Defense industry tabletop exercises show gaps in understanding certain CMMC requirements

By Sara Friedman  / March 15, 2021

Tabletop exercises conducted by the National Defense Industrial Association in coordination with Pentagon cyber certification leaders found areas of improvement are needed to clarify CMMC requirements for industry around operational technology and the marking of controlled unclassified information.

NDIA ran three tabletop exercises for its members over the past few months focused on different aspects of the Defense Department's Cybersecurity Maturity Model Certification process. The first tabletop explored what a company needs to do to become compliant with CMMC and implement the standards outlined in National Institute of Standards and Technology Special Publication 800-171.

Corbin Evans, principal director for strategic programs at NDIA, told Inside Cybersecurity the first tabletop "went really well" and was aided by being "the part of the puzzle where there is the most information from DOD and the CMMC Accreditation Body."

The second tabletop explored the "impact of the CMMC program on operational technology versus IT," Evans said. Contractors are increasingly making their manufacturing shop floors more "connected to their IT as the manufacturing practice gets increasingly more computerized," Evans said.

"There have been a lot of conversations on CMMC implementation on the IT side for a traditional services company, software or non-manufacturing focused company," Evans said. "There has not been much discussion on how the CMMC program would work in a manufacturing environment."

Evans said the second tabletop involved "a lot of discussion" but "not a lot of answers."

John Ellis from the Defense Contract Management Agency participated in the second tabletop exercise, according to Evans. Ellis "talked through some of the current audits" at DCMA's Defense Industrial Base Cybersecurity Assessment Center, Evans said, and "what they have done in situations on manufacturing in shop floors at this point."

Evans called information provided by Ellis "really solid and helpful to clarify folks' understanding" of CMMC and to answer specific questions.

The third tabletop exercise focused on CUI and also generated a lot of questions from NDIA members.

The exercise explored the "definition of CUI" and "the flow of CUI through prime contractor down to subcomponent, subcontractors and through the supply chain," Evans said. Representatives from the National Archives and Records Administration participated in the exercise along with CMMC leaders from DOD.

Evans said the discussion looked at "complicated issues" around "identifying CUI, marking CUI and understanding on the DOD officer program manager side how CUI is going to flow through the performance of a contract."

The exercise also gave DOD some new questions to address "on the way they plan to educate contracting officers and program managers about understanding the way contractors use CUI, interpret CUI and use CUI as a part of performing a contract," Evans said.

NDIA will conduct its fourth tabletop exercise on Tuesday, exploring "contract closeout and responding to a cyber incident," Evans said. The exercise will look at "what to do and what are the requirements included within the CMMC program to essentially ensure contractors are responding adequately to cyber incidents," Evans said.

DCMA's Ellis will participate in the contract closeout exercise along with Keith Nakasone from the General Services Administration and "some industry partners," according to Evans.