PSC seeks information from DOD on CMMC program costs, implementation needs

By Sara Friedman / March 5, 2024

The Professional Services Council is calling for the Defense Department to do further analysis on potential costs for contractors and their suppliers to comply with the Cybersecurity Maturity Model Certification program before finalizing proposed regulations.

“PSC believes DOD’s understanding is incomplete with regard to industry’s investment timeline and outlay for CMMC compliance. The estimated implementation costs cited in the proposed rule largely undervalue the true costs companies will incur to meet and maintain compliance standards,” the contracting industry group says in comments filed on Feb. 26.

The Defense Department issued the first proposed rule on Dec. 26 to implement changes to the CMMC program. Nearly 800 comments have been filed from a broad range of sectors including defense, technology, communications, gas, electric and international bodies.

PSC argues that DOD’s CMMC proposal to require the close out of plans of action and milestones within 180 days “may be inconsistent with existing POA&Ms and therefore more costly than estimated in the proposed rule. This could be detrimental to firms not already poised for certification.”

Under CMMC 2.0, DOD will allow contractors to complete a self-assessment for level one. PSC says, “However, absent clear direction in the form of DOD policy and guidance, as a risk-mitigation strategy, PSC believes that contracting officers may frequently require at least a Level Two certification, even if a Level One self-assessment is sufficient to perform the defined requirements.”

“In this way, PSC believes the proposed rule falsely assumes that over 63% of contractors would only need to meet Level One requirements. As a result, PSC believes the proposed rule significantly underrepresents both the scale and scope of CMMC requirements across the defense industrial base,” the filing says.

PSC wants DOD to issue guidance on how contracting officers should determine the CMMC level required for a given DOD procurement or program. The filing also asks DOD what steps it will take if contracting officers require level two and/or level three certification at a rate that is “substantially higher than projected,” and to state that information in the final rule.

In addition, PSC wants DOD to “forecast its projected Level Two and Level Three assessment capacity against various demand scenarios for each certification level.” PSC asks if DOD will provide resources to satisfy the increased demand for level two and three assessments if the department is “incorrect in its assumption” on 63% of contractors falling under level one.

On POA&Ms, PSC asks DOD to “recognize that projected POA&M costs are not the same as costs already incurred and that such projected costs extend beyond the proposed 180 day adjudication period and will likely increase as underlying NIST requirements change.”

“DOD should determine the range of potential compliance timelines, the use and value of existing and planned POA&Ms, and the true certification costs – both for initial compliance as well as ongoing maintenance and oversight,” the filing says.

PSC seeks clarity on controlled unclassified information markings, specifically asking DOD to “establish primary controls over CUI marking standards by developing and issuing a CUI ‘Class Guide’ in a manner similar to Security Class Guides (SCGs) developed for classified programs.”

“Consistent definition and application of SCGs across programs is critical to the integrity and protection of classified data. Applying similar standards and approaches to how CUI will be managed, including designating DoD as the original classification authority (or similar), would provide the consistent and predictable parameters companies need to appropriately bid and maintain data security requirements throughout contract performance,” according to PSC.

PSC also addresses reciprocity, expressing concern over how the “variation in compliance requirements, and the increase in associated costs, could penalize companies that do business with DoD and with other federal agencies.”

It says, “This could in turn incentivize companies to prioritize non-DOD missions, restrict global operations, or exit the defense industrial base entirely, undermining the very purpose for the CMMC program.”

“Considering DOD’s responsibility to ensure both the health of the industrial base, and by extension the competitive landscape, PSC recommends that DOD should acknowledge and address the impact of standards and compliance requirements on firms who support both DoD and non-defense customers. The best way to address this impact is to apply similar data security requirements for contractors across all federal agencies,” according to the filing.

PSC addresses the need for harmonizing cybersecurity regulatory requirements, specifically referring to two proposed rules related to the 2021 cyber executive order and the update to NIST Special Publication 800-171.

The filing says, “In recognition of these various interrelated and parallel regulatory efforts and legal proceedings, PSC recommends that, prior to issuing a final rule, DOD work with other relevant agencies to integrate and harmonize the numerous regulatory changes that impact contractors' capacity to safeguard data and systems.”

“Absent such efforts, compliance may fall short of that needed to respond to cybersecurity threats, and industry’s costs to comply with numerous unique requirements across a varied customer base will only serve to dramatically increase the federal government’s costs of goods and services,” PSC says.