NDIA asks Pentagon for details on CMMC pilot activities, guardrails around assessments

By Sara Friedman  / October 16, 2020

The National Defense Industrial Association is asking the Defense Department and the accreditation body behind its Cybersecurity Maturity Model Certification program for additional guidance on issues ranging from the assessment process to costs for certification.

In a letter to DOD and the CMMC Accreditation Body, NDIA lists questions in nine areas that are of concern to its members on the implementation of the CMMC program.

"We appreciate DOD's prior engagement with industry to enrich and refine the model's specifications, and we look forward to continuing the dialogue as DOD fleshes out the administrative structures, processes, and procedures to manage implementation and compliance," the association writes in the letter sent Oct. 8.

"As with our previous comments, these questions seek to clarify and optimize implementation of CMMC," the letter continues. "NDIA is fully supportive of the CMMC's underlying vision and plan to create a 'unified cybersecurity standard for DOD acquisition.' We urge DOD to continue providing industry with the opportunity to review and comment on DOD's proposed plans for the implementation and assessment of CMMC, preferably before any additional interim or final rules are promulgated to help inform and improve rulemaking."

The association wants clarity on the rollout of the program, including how pilot or pathfinder contracts are being identified and whether information on the chosen contracts will be made public. NDIA also wants to know which programs will be prioritized for the rollout.

"Simply including [program] information in the [request for information/request for proposals] may not give a company sufficient time to respond, depending on the proposal timeline, CMMC level, and especially if you are a subcontractor under the program and may not see the RFI yourself -- if DOD has key aerospace competitive programs in mind they want to target in 2021, it would be helpful to share that with industry. If they plan to target certain sole-source contracts, would also be helpful to know," NDIA writes.

In terms of costs, NDIA is looking for more detail on "the allowability of costs associate[d] with CMMC compliance and how they will be recovered." Companies are already "incurring costs associated with preparing for compliance," NDIA says, and it asks whether DOD will allow both direct and indirect costs, especially for CMMC maturity levels four and five.

The largest section of the letter is on the assessment process, and it asks a broad range of questions regarding oversight of the assessors through the CMMC AB and DOD:

  • Is the C3PAO training process prepping audit companies to understand the nuances of every different IT and manufacturing Operational Technology (OT) environment?
  • The DIB is full of technical complexity and nuance that may result in 'false negatives' (failing a contractor) because the assessor lacks the technical competence and skills to understand what is likely to be many ways to approach some of the controls.
  • How will the DoD ensure consistency of the interpretation and application of requirements between C3PAOs and government auditors? How will the situation be handled if a C3PAO certifies a firm but a government auditor disagrees with the findings?
  • It seems that certification audits are likely to include the target company trying to “sell” their controls to the C3PAO as adequate and sufficient to meet the standard. Highly likely that companies will ask their outside cyber consultants to be present at the assessment to help 'argue the cause.' How is the CMMCAB approaching this? Will outside cyber advisors be allowed to be present?
  • How does the DOD and the CMMCAB plan to ensure consistency among the C3PAOs? Will there be an audit process to ensure C3PAOs are consistent and comprehensive in their assessments?
  • What oversight will there be over C3PAOs' ability to set their own prices?
  • Given that the C3PAOs will be performing some traditionally governmental functions, what oversight will the DOD retain over these actors? To what extent would ethics rules applicable to Government employees be passed on to C3PAOs? For example, would any rules prevent or restrict an assessor from 'switching sides' to go work for an organization seeking certification?
  • What systems and mechanisms have been developed to resolve disputes regarding C3PAO assessments and what recourse will contractors have? Are there plans for contractors to have recourse to DOD?
  • What considerations have been given to the recourse options available to subcontractors that fail C3PAO assessments? Will this cause delay on performance of the contract? Will a subcontractor seeking to remediate shortcomings be given expedited processing for re-assessment?
  • Will C3PAOs be liable for any losses incurred due to a disputed assessment, where the C3PAO was found to be in error?

NDIA is also looking for more information on the inner workings of the CMMC AB, where there has been some turnover on the entity's board.

NDIA asks, "While industry recognizes the hard work of the all-volunteer CMMCAB and their commitment to our shared mission, what legal and contractual protections are in place to prevent actual or potential conflicts of interest by Board members? Many CMMCAB members have business interests outside the AB and the DOD itself is bound by strict ethical rules. What rules will apply to the CMMCAB? Will these rules be included in the new Statement of Work agreement between the CMMCAB and the DOD?"

The letter asks if the CMMC AB has considered a model where it hires and trains assessors to work for the accreditation body, saying the model "would allow the CMMCAB more quality control mechanisms over the C3PAOs and ensure consistency in audit performance and price."

NDIA wants more information on the criteria agencies will use to determine CMMC levels and measures to "ensure consistency," and the association asks when guidance will be released on the certification levels to help its members plan for the CMMC pilots.

When it comes to the handling of controlled unclassified information, NDIA asks for an update on DOD's progress in developing a handbook and what training and materials will be available for contractors "for the handling of CUI." The letter specifically asks if there will be online courses on CUI or training materials from the Defense Acquisition University.

The letter also details some of the questions NDIA has about the interim rule released last month that changes DOD's acquisition rules to implement the program, including reciprocity with assessments the Defense Contract Management Agency has conducted to date and the rule's language around NIST Special Publication 800-171.

"NDIA stands ready to discuss our questions in-depth should you so desire," the letter reads. "As our previous engagement on this issue shows, we would be happy to participate in dialogue on the CMMC program, its requirements, and its implementation, to ensure that the program achieves its objectives in a manner that respects the needs and concerns of its stakeholders."