Industry sees opportunity for greater transparency on CMMC rollout under new Pentagon leadership structure

By Sara Friedman  / February 4, 2022

Transitioning the Pentagon's Cybersecurity Maturity Model Certification (CMMC) program to the Defense Department chief information officer's portfolio could have a positive impact on DOD efforts to engage with industry, according to a major trade association.

“The most important thing in the short term will be communicating with industry more on the timeline and what their plan is going to be,” said Gordon Bitko of the Information Technology Industry Council. His group wants to get more details on “when we can expect to see the rulemakings and what the process will be” for rolling out the acquisition requirements, Bitko told Inside Cybersecurity.

Deputy Defense Secretary Kathleen Hicks issued a memorandum on Tuesday moving oversight of the CMMC program from the office of the under secretary of defense for acquisition and sustainment to the DOD CIO. The move is part of an effort to improve the alignment of cybersecurity initiatives across the Pentagon.

Bitko said communications with industry on the initial pilot contracts and how DOD will handle which companies “need to be audited versus self-attestation” are “critical” areas where industry wants more detailed information.

“At the same time, it will be important for the CIO to have listening sessions to understand in some more detail from our members and all of the other companies in the industrial base that are impacted on the challenges so far, what’s worked, what hasn’t worked and really incorporate that feedback as judiciously as possible,” Bitko said. Bitko is ITI’s senior vice president of policy for the public sector.

ITI, the National Defense Industrial Association and the Professional Services Council sent a letter in September to DOD asking for more transparency and “for the department to remain publicly committed to the CMMC program to underscore the program’s importance for national and supporting global cyber ecosystems.”

At the time, the program was under an internal review. That process concluded in November with the announcement of CMMC 2.0, which introduced several changes to the maturity model and assessment requirements.

The letter said changes to CMMC could “conceivably impact the timeline, scope, and manner of implementation for program requirements.” The letter emphasized the uncertainty facing “contractors, subcontractors and suppliers” who the groups said “may defer substantial investments pending communication and greater certainty about the program’s requirements.”

DOD has committed to not putting mandatory CMMC requirements into contracts while the 2.0 efforts go through the rulemaking process, which could take anywhere from nine to 24 months. In the interim, DOD is considering creating an incentives program for companies to voluntarily obtain a CMMC certification.

PSC said on Wednesday, “Regarding the internal Defense Department organizational placement of CMMC 2.0 responsibility, PSC notes that the cyber security threat continues to grow and that additional actions are needed. Changing the organizational alignment of the CMMC office within OSD is useful to the extent that it increases recognition that current government policies and actions in cybersecurity a) need to include both government systems and contractor systems and b) should extend beyond DOD to include the rest of the federal government.”