Professional Services Council raises concerns over implementing CMMC program through contracting supply chain

By Sara Friedman  / January 16, 2024

The Professional Services Council supports the Pentagon's plan to allow self-assessment for less sensitive information held by defense contractors under the Cybersecurity Maturity Model Certification program, while recognizing that contracting officers could still opt for a higher security level than needed to ensure adequate protection of the information on nonfederal systems.

The Defense Department confirmed its plan for CMMC 2.0 in a Dec. 26 proposed rule to remove the third-party certification requirement for level one and some contracts under level two. The rulemaking amends Title 32 of the Code of Federal Regulations to implement the CMMC program.

“What I’m unclear about and worried about is whether any contracting officer would actually use that lower tier and what would be the basis and the criteria for having that be the requirement for a contract,” PSC president and CEO David Berteau told Inside Cybersecurity.

CMMC level one is focused on federal contract information and level two concerns controlled unclassified information.

PSC represents a broad range of contractors who do business with the federal government. In PSC’s experience, Berteau said, contracts and contracting officers “tend to want to have less risk, rather than more risk, and my concern is one of the ways they reduce risk from their perspective is to require a higher level of certification.”

Berteau added, “And so one of the big questions we have at the front end is, what are the incentives and motivations, what are the criteria and how would those criteria be applied for what level of security is required in a contract.”

DOD needs to consider where the risks are when determining what is CUI, Berteau said, recognizing that there is a difference between “technical data packages for high-end weapon systems” and companies doing business with deployed forces who provide “food, fuel or logistics support.”

The CMMC proposed rule estimates 63% of contractors with CMMC requirements will fall under maturity level one. A small subset of contractors under level two, 4,000 companies or 2%, will be eligible for a level two self-assessment.

Thirty-five percent of contractors will need a level two certification, according to the rule. DOD identifies 1,487 entities, or 1% of companies, that will qualify for a CMMC certification assessment under level three.

The definition of CUI and the application of the definition “at the contract level and at the task order level is all over the map,” Berteau said. It should be “both consistent and predictable in order for a company before it bids to know what level of security it needs to have and how it is going to apply that level of security,” he added.

Berteau said, “We have a long way to go before we have both the precision or fidelity on those questions. That’s not really addressed by the proposed rule. This proposed rule sort of assumes stable, predictable CUI marking and application across the department that frankly is not there yet.”

“However,” Berteau said, “it’s quite possible a CMMC rule like this will serve as a forcing mechanism to bring some of that consistency and predictability to the CUI universe.” The government has to decide what is CUI, Berteau said, not the contractor.

DOD is working on a second CMMC proposed rule that will make changes to the department’s acquisition rules.

Berteau said he was pleased that the December rulemaking was a proposed rule because of how “complicated it is and all of the questions that are going to be raised about it. It’s important that it not be implemented until it’s been through a pretty thorough round of comments and hopefully improvements that result from those comments.”

He noted that there are “a lot of moving parts in the contractor cybersecurity arena that are not static,” pointing to ongoing work to update NIST Special Publication 800-171.

“Other agencies, civilian agencies, are putting out their own guidance and incorporating their own procedures into play without it being clear that this will all be coordinated across the federal government, this integrated approach,” Berteau said.

Berteau said, “Companies that have to comply with multiple regimes face some real challenges here, and statutes keep evolving. The [fiscal 2024] National Defense Authorization Act had quite a number of provisions affecting contractors in the cybersecurity arena and I would expect the same will be true in next year’s bill.”

DOD is accepting public comments through Feb. 26 on the proposed rule and eight accompanying draft guidance documents.