Pentagon acquisition office to develop guidebook for industry on controlled unclassified information

By Sara Friedman  / September 17, 2020

The Defense Department is working on a guide to help industry and the acquisition community understand how to handle controlled unclassified information, addressing a foundational component of the Pentagon's Cybersecurity Maturity Model Certification program.

The guidebook will build on DOD Instruction 5200.48, the department's CUI instruction issued by the office of the under secretary of defense for intelligence and security in March. The instruction establishes policy, assigns responsibilities and outlines procedures for how the Defense Department will manage CUI across all DOD components.

Requirements for industry to protect CUI start at CMMC level three, according to Defense Department acquisition office Chief Information Security Officer Katie Arrington, who spoke at an industry event Tuesday. However, there are open questions about which contractors need to be certified at level three as requirements flow down the supply chain from prime contractors to their subcontractors.

"We have been working with OUSDI on a training handbook to go out on what CUI is," Arrington said. "We've got to work through what is CUI and who is getting it in the waterfall of the contract from prime to sub."

Arrington compared the DOD instruction to documents that the National Institute of Standards and Technology produces, which she described as "great" but "sometimes hard to understand in small business terms."

Arrington spoke on a panel with CMMC Accreditation Body board Vice Chairman Karlton Johnson at an event hosted by email encryption company PreVeil.

The CMMC program reached a significant milestone on Aug. 31 with the first training for 25 provisional assessors who will be able to do audits. The four-day course culminated in an exam for participating assessors, which Johnson described as having a "pretty good pass rate."

DOD's acquisition office is currently working on a memo, to be released "in the next week or two," announcing that it will accept CMMC certifications from assessors who have passed the CMMC-AB course, Arrington said.

However, Arrington cautioned companies against going beyond a level one certification until DOD completes the change to its acquisition regulations that is needed to implement the CMMC program. The proposed rule is expected to be out for public comment by November.

The current cybersecurity regime for the defense industrial base is self-attestation against the 110 controls in NIST Special Publication 800-171. Arrington said companies should hold off trying to reach CMMC level three until the rule change is complete, because that maturity level incorporates an additional 20 controls beyond NIST SP 800-171, and those controls may change based on industry feedback on the proposed rule.

As for the official rollout, Arrington said the start of CMMC is not going to be like "a light switch" where companies that want to do business with DOD will need to comply on Jan. 1, 2021. Instead, it will be a gradual rollout over the next five years that will "be implemented strategically," Arrington said.

"As new contracts and new grants come out, [DOD components] will put CMMC in as soon as we have enough certified auditors to carry the load," Arrington said. "We don't want to put out a tremendous amount of RFPs or grants where we don't have the capability to give the marketplace the auditors that they need."

Companies should still be preparing to meet the requirements of the CMMC program today based on the maturity level that they want to achieve, Arrington said.

In addition to the training, the CMMC-AB announced a new partnership on Aug. 31 with Dun & Bradstreet to conduct financial and ownership background checks for companies that wish to become certified to do work with the accreditation body.

Information on the first 11 licensed partner publishers approved to work with the CMMC-AB was also posted on the accreditation body's website earlier this month. The LPPs will produce content for the training of assessors.

There has been increased scrutiny of the CMMC-AB over the past week after a sponsorships page on the accreditation body's website drew attention on LinkedIn. The page listed details for "partner levels" ranging from $5,000 to $500,000; for $5,000, assessors, consultants and publishers could obtain a higher listing on the CMMC-AB's marketplace.

The sponsorships webpage was deleted after an outcry from stakeholders. During Tuesday's event, Arrington said she is "blown away" by "stuff" she has been reading on LinkedIn that is critical of the CMMC program and the accreditation body, describing those who discuss problems on the platform without proposing solutions as "whining."

"If you are going to be negative about [CMMC], you are never going to be able to get to a solution," Arrington said. The Defense Department is open to "finding solutions" to problems, but Arrington said DOD is "still going to press forward [with CMMC] because the nation is depending on us to do the right thing."

The CMMC-AB "has gone out of their way to set clearly defined parameters to ensure" that they are avoiding Organizational Conflicts of Interest, Arrington said. "They have been working to encompass best practices and capabilities from providers that are already in the ecosystem to bring them into the fold."