Pentagon plans to formally propose changes to CMMC program ahead of official launch

By Sara Friedman / January 10, 2023

Full implementation of the Pentagon's Cybersecurity Maturity Model Certification program for defense contractors will likely shift to 2024 based on revised estimates from the Defense Department in the fall 2022 unified agenda, which indicates two proposed rules are expected for release in the coming months.

The Pentagon is implementing major changes to its CMMC program coming out of a 2021 internal review and had planned to seek an interim final designation to change defense acquisition regulations.

The unified agenda says the new rule to implement the CMMC program is now a proposed rule and changes to the 2020 CMMC rulemaking, originally released as an interim final rule, will also be issued as a notice of proposed rulemaking. The unified agenda sets a May 2023 release for both items.

“Typically, it takes about a year from the point of publication and imprint for a rule to be final,” contracting attorney Robert Metzger told Inside Cybersecurity. The new rule will likely have significant interest and generate a lot of comments that need to be adjudicated by DOD officials, he said.

Making time for DOD to review the comments is helpful, Metzger said, compared to a potential alternative where reaction to the new IFR is “hostile” and could result in “consequences and a political response that would be contrary to the best interest of the department or its industrial base.”

“The DOD continues to anticipate sending the draft 32 CFR rule to [the White House Office of Management and Budget] in the very near term. However, as DOD has previously stated, the rulemaking process may take up to 24 months to complete,” Navy Comdr. Jessica McNulty, a Defense Department spokeswoman, told Inside Cybersecurity in a statement.

The 24-month timeframe was included in the CMMC 2.0 announcement from November 2021. It’s not clear from the latest unified agenda how DOD will be able to meet that expectation.

McNulty said, “In addition to the 32 CFR rule, a 48 CFR rule will be completed to support implementation of CMMC through DFARS contractual requirements. The objective timeline for implementing contractor compliance with CMMC requirements has been and remains FY-25.”

A third rulemaking to finalize requirements around NIST Special Publication 800-171 is still on track and demonstrates DOD’s continued commitment to securing controlled unclassified information held by defense contractors.

Metzger said, “It is sufficient to have the baseline present of [DFARS clauses] 7012, 7019 and 7020 while we take time to understand, judiciously comment and resolve comments on the proposed rule” for CMMC.

The 7012 clause requires contractors to self-attest compliance with 800-171. Clauses 7019 and 7020 set up additional parameters that make compliance scores available to acquisition officials and provide an opportunity for the Defense Contract Management Agency to review results.

Metzger said, “There is a continued commitment by the department to the importance of protecting controlled unclassified information . . . and there’s nothing to suggest DOD will retreat from its determination for the defense industrial base to protect sensitive but unclassified information.”

Alternative options

The Pentagon makes a case for moving forward with its CMMC proposals in two entries in the unified agenda that offer a “Statement of Need,” legal basis for taking action, alternatives, anticipated costs and benefits and risks.

The new CMMC rulemaking entry says, “DOD considered and adopted several alternatives during the development of this rule that reduce the burden on the DIB community and still meet the objectives of the rule. These alternatives include:

“1. maintaining status quo, leveraging only the current requirements implemented in DFARS provision 252.204-7019 and DFARS clause 252.204-7020 requiring DIB contractors and offerors to self-assess utilizing the DoD Assessment Methodology and entering a Basic Summary Score;

“2. revising CMMC 1.0 to CMMC 2.0 in response to public comments, to reduce the burden for small businesses and contractors who do not process, store or transmit critical CUI by eliminating the requirement to hire a C3PAO and instead allow self-assessment with annual affirmations to maintain compliance at CMMC Level 1, and allowing triennial self-certification with an annual affirmation to maintain compliance for some CMMC Level 2 programs;

“3. exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and

“4. implementing a phased implementation for CMMC.”

The agenda says, “In addition, the Department took into consideration the timing of the requirement to achieve a specified CMMC level: (1) at time of proposal or offer submission, (2) post contract award, or (3) at the time of contract award.”

When crafting the original CMMC rule in 2020, the Pentagon explored and adopted alternatives “that reduced the burden on small entities and still meet the objectives of the rule,” according to the second entry on the OIRA website.

The entry says similar work is ongoing as DOD shapes the revised proposed rule, including consideration of “exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items” and starting a “phased rollout” in which the under secretary of defense for acquisition and sustainment will need to approve inclusion of a CMMC requirement in new DOD contracts.

Metzger said the rule’s benefits outlined in the second entry also demonstrate DOD’s priorities for getting CMMC across the finish line.

The second entry says the proposed rule will improve protection of sensitive DOD information held by contractors through:

* Enabling assessments at the entity-level of contractor implementation of cyber security processes and practices that should already be in place;

* Requiring comprehensive implementation of cybersecurity requirements rather than plans of action to accomplish implementation;

* Verifying DIB sector contractor and subcontractor cybersecurity postures; and

* Reducing duplicative or repetitive assessments of our industry partners through standardization.

Impact on defense contractors

The CMMC program will require defense contractors to pass a third-party assessment of their compliance with NIST 800-171.

Stakeholders at DOD and industry are urging companies to get ready now and not wait until CMMC requirements go into effect.

Metzger said companies that choose to delay are making a mistake in terms of both business judgement and legal compliance.

Metzger said, “On business judgement, every company in the DIB and commercial companies are subject to cyber threats every day including the still virulent threat of ransomware. I see this in the self interest of every company to make measures consistent with the cyber DFARS to improve their defenses against such threats and enhance their resilience to make companies more robust.”

The Pentagon’s acquisition office in June 2022 issued a memorandum to acquisition officials reminding them of the current NIST 800-171 standard and potential remedies for non-compliance.

The 7012 requirement “is a current real and present contract obligation which companies assumed as matter of law when they bid on and accept contracts that include the clause,” Metzger said. The use of a third-party assessment doesn’t eliminate “the underlying compliance obligation, that’s already in place,” he said.