Industry groups seek more transparency around Pentagon cyber certification program

By Sara Friedman / September 10, 2021

The Defense Department needs to become more transparent about its work on the Cybersecurity Maturity Model Certification program, according to an industry letter to Pentagon leaders raising concerns over a lack of communication and other issues.

"We believe it is important for the Department to remain publicly committed to the CMMC program to underscore the program's importance for national and supporting global cyber ecosystems," the coalition led by the Information Technology Industry Council said in a letter to Pentagon officials on Wednesday.

"This public commitment should be communicated promptly and is particularly important in the context of the Department's continued internal review, updates to [Supplier Performance Risk System] tracking and reporting, and the pending publication of the Government Accountability Office's (GAO’s) report on CMMC," the letter reads. "Without a statement of support for cybersecurity assurance, we are concerned that some companies may continue to delay implementation of important security practices pending an understanding of the final requirements."

The letter is signed by ITI, the National Defense Industrial Association and the Professional Services Council.

The groups sent the letter to Deputy Defense Secretary Kathleen Hicks, who ordered an internal review of the CMMC program in March, and other DOD officials including acting Pentagon acquisition chief Gregory Kausner; acting DOD Chief Information Officer John Sherman; Jesse Salazar, deputy assistant secretary for industrial policy; Army Lt. Gen. David Bassett, director of the Defense Contract Management Agency; and John Garstka, acting chief information security officer for acquisition and sustainment.

The letter specifically addresses the review, saying: "While we understand that the transition to new senior leadership often leads to a review or assessment of existing programs, it has also highlighted the increased need for frequent and transparent bilateral communications between DOD and industry regarding cybersecurity regulation, assessment products, and programs. The lack of clarity during the review process has increased uncertainty throughout the [defense industrial base] and among commercial vendors seeking to provide covered commercial items."

The associations argue changes to CMMC could "conceivably impact the timeline, scope, and manner of implementation for program requirements." The letter also addresses the uncertainty facing "contractors, subcontractors, and suppliers," who, the groups say, "may defer substantial investments pending communication and greater certainty about the program's requirements."

The letter identifies three areas for concern: the "need to standardize and improve the marking practices for the Department's [controlled unclassified information] requiring protection and dissemination instructions"; "the Department may be reviewing outdated/static information" since the interim final rule came out in September 2020; and the need to create a "coherent strategy" that addresses reciprocity "between analogous domestic and international cybersecurity mandates, frameworks, and standards."

The groups say, "If there will be significant changes to CMMC, we encourage DOD to share those changes via a proposed rule rather than an immediate final rule. We also encourage DOD to conduct virtual public hearings if the Department contemplates material changes to the present structure and methods. Such steps would demonstrate to industry that DOD is receptive to new perspectives and aware that input in the fast-moving IT industry may have changed since late 2020. It would also alleviate some of the uncertainty that the ecosystem is facing while the Department completes the adjudication of received comments."

When it comes to reciprocity, the associations specifically refer to the General Services Administration's FedRAMP program and the Cloud Computing Security Requirements Guide (SRG) from the Defense Information Systems Agency.

On the commercial side, the letter encourages the Pentagon to take into consideration standards developed by the American Institute of Certified Public Accountants for auditing and "recognition of commercially viable methods of validating cloud security."

The letter proposes several ways to "better support the evaluation of potential modifications to the CMMC program, the assessment practices, or the operational procedures":

1. Regularly engage with industry.

2. Standardize and improve the marking practices for DoD CUI requiring protection.

3. Harmonize CMMC and related contractual clauses with existing and future cybersecurity directives.

4. Clarify Inter-Governmental Authorities for Implementing CMMC and Related Cybersecurity Requirements.

5. Provide additional implementation guidance and support for small businesses.

6. Evaluate and clarify remaining policy and process questions around the implementation of DFARS.

The groups expand on the recommendations in the letter with details on how the Defense Department can improve communications with industry and provide additional clarity to stakeholders.

On support for small businesses, they write: "The delay in implementation requirements and a protracted program review have caused great confusion across industry and have negatively impacted small businesses who do not know how to budget for an assessment against an undefined program scope. In the case of [the Defense Federal Acquisition Regulation Supplement] and CMMC, compliance costs are a specific concern of small businesses due to their size and scale to remain competitive in the marketplace. For many small businesses, both engaging directly with DOD and working as sub-contractors, recouping CMMC costs will depend on the successful contract award. This uncertainty creates a disincentive for small businesses to participate in firm fixed price contracts."

The letter makes recommendations to support small businesses:

"To alleviate some of the burden on small businesses, the Department should provide them with additional implementation support and guidance. For example, solutions could include 1) specific assistance and incentives to offset the cost of implementation, such as a Cybersecurity as a Service program, 2) recommendations to the services and prime contractors to leverage existing certified technologies to limit the exposure of CUI to the small business contractor, or 3) reducing the burden of the assessments for small businesses operating at Levels 1 and 2."

The associations call for "harmonization" of new security requirements, specifically referring to President Biden’s May cybersecurity executive order, a recent request for information from the Department of Homeland Security for a "vendor cybersecurity assurance program similar to CMMC," and potential actions in Congress through the fiscal year 2022 defense authorization bill and other legislation.

They write, "Governmental mandates like these call for centralization with considerations for conditions under liability protection and criteria over negligence instead of retaliation for intrusions. An accord across agencies, services, and at program levels will strengthen our nation's defenses and avoid divergence of national security, critical infrastructure, and civilian security. Ultimately, the harmonization of existing and future cybersecurity directives will move the administration closer towards its goal of coherent information and cybersecurity risk management."