is ensuring that companies can reach out to the marketplace that the [CMMC AB] is putting together where they will list all trained and accredited assessors and auditors," Timm told Inside Cybersecurity.

AIA wants to get more information on how the CMMC AB and the assessors will be able to accommodate all of the contractors in the defense industrial base who want to get certified as quickly as possible. Timm said one way to address the scale of certifications is to ensure the importance of information to be protected is clearly and properly defined in requests for proposals.

"We are asking the Pentagon to ensure that their contracting officers do not give precedence or a competitive advantage to those who have been able to get their CMMC certification ahead of somebody else," said Timm.

"There is going to be a ramp up time for companies to be able to get their certifications."

AIA is also looking for clarifications from the Pentagon on whether all subcontractors need to be certified at the same level of CMMC compliance to meet the criteria for a prime contract award.

"It really comes down to flow-down requirements of information from the prime to the supply chain," and which subcontractors have access to controlled unclassified info, said Timm.