With two rulemakings expected at the end of 2022 to formally kick off the Defense Department's Cybersecurity Maturity Model Certification program, contracting attorney Robert Metzger says the development of incentives to encourage military contractors to invest now in CMMC preparation is critical but the process is complicated.
“We don’t really know the schedule of what DOD is going to do when,” Metzger said reflecting on the upcoming rulemaking changes to the Pentagon’s CMMC program. He added, “My latest read is that they are not expecting to put out new interim rules until the end of this year” based on the Fall 2021 Unified Agenda of Regulatory and Deregulatory Actions.”
“If that is correct, it implies there is an enormous amount of work to be done at DOD to resolve many of the questions that have surfaced since the announcement of [CMMC] 2.0, and to then document the resolution in proposed rules and seek their approval,” Metzger said.
DOD announced major changes to its CMMC program in November 2021, and said there will be no CMMC requirements in defense contracts until the rulemaking process is complete. DOD estimates the rulemaking process could take anywhere from nine to 24 months.
If the two rulemakings are released in December 2022, Metzger said the earliest they would go into effect is March 1, 2023, which he said means there will be “13 months before any assessment is required on any contract. And there is reason for concern many companies will see this interval for 2.0 to do little or nothing.”
“The problem is that none of the threats that explain the CMMC initiative go away," he added. "The trends, the nature and variety and success of threats have arguably gotten worse since CMMC started.”
Metzger spoke with Inside Cybersecurity on the potential incentives for companies to encourage preparation for CMMC now. He is the co-chair of law firm Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group, and a co-author of MITRE’s “Deliver Uncompromised” report.
First, Metzger said DOD could decide to provide an option for “adjusting profit on weighted average guidelines” on contracts. However, this would only help a “subset of companies that have negotiated forward pricing rate agreements and whose contract awards are subject to negotiation under the weighted average guidelines.”
The second possibility is providing an “evaluation credit” for companies that have specific qualifications for cyber credentials, Metzger said, citing certifications from the International Organization for Standardization, the Cloud Security Alliance and HITRUST as examples.
However, DOD could run into problems using credits because of the Paperwork Reduction Act, “which essentially limits to a very small number the request or demand for records by the government without approval” by the OMB’s Office of Information and Regulatory Affairs, according to Metzger.
DOD could work around requiring the production of information on credentials by “essentially asking for answers on qualifications. DOD has a right to define its requirements for a contract,” he said.
DOD “often asks about many things” for a “management or technical” evaluation “to make sure it selects the best among the offerors,” Metzger said, adding “cybersecurity is an important attribute of any company doing business with the department” which makes these kinds of questions in scope.
The third option is for DOD to issue a contract award that includes the evaluation of a company’s cyber credentials as a contract deliverable requirement after a contract starts, according to Metzger. He said DOD could ask for a company’s “system security plan,” “system self-assessment” and a plan of action and milestones (POA&M) as well as a follow-up report “every three or six months as to how you are doing.”
Current DOD cyber standards
As part of the CMMC interim final rule, the Defense Department established a process to require companies to submit their scores for compliance with NIST Special Publication 800-171 to DOD through the Supplier Performance Risk System.
The process was intended to be a placeholder while DOD rolled out the CMMC requirement in all DOD contracts over a five-year period. When the CMMC program was updated in November 2021, DOD rolled back 20 extra controls from maturity level three to align the publication with NIST 800-171.
DOD sought emergency clearance for an information collection on NIST 800-171 compliance as part of the rulemaking preapproved days before the CMMC interim final rule was issued.
DOD explained in September 2020:
This collection of information is needed prior to the expiration of the time periods normally associated with a routine submission for review under the provisions of the Paperwork Reduction Act, to enable the Department to immediately begin assessing the current status of contractor implementation of NIST SP 800-171 on their information systems that process CUI. Defense contractors have not fully or consistently implemented the NIST SP 800-171 security requirements on their covered information systems. Authorizing collection of this information on the effective date will motivate defense contractors and subcontractors who have not yet implemented existing NIST SP 800-171 security requirements, to take actions to implement the system security requirements on covered information systems that process controlled unclassified information. The aggregate loss of sensitive controlled unclassified information and intellectual property from the DIB sector could undermine U.S. technological advantages and increase risk to DOD missions.
Metzger said the SPRS information provided today are currently “binary answers” in six areas and DOD asks for the total score instead of the full NIST 800-171 assessment results.
However, DOD officials could change their minds and announce that they will use the scores submitted and the date companies provide for when they are going to close POA&Ms as part of a “technical or management evaluation of [the contractor’s] competitive negotiated proposal,” according to Metzger.
Use of this information would create “reason for concern” for companies that have not done a “good job” determining their score or “misled the government,” he said.