Industry groups raise concerns over CMMC compliance costs, program capacity needs

By Sara Friedman  / March 1, 2024

A coalition of industry groups led by the U.S. Chamber of Commerce is seeking flexibility in how requirements of the Pentagon’s Cybersecurity Maturity Model Certification program are implemented, arguing that such flexibility is needed to address compliance costs as work to finalize the regulations gets underway.

“Our associations believe that it is essential that [the Defense Department] builds in flexibility in the administration, application, oversight, and enforcement of the proposed rule. Such flexibility would benefit DOD and the thousands of businesses subject to the CMMC Program,” the coalition writes in comments submitted on Feb. 26.

The filing says, “The circumstances of every business differ. The CMMC Program contemplates applying one complex rule, with even more complex accompanying documentation, to [small] businesses.”

DOD issued the first proposed rule on Dec. 26 to implement the CMMC program. Nearly 800 comments have been filed from a broad range of sectors including defense, technology, communications, gas, electric and international bodies.

The Chamber’s submission was co-signed by 47G-Utah Aerospace and Defense Association, Alliance for Digital Innovation, Associated Builders and Contractors, BSA-The Software Alliance, Construction Industry Round Table, National Association of Wholesaler-Distributors, National Utility Contractors Association, Power & Communication Contractors Association and Security Industry Association.

The filing says, “Likely there would be many circumstances where one or another facet of cybersecurity compliance cannot be achieved affordably or without unacceptable disruption to an enterprise. And in many situations, relief from a formal requirement may be warranted, especially where a risk assessment shows that the cost of 100% compliance is high while the likelihood of harm is comparatively low.”

“DOD should direct CMMC Program assessors to use their professional judgments and not require them to seek the maximum evidence of compliance where there is evidence of sufficiency. Perfect is often the enemy of the good. Indeed, making the rule too rigid risks a disconnect between the contracting community and DOD that could make compliance practically impossible for hundreds if not thousands of businesses in the DIB,” the filing says.

The filing argues that the proposed rule’s costly certification regime will impact competition from “small contracting entities in the defense industry” and says DOD is “[o]verlooking the costs of compliance for newly covered contractors under the CMMC Program.”

The coalition also addresses assessment capacity, calling on DOD to reassure contractors that there will be enough capacity to conduct the required assessments.

According to the filing, contractors are “distressed that the C3PAO community and DoD may lack sufficient capacity to conduct the number of assessments, particularly for Levels 2 and 3, which would be required in order to facilitate competition in government contracts.”

In addition, the filing says the proposed rule “does not adequately address whether DoD is prepared to assess contractors that must undergo a Level 3 Certification Assessment in order to bid on a contract.”

DOD should acknowledge the need for waivers as part of the program, the filing says.

The coalition also pushes for establishing a safe harbor for contractor compliance with CMMC.

The filing says, “DOD is urged to ensure that contractors are protected from regulatory and legal liability when they meet the security requirements in accordance with the relevant CMMC Program levels.”

The coalition calls for the creation of an “adjudication authority within DOD.” The filing says, “DOD has seemingly ceded much authority to the Cyber AB, reflecting the scale of the certification challenge and the limitations of DOD’s internal resources, including those of the DCMA DIBCAC. Our associations are concerned that key decisions, including ones affecting contractor eligibility for contracts, would be resolved by an external party, the Cyber AB, with no DOD involvement.”

“DOD’s office of general counsel should consider whether this is an acceptable delegation to the private sector of an inherently government function. Many in industry would be reassured if DOD established an adjudication resource within the department,” the filing says.

The Chamber-led coalition raises concerns over the scoping and marking of controlled unclassified information, which is also addressed in filings from the Coalition of Defense and Space Industry Associations and the Aerospace Industries Association.

The Chamber filing says, “DOD contractors of all sizes have continuing, yet fundamental, questions about CUI, which is an umbrella term for all unclassified information that requires safeguarding under Executive Order 13556. A governmentwide CUI Registry provides information on the specific categories and subcategories of information that the executive branch guards closely.”

“Still, the scope of CUI marking is a leading concern that our associations consistently hear from contractors, and it should be a central one that DOD and industry spend more time working through,” according to the filing.

Further, the filing argues, “DOD can create confusion when it infers that contractor information can be deemed CUI because it matches general descriptions in the CUI Registry. However, our associations believe that there must be a specific basis in (1) statute, as with export controls or (2) a contract, as with Controlled Technical Information (CTI). Indeed, the CUI Registry should be revised to make this stipulation more plainly understood.”