AIA sees potential expansion of CMMC program beyond DOD following release of proposed rule

By Sara Friedman / January 24, 2024

The Aerospace Industries Association is advocating for the Defense Department's Cybersecurity Maturity Model Certification program to be used by civilian agencies, as part of an effort to address "ambiguity" over sensitive information held by contractors and create synergies.

“By other federal agencies coming on board with CMMC, that will help settle the ambiguity that is currently out there . . . the more synergy across the cybersecurity space for the government and industry the better,” AIA’s Jason Timm told Inside Cybersecurity. A major proposed rule to implement the CMMC program was published on Dec. 26.

Timm noted that DOD can “lead the way forward” on cybersecurity, emphasizing that “the biggest issue is defense industrial base companies don’t just work on contracts for the Defense Department, they also work for a lot of other federal agencies.”

Timm specifically referred to the Federal Aviation Administration, NASA and the Department of Homeland Security as examples. “Bringing other federal agencies together to coalesce around CMMC is a good thing,” Timm said.

The government’s controlled unclassified information program is run through the National Archives and Records Administration. How other organizations “start to mark their data . . . has yet to be seen” outside of what’s specified in NARA’s CUI registry, Timm said.

Timm, AIA’s director for defense policy and integration, spoke with Inside Cybersecurity on the state of the CMMC program following the release of the CMMC proposed rule.

The comment period for the rule and eight accompanying guidance documents closes on Feb. 26.

The proposed rule implements changes announced in CMMC 2.0 and amends Title 32 of the Code of Federal Regulations.

DOD is working on a second rule to amend Title 48 of the CFR, which makes changes to the Defense Federal Acquisition Regulation Supplement. The second rule is expected this year, according to the fall 2023 unified agenda.

The original CMMC rulemaking, published in 2020 as an interim final rule, added three new DFARS clauses with cyber requirements for defense contractors including CMMC.

“It will be interesting to see what DOD comes out with the 48 CFR activating the 7021 DFARS clause,” Timm said. “Everyone is looking for the 48 CFR so for the DFARS piece, for actual implementation of the 7021 clause and how that is going to play out and whether it will be a proposed rule or interim rule like it was before in 2020.”

“We are all pleased the 32 CFR is a proposed rule so we get an opportunity to comment on the new version, 2.0, versus the last rulemaking under CMMC 1.0,” Timm said.

The Information Technology Industry Council is also awaiting the 48 CFR rule to see how CMMC requirements will be incorporated into contract solicitations.

DOD announced major changes to the CMMC program in November 2021, including removing the third-party certification requirement for CMMC level one and for some contracts under level two. The CMMC proposed rule issued on Dec. 26 provided details on how the assessment process will work.

“The level one self assessment eases a lot of the angst that came out in the original [IFR] rulemaking regarding cost of third party assessments for small business under level one,” Timm said. “Having a self assessment for level one is good, but there can always be a need to fact check the supply chain ensuring your next tier supplier is actually where they say they are.”

“From a level two standpoint, the rule specifies a projected number of small businesses that would be allowed to do a self assessment but the vast majority of the supply chain will need a C3PAO or certification assessment,” he added.

Timm also reflected on DOD allowing contractors to have a plan of action and milestones under CMMC 2.0.

“When the government came out with 2.0 and they said POA&Ms out to 180 days, that completely makes sense and we are happy to have a POA&M versus not having a POA&M,” he said. “The use of the POA&M and what controls would be allowed listed or tracked in a POA&M are yet to be seen but it’s a good news story from here.”