Tech group looks to upcoming defense acquisition rulemaking for details on incorporating CMMC requirements into contracts

By Sara Friedman / January 17, 2024

The Information Technology Industry Council anticipates details on incorporating acquisition requirements for contractors under the Pentagon's Cybersecurity Maturity Model Certification program will come in the next rulemaking for the initiative, which will focus on making changes to the Defense Department's acquisition regulations.

The Defense Department is working on two rulemakings to implement the CMMC program, starting with one to amend Title 32 of the Code of Federal Regulations that was published Dec. 26 as a proposed rule. A second rule to amend Title 48 CFR would make changes to the Defense Federal Acquisition Regulation Supplement and is expected this year, according to the fall 2023 unified agenda.

“We were pleased to see the department release this first rule because it shows the department is still committed to improving the security of the defense industrial base,” ITI’s Leopold Wildenauer told Inside Cybersecurity, calling it “a major milestone in taking the next step toward getting the program up and running.”

Wildenauer is senior policy manager for ITI’s public sector team.

“It’s important to remember a lot of the details will also come down to the Title 48 CFR rule which . . . will be equally as important, if not more important, in terms of how exactly the requirements from this rule will be implemented in the procurement context, which is one of the main pillars and one of the main aspects of CMMC,” he said.

The first CMMC 2.0 rulemaking formally laid out changes announced in November 2021 to the CMMC program following an internal review. The original CMMC rulemaking, published in 2020 as an interim final rule, added three new DFARS clauses with cyber requirements for defense contractors including CMMC.

The proposed rule to update DFARS was submitted Dec. 20 to the Defense Acquisition Regulations Council and will be discussed today at a council meeting, according to the latest open DFARS case status publication.

Wildenauer said “a lot of the content” in the 32 CFR rule aligns with changes DOD announced in 2021.

“The key elements that were communicated as part of this change are reflected in this rule,” he said. “It retains this tiered structure. It does retain the three levels, it also contains some information on the reciprocity with other frameworks and it also defines the scope which is something we have asked for, and it clarifies the scope which is something we have asked for in previous iterations.”

“We were pleased to see DOD keeps moving forward with this rule and we look forward to providing feedback on this rule and the Title 48 one when it comes out,” Wildenauer added.

ITI is supportive of DOD’s four-phase approach outlined in the 32 CFR rule for rolling out CMMC requirements in DOD contracts. The clock starts after the 48 CFR final rule goes into effect and begins with requirements for self-assessment as a condition of award for CMMC levels one and two.

Wildenauer said he expects the acquisition rule will include language for DOD agencies, contracting officers and program managers to include as part of their solicitations.

ITI is also continuing to advocate for harmonizing cyber regulations across the federal government, Wildenauer said, noting that the Department of Homeland Security is undertaking its own process to determine contractor compliance with handling controlled unclassified information.

Wildenauer argued for reciprocity between different cyber standards to make it easier for contractors to reach compliance with multiple regimes.