Tech group seeks clarity on rate of return to enter defense industrial base as CMMC program faces delays

By Sara Friedman / May 9, 2023

More tech companies are interested in joining the defense industrial base, according to Ross Nodurft, who leads the public-sector-focused Alliance for Digital Innovation, but uncertainties over how much it will cost to comply with the upcoming Pentagon cyber certification program that has faced delays is a top concern.

ADI represents some of the leading technology companies and service providers who do business at the federal and state levels. Nodurft, ADI’s executive director, told Inside Cybersecurity acquisition policy is a top priority as well as IT modernization, best practices like zero trust, and workforce issues.

The Pentagon’s Cybersecurity Maturity Model Certification program is a major shift in how the Defense Department will accept cyber risk and has faced delays due to an internal review and subsequent internal work at the Pentagon to craft regulations for implementation.

A proposed rule to change Title 32 of the Code of Federal Regulations is expected this year, but CMMC leader Stacy Bostjanick has said the rulemaking is still in the “deliberative process.” It’s currently unclear when it will be sent over to OMB’s Office of Information and Regulatory Affairs Office to start the interagency review process.

“We need to have a robust ecosystem in place to work with the Department of Defense," Nodurft said. "The risk associated with some of the compliance requirements, people are waiting to see how CMMC is fully rolled out.”

“Some of our member companies have spoken with other folks who they partner with in the commercial space who are looking to go into the federal marketplace, and there has been some hesitancy to dive in because they need clarity on what the CMMC compliance levels look like,” Nodurft said.

“And then,” he added, “they need to do the cost-benefit analysis of how many dollars it would take to make sure they are compliant and the additional amount of dollars to be assessed, audited, and have that compliance kept up to speed regularly.”

Compliance costs could include re-engineering or creating a new work environment, according to Nodurft. On top of that, he said, there’s the question of how often the CMMC requirements will be updated and what reinvestments will be needed to meet new mandates.

Nodurft said ADI members want to make sure those investments and compliance are “actually buying more security” versus creating “peace of mind for DOD.”

“It’s important as the department wrestles long term to really take into consideration what is cost for the military departments and agencies to ask for level three or level two, and whether it is going to be a race to the top where military departments are saying everything should be level three because that’s the easiest path forward,” he said.

CMMC level two aligns closely with NIST Special Publication 800-171, while level three is expected to add on additional controls from NIST SP 800-172 that address advanced persistent threats. DOD is currently focused on level two and hasn’t put out details on what will be required under level three.

Nodurft said ADI is interested in learning more about how DOD will determine the flow down in contracts for holding controlled unclassified information and the CMMC level that will be required for subcontractors.

Establishing reciprocity between CMMC and other regimes, such as the General Services Administration’s FedRAMP program, is another priority, according to Nodurft.

“The more we can think through reciprocity for the compliance regimes, the more inclined we will see an environment tech firms will want to invest in," he added. "If you are able to do one thing once and reuse it, it will make people more inclined to invest in the requirements and make sure they are able to operate in the federal space to include CMMC” and other federal programs.