Defense group raises concerns to Pentagon over flow-down requirements for CMMC program

By Sara Friedman / February 29, 2024

The Aerospace Industries Association is asking the Defense Department to provide information on how it will address flow-down requirements and the roles and responsibilities for primes and subcontractors, in response to the first proposed rule for the Pentagon's Cybersecurity Maturity Model Certification program.

“Clarification is needed on DOD’s intent with regard to prime contractors ‘requir[ing] subcontractor compliance throughout the supply chain at all tiers with the appropriate CMMC level for each subcontractor....’ We request clarification on what is meant by requiring subcontractor compliance,” AIA writes in comments submitted on Feb. 26.

AIA says, “Does the DOD intend for prime contractors to have additional obligations beyond flowing down applicable clauses? If so, there should be an understanding that prime contractors lack privity of contract beyond the first tier, which would make it very difficult, if not impossible, to ‘police the entire DOD supply chain.’”

AIA argues, “Making prime contractors responsible for oversight and verifying compliance of the entire supply chain will place substantial risk (e.g. civil enforcement, False Claims Act, termination) on prime contractors that have neither the resources nor ability to adequately manage subcontractor CMMC compliance, unlike the federal government which has regulatory and enforcement powers.”

“Additionally, due to the complexity of the defense supply chain, a prime contractor on one procurement will often switch places with the subcontractor on another. This creates difficult situations where potentially two defense competitors are evaluating each other’s CMMC compliance. In addition, there may be situations where a contractor works on multiple contracts with varying CMMC levels,” AIA writes.

AIA says, “We recommend DOD clarify that prime contractors fulfil their CMMC obligation by flowing down the contract clauses. This would allow DOD to focus on auditing contractor compliance at all levels of the supply chain. Additionally, we recommend that DoD define what is termed as the ‘appropriate CMMC level’ for various types of data to provide clarity on the appropriate flow down for the supply chain.”

DOD issued the first proposed rule to implement the CMMC program on Dec. 26. The 234-page rulemaking outlines the Pentagon’s process for assessments, CMMC ecosystem roles and the flow-down of CMMC requirements through the supply chain.

DOD has received nearly 800 comments, including a submission from the Council of Defense and Space Industry Associations that asks for clarity on controlled unclassified information and on addressing assessment gaps. AIA is a CODSIA member.

AIA addresses international primes and subcontractors in its filing, explaining that some DOD prime contractors are foreign entities, while other, domestic prime contractors will need to flow down CMMC requirements to foreign subcontractors.

In the proposed rule, AIA says DOD “makes clear that international prime contractors and subcontractors will be subject to the same requirements as U.S. entities.” However, AIA argues that “there is not a specific set of directions or guidance as to reciprocity or accommodations for international cybersecurity standards.”

AIA writes, “For example, over the past few years, prime contractors and subcontractors in the United Kingdom (UK) have wrestled with handling CUI based on the UK’s Ministry of Defence (UK MOD) Industry Security Notice 2021/03 (Compliance with Cyber Security Requirements from Other Nations), directing the UK Defense Supply Base (DSB) to reject cybersecurity requirements in the DFARS and CMMC.”

“Both U.S. and U.K. contractors have requested a class deviation or other exceptions to the DFARS clauses. There have been ongoing discussions regarding the possibility of reciprocity between the US DOD and UK MOD; however, currently we are unaware of a final resolution. The proposed Rule does not address how this will be resolved, whether with the UK MOD or another foreign government or entity, and we recommend DOD establish a mechanism to alleviate this concern,” AIA says.

The filing lists a number of definitions where clarification is needed, including a request to “modify the language to include self-attestations from Third Party Assessment Organizations (3PAOs) for FedRAMP equivalency and CMMC Third-Party Assessment Organizations (C3PAOs) for CMMC equivalency.”

On CMMC level three, AIA wants additional industry input to “be sought to better understand the extensive efforts involved.”

AIA asks DOD to clarify joint surveillance audits by re-establishing the three-year renewal period, which would convert into a CMMC certification from the date that CMMC goes into effect under the final rule.

The filing also seeks clarity on scoping and reciprocity. AIA says, “DOD should explicitly address how the CMMC program will harmonize the reciprocity, portability, and scalability of a CMMC certification across different contracts, agencies, and international partners. As an example, [the Department of Homeland Security] is contemplating its own assessment methodology. This will lead to inefficiencies and additional costs for contractors.”

AIA seeks a clarification on external service providers that will allow one ESP certification to be used for all organizations seeking assessment. The filing also asks for more information on the requirements for FedRAMP moderate equivalency and says there should be a “consistent approach between compliance with CMMC and FedRAMP (including the use of POA&Ms).”