Major industry coalition seeks clarity from DOD on CUI, addressing assessment gaps for CMMC program

By Sara Friedman  / February 28, 2024

A coalition representing large defense and tech groups is asking the Defense Department to provide clarity on marking controlled unclassified information, defining responsibilities in contracts and flexibility on addressing assessment gaps, in formal comments on the first proposed rule for the Pentagon's Cybersecurity Maturity Model Certification program.

The proposed rule issued on Dec. 26 reflects major changes to the CMMC program announced in November 2021 following an internal review. The Coalition of Defense and Space Industry Associations submitted comments on Monday.

“We appreciate the rules’ general alignment with the policy objectives that were communicated as part of the move from CMMC 1.0 to CMMC 2.0 and in subsequent engagements. We believe the rule provides much needed clarity on key questions, including the streamlining of Assessment Levels, a more flexible process of flowing down CMMC requirements to subcontractors, and a clearly defined roll out period that provides enough time for contractors to fully implement the program’s requirements,” CODSIA says.

Coalition members include the Aerospace Industries Association, the Alliance for Digital Innovation, the American Council of Engineering Companies, Associated General Contractors of America, the Information Technology Industry Council, the National Defense Industrial Association and the Professional Services Council.

CODSIA provides recommendations in four areas starting with ensuring “the protection of DOD data by delineating clear and actionable CUI marking instructions and responsibilities in contracts.”

“Achieving CMMC’s desired risk management outcomes is contingent upon clear, accurate, and consistent CUI marking guidance," the filing says. "The current ambiguity in the marking process leads to significant marking inaccuracies. To minimize risk acceptance, many agency components default to overmarking data as CUI.”

“This leads to a situation in which basic documents, presentations, and communications are incorrectly marked as CUI, which now must be protected per DFARS 252.204-7012," the filing adds. "At the same time, the imprecise marking guidance provided to contractors potentially leaves true CUI unmarked, which goes against CMMC’s primary objective of protecting CUI in nonfederal systems."

The coalition emphasizes how industry depends on DOD to “identify, define and describe the CUI requiring protection.” It adds: “This is especially true whenever the Department assigns the identification responsibilities to contractors.”

The filing says, “If the guidance is clear, accurate, and consistent, contractors can apply it to the data they generate for or at the direction of DOD and take necessary steps to ensure the protection of the data. This would also reduce the Department’s workload of responding to clarification requests from contractors.”

CODSIA argues, “Without this critical information being defined to industry, there is a great risk of goal misalignment which could waste scarce resources at best and leave open vulnerabilities in sensitive systems at worst.”

The filing also asks DOD to enable more flexible plans of action and milestones (POA&Ms).

“We appreciate the decision to allow plans of action and milestones (POA&Ms) for select controls during the CMMC assessment," CODSIA says. "We note that roughly two thirds of objectives are not eligible for POA&Ms due to the excess risk that an incomplete implementation would introduce.”

When it comes to closing POA&Ms, CODSIA says the “remaining 105 objectives will need to be maintained on a continuous basis to preserve the contractor’s CMMC certification.”

The coalition says: “As contractors need to update and reconfigure their systems, several controls pose an outsized challenge for small and medium sized contractors to maintain on a continued basis. We recommend providing greater flexibility on POA&Ms by allowing for extension requests for extenuating circumstances and by providing an option to maintain CMMC certification through an appropriate POA&M to close temporary deficiencies due to system reconfiguration.”

Another major area of focus is asking for “guidance on how to cascade requirements to international sub[contractors] with explicit mentions of any applicable reciprocal procurement agreements.”

Finally, CODSIA calls for future-proofing the proposed rule by putting in place a “clear transition process for forthcoming standards revisions.”

CMMC level two is closely tied to NIST Special Publication 800-171, the set of security requirements for protecting CUI in nonfederal systems, and its companion assessment guide SP 800-171A. The requirements in the proposed rule are tied to revision two of the NIST publication, while NIST is in the process of finalizing revision three of the 800-171 series.

“The rule should clearly define how revisions to SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A will be handled," CODSIA says. "To design a transition process that reflects advancements in security requirements while also being implementable, we offer the following input for your consideration. At the time of award, the contract should specify which revision applies. This should be the latest published version of the standard for which assessments are available.”

“As NIST updates the underlying standards, there should be a clear roadmap for when the new requirements will go into effect," the filing adds. "The transition timeline should account for the time it takes the Cyber AB to update the assessor training materials, train assessors, and have companies complete the updated assessment process."

The coalition says: “Before completing their new assessments, companies will also require time to reconfigure their systems to fully implement the new security requirements. To bridge the gap between transitions, service level agreements (SLAs) or plans of action and milestones (POA&Ms) may present suitable tools.”

As written, the proposed rule allows POA&Ms only for initial assessments, according to CODSIA, and not when the assessment baseline itself changes because the underlying standard has been revised. As a result, CODSIA says some contractors may “fall out of compliance.”

“Contractors who complete their tri-annual reassessments after the expiration of the appropriately scoped transition period should be required to certify to the latest version of the underlying standards,” according to the coalition.