The Aerospace Industries Association is urging its members to achieve the current cyber requirements in defense contracts regarding National Institute of Standards and Technology Special Publication 800-171 and accompanying documentation as uncertainty continues over when the Pentagon's Cybersecurity Maturity Model Certification program will launch.
The Pentagon announced a revamp of its CMMC program in November 2021 that streamlines the number of maturity levels from five to three and will allow contractors to submit a plan of action and milestones.
At the time, an advanced notice of proposed rulemaking said to expect two rulemakings: one to implement CMMC 2.0 and another to finalize changes to the Defense Department's acquisition rules published as an interim final rule in September 2020.
Defense officials initially announced plans to issue the first rule in March 2023, but deadlines have shifted significantly from that timeline and it’s not clear when the rulemakings will be submitted to OMB to start the Office of Information and Regulatory Affairs review process.
Both rulemakings are now expected to be “proposed rules,” which will also delay the time for CMMC requirements to go into effect.
“It would be 100% wrong for any contracting officer to be pushing any supplier to be CMMC compliant because they can’t right now without the rulemaking in place. The interim final rule brought CMMC to life in 2021 but DFARS 7021 was a half-page that didn’t say much and then the government realized there was a bigger effort they needed to put forward to actually make CMMC real,” AIA’s Jason Timm said in an interview with Inside Cybersecurity.
“That’s why all of our primes and companies are being told it’s OK to pay attention to CMMC and read about what is going on but put your focus on the [Defense Federal Acquisition Regulation Supplement] 7012 clause if you have it in your contracts, and DFARS 7019 and 7020 from the interim final rule," Timm added. "Companies should work toward compliance with the 110 controls in NIST 800-171 and upload their score into the Supplier Performance Risk System.”
Companies need to have a system security plan and a plan of action and milestones under the original DFARS 7012 clause requirement. Under CMMC 2.0, defense officials have said there will be a 180-day deadline to close out POA&Ms. Timm said AIA supports the deadline.
“The 180-day mark matches up with some other contracting timelines within a new contract award," he said. "It’s good to have that timeline there because having a timeline is necessary for some entities to work to completion on some POA&M items.”
Meanwhile, the Pentagon and the Cyber Accreditation Body are urging companies to sign up for a joint surveillance voluntary assessment where an approved and certified third-party assessment organization will review a company’s compliance with NIST 800-171 with oversight from the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center.
The intent is for companies who achieve a DIBCAC High assessment to get those converted into a three-year CMMC certification when the rules go into effect. However, CMMC leader Stacy Bostjanick has said that could change as the rules go through the Office of Information and Regulatory Affairs review process.
“Our understanding is the joint surveillance assessment is a Cyber AB-centered event with DOD supervision," Timm said. "It will ultimately cost money for the contractor to have a C3PAO come in and do that assessment whereas in the current state DCMA’s DIBCAC will come in and do that NIST 800-171 assessment with the manpower they have.”
Timm added: “Some large companies and the primes are doing it because they see it as being the guinea pigs for the C3PAO and DIBCAC team to assess their networks and give the C3PAOs some additional training. It is probably less of a burden from a resources standpoint than a small company to request a joint surveillance assessment.”
Timm, AIA’s director for defense policy integration, identified two areas where his association would like to see more clarity from DOD.
First, he said AIA wants information on the timeline for CMMC implementation. The interim final rule set up a five-year rollout through the end of fiscal year 2025 and required the Pentagon’s acquisition and sustainment office to pre-approve CMMC language in solicitations for defense contracts through the rollout period.
“Under 1.0,” Timm said, “we were pleased to see an implementation period in the interim final rule with a five-year ramp up that started with pathfinders, then pilots that would start increasing in quantity over a five-year period.”
The Cyber AB currently has 38 authorized C3PAOs on its marketplace who will be able to conduct CMMC assessments and are being utilized now for the joint surveillance program. Timm called the number “fairly robust,” while acknowledging “it’s probably not ready for primetime so DOD should create an implementation ramp of some sort” for CMMC.
“DOD would need to work closely with the Cyber AB to determine what that ramp timeline should be and the quantity of programs to facilitate the Cyber AB’s marketplace to be able to respond and adapt to the implementation period,” he said.
“We heard snippets last year but nothing concrete on DOD’s plan for that," Timm added. "That’s one thing we are looking forward to seeing when the CMMC rules come out.”
Second, Timm said DOD should provide more information on controlled unclassified information.
“Controlled unclassified information plays a pivotal role in everything going on here,” he said. “In one part, there is the flow down between the primes and the subs. We are always talking with our membership, including the primes and the subs, on what level of the supply chain does the CUI need to flow.”
Timm said the discussion centers on “what is the right level of flow down or can the prime hold CUI and still get appropriate work done through their subs and supply chain without flowing CUI.”
He added: “The other part we have been talking about for years is the definition, identification and marking of CUI to industry. That’s a hard thing for the government to work through and we are always eager to participate in any kind of events they want to put on such as a demo or war game or tabletop exercise on the definition, identification and marking of CUI.”
The Defense Industrial Base Sector Coordinating Council conducted a CMMC tabletop exercise on the handling of CUI in June 2022, which found more work is needed to determine how DOD will classify controlled unclassified information and the required maturity level needed for defense suppliers in contracts.
The DIB SCC is composed of large defense primes, trade associations and other companies considered part of defense critical infrastructure.
Timm joined AIA in 2015 following a 22-year career in the Air Force focused on acquisition policy.
Based on his experience, Timm said he thinks “government and industry contracting officers and program managers need to discuss exactly what is CUI on those individual contracts and does it make sense for certain information to be classified as CUI.”
He added: “For me, it is a conversation that should not be unilateral. It should not be something government just hands to industry. It should be a conversation to actually get a better understanding of what the government is looking for in the information they want to protect.”