Tech industry seeks clarity on rollout of self-assessment under CMMC rule, timing to reach compliance

By Sara Friedman  / October 15, 2020

The Information Technology Industry Council is looking for details from the Defense Department on how the Pentagon will handle the implementation of DOD's Cybersecurity Maturity Model Certification based on an interim rule currently out for public comment.

"Our members want to know the timing for when they will need to get certified so what they are providing meets the Defense Department's requirements," Gordon Bitko, senior vice president of policy at ITI, told Inside Cybersecurity.

The rule released on Sept. 29 lays out the cybersecurity requirements that contractors will need to meet to do business with DOD, through the National Institute of Standards and Technology Special Publication 800-171 and the CMMC Framework. The rule goes into effect on Nov. 30.

DOD will incorporate CMMC language into its contracts over a five-year period by Oct. 1, 2025. During that time period, CMMC language in solicitations must be approved by the Pentagon's acquisition and sustainment office.

In the short term, the rule puts in place a compliance regime under NIST 800-171, which is the current standard for self-assessment mandated by the department. For the first time, contractors will be required to submit their assessment results to DOD's Supplier Performance Risk Management System, which will give DOD and its components access to the information.

Bitko said the rule is "unclear" on how the information in the self-assessments will be used by DOD and questioned what happens if a contractor doesn't meet all of the controls.

"Does this mean that if you get below a certain score you are precluded from competing for a contract?" Bitko asked. "Or do you have time until your CMMC assessment or some other third-party assessment to get your score up?"

Bitko said the responses to the scores in SPRS could be interpreted differently by contracting officers within different DOD components without more guidance from the Pentagon on the rule.

The timing of the rule and DOD's decision to release an interim final rule rather than a proposed rule as planned is also concerning, Bitko said, calling the CMMC program a "consequential change" that needs more time for industry review.

"Since there is a five-year timeline to roll out the program, it doesn't make sense to me to issue a final rule," Bitko said. DOD is already doing assessments to work out issues with CMMC in various pilots, which Bitko said should continue while industry gets more time to work through the rule.

"It makes sense that it is taking time to work through these things," Bitko said while highlighting ITI's concerns. "If these things haven't really been worked through, maybe the rule shouldn't have been pushed out as an interim rule going into effect; maybe it should be a draft rule where these things could be discussed and worked through."