Senate defense policy bill directs GAO to produce report on CMMC reciprocity

By Sara Friedman  / July 21, 2022

Senate Armed Services Committee leadership is asking the Government Accountability Office to "conduct an assessment on the incorporation of reciprocity" into the Pentagon's Cybersecurity Maturity Model Certification program, in the chamber's latest version of the fiscal year 2023 defense authorization bill.

The assessment follows up on a cyber subcommittee hearing in May 2021 at which Defense Department officials provided an update on the CMMC program. At the time, the Pentagon was conducting an internal review, and Jesse Salazar, then deputy assistant secretary of defense for industrial policy, talked about reducing the burden on small businesses and establishing reciprocity with other government standards.

The Pentagon announced the conclusion of the review in November 2021, along with a substantial revamp of the program called CMMC 2.0.

The full text of the defense policy bill was filed Monday by committee Chairman Jack Reed (D-RI) and Ranking Member Jim Inhofe (R-OK). Plans for consideration on the floor have not been announced.

The report accompanying the bill says the committee has “continued interest in the successful implementation of the Cybersecurity Maturity Model Certification (CMMC) process at the Department of Defense. The committee has consistently raised concerns about needing to improve the cybersecurity of the defense industrial base (DIB), balanced with the needs of small and medium-sized businesses.”

The report continues, “As such, the committee applauds the department for the recent efforts to modify the CMMC requirements to a risk-based approach that addresses a range of concerns that were provided to the Department.”

“However,” the report says, “the committee is concerned that the current CMMC regulations still do not clearly address CMMC compliance for commercial-off-the-shelf technical and software component solutions. Further, the committee is concerned that there was no consideration of providing reciprocity to elements of the DIB that have already achieved some level of Federal Risk and Authorization Management Program (FedRAMP) certification. The committee believes the department can take some additional steps to achieve greater CMMC compliance for the DIB.”

“The committee directs the Comptroller General of the United States to conduct an assessment of the Department’s incorporation of reciprocity in the CMMC process. The assessment shall also include what steps the Department of Defense is taking to provide a general CMMC certification for commercial off-the-shelf technology that may be used by small businesses as their primary information technology systems,” according to the report. The comptroller general leads the Government Accountability Office.

“The assessment shall include a comparison of how the CMMC certification model includes requirements for FedRAMP certification,” the report says. “The assessment shall also investigate what additional costs may be associated with CMMC compliance if a member of the DIB already has achieved a similar FedRAMP certification level.”

Specifically, the committee asks GAO to “provide a briefing on preliminary observations to the congressional defense committees not later than February 1, 2023, with a final report to follow on a mutually agreed date.”

The Senate bill also includes a provision that would require DOD contractors to submit a Software Bill of Materials (SBOM), and new authorities for U.S. Cyber Command to play an active role in addressing critical infrastructure attacks by “foreign powers.”

The House Armed Services cyber subcommittee sought to include a CMMC report in its version of the defense policy bill, but the provision was left out of the full committee’s mark-up of the legislation and was not considered on the House floor. The subcommittee’s provision focused on “DIB cybersecurity,” and one component addressed the Pentagon’s decision to move the CMMC program from the office of the under secretary of defense for acquisition and sustainment to the office of the DOD chief information officer.

GAO released its first report on CMMC in December 2021 to fulfill a requirement from Congress in the FY-21 National Defense Authorization Act. In last year’s NDAA, Congress directed DOD to produce a report within 90 days detailing DOD’s rulemaking processes, budget needs, a plan for “communication and coordination with the defense industrial base,” and coordination between DOD and other federal agencies.