Bostjanick: CMMC program moves forward as 'deliberative' process for rulemaking continues

By Sara Friedman / January 23, 2023

Companies should continue preparing for the launch of the Pentagon's Cybersecurity Maturity Model Certification program as the process to finalize rulemaking continues, according to program director Stacy Bostjanick, who spoke with Inside Cybersecurity in a wide-ranging interview.

“We are currently in the deliberative process and hoping to move into formal rulemaking imminently,” Bostjanick said. There are three rules in process -- one to finalize the NIST Special Publication 800-171 requirements in the 2020 interim final rule and two to implement the CMMC program.

The first CMMC rule will change Title 32 of the Code of Federal Regulations, followed by an update to the 2020 interim final rule that amended Title 48 of the CFR and put in place regulations for the initial CMMC program.

The 32 CFR will “describe the program” and implementation, Bostjanick said. The 48 CFR rule “applies it contractually” in the Defense Department's acquisition regulations, she said.

Bostjanick pushed back against new details in the fall 2022 unified agenda that say the two rules will be proposed, not interim final.

She said, “I’m praying for an interim final but we don’t know yet. We haven’t gotten the determination from [the White House Office of Management and Budget]. I think the rule has to be in formal” rulemaking at OMB “before we get the final determination from them but we have been in discussions with them back and forth.”

She added, “It will be a while before we get” to that determination.

“Undoubtedly,” Bostjanick said, “there has been a lot of confusion between CMMC and DFARS 7021 clause. Companies are required today to be compliant with 800-171 and so companies need to get on top of it.”

“They need to be moving towards compliance because here in the near future once CMMC goes through the process, they are going to be required to demonstrate that compliance before they can garner an award of a contract that holds controlled unclassified information. So, there is no time like right now to comply, to figure out what you need to do,” Bostjanick said.

Bostjanick highlighted several free services that DOD offers today to help companies become compliant including programs around “access control,” “awareness and training,” and “incident response.”

The DOD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) provides an access control service as well as a program for “accountability and accountability,” Bostjanick said. For awareness and training, she pointed to the Blue Cyber initiative, IronNet and Project Spectrum as organizations that provide “free assistance.”

Bostjanick said there will be a “sheet” on the DOD CIO website “hopefully soon” with details on the different programs and who to contact.

Joint surveillance voluntary program

Meanwhile, DOD's initiative to allow companies to obtain a credential that will convert into a CMMC certification when the rule goes into effect is moving forward.

The program allows an authorized certified third-party assessment organization to conduct the examination on compliance with NIST 800-171 with oversight from the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center. Bostjanick said 10 assessments have been completed so far.

"It is working and it’s going well," she said. "We have gotten a lot of positive feedback. Industry has been heartened by these. At first, they were afraid they were going to be a huge ‘gotcha’ and the C3PAOs were going to be over the top and trying to inflate the cost.”

“And everyone that I’ve talked to so far, they’ve negotiated a deal they are comfortable with and the joint surveillance program went very smoothly,” Bostjanick said.

The “intent” is for the joint surveillance to be good for a “minimum of three years,” she said, and when the CMMC goes through the rulemaking process, “we would turn that into a CMMC level two certification as long as the company has continued to do their annual affirmation, then it would be CMMC level two certification for an additional three years.”

However, Bostjanick said the acceptance of the joint surveillance assessment is subject to change as the rulemaking is finalized.

Role of managed service providers

Bostjanick addressed the role of managed service providers and how they will be able to help companies reach compliance with CMMC.

“For managed service providers that are dealing with 800-171, we are straddling the fence," she said. "We’ve put together a plan of what body of evidence we would need to see from the CMMC perspective, which I can’t talk about because it is in the rule.”

DCMA has created its own process for using managed service providers, and Bostjanick said there could be a correlation with the formal CMMC program.

DOD is working through the Defense Industrial Base Cybersecurity program to help small and medium companies, Bostjanick said: “We’ve reached out to some of the tool and cloud service providers and asked for their assistance to provide us a low cost 800-171 compliant capability that a small or medium could just pick up and implement in their spaces.”

However, she said there’s still a “handful of requirements that a company is just going to have to do themselves” in terms of physical security and policies and procedures for implementation.

Bostjanick said there are discussions with companies like Microsoft, Google, Amazon Web Services and IBM on “different ways we can crack this nut” to help companies reach compliance.

Assessment guides and CMMC level three

Industry stakeholders are eagerly awaiting updates to the CMMC assessment guides for levels one and two after noticing changes on the Pentagon’s DOD program website.

“We are working those,” Bostjanick said. “I think they will not probably be posted until such time that the rule goes out for public comment just because of the fact that we don’t want to get crosswise with the rulemaking.”

DOD has figured out how many additional practices from NIST Special Publication 800-172 will be required in CMMC level three, but Bostjanick declined to provide a specific number.

“Our perspective is there is a baseline that needs to be achieved for level three,” she said, while adding that DOD programs with CMMC requirements can also determine if additional controls should be included in their contract solicitations.

The CMMC program office has held off on providing any details on level three requirements so far, choosing to focus first on implementing levels one and two.

DOD initially planned out to roll out CMMC over a three-year period. Bostjanick said details on the rollout will be in the CMMC rule.