Tech group encourages Pentagon to expand CMMC program beyond DOD when finalized

By Sara Friedman  / March 6, 2024

The Information Technology Industry Council sees an opportunity for the Pentagon's Cybersecurity Maturity Model Certification program to become a standard across the federal government, according to a filing from the trade association on the first CMMC proposed rule.

“While the Department is designing CMMC for the protection of controlled unclassified information (CUI) throughout the DIB, there is value in scaling the program beyond DOD. Advanced persistent threats target other federal agencies and critical infrastructure, which has prompted some agencies to voice their interest in the program in the past,” the Feb. 26 comment filing says.

ITI writes, “Most notably, the Department of Homeland Security (DHS) solicited public comments on the program as part of a request for information on improving the cyber hygiene of DHS contractors. ITI strongly supports efforts to protect CUI in nonfederal systems and organizations and recommends doing so in a coordinated, harmonized manner.”

“Upon the conclusion of the CMMC rulemaking processes, DOD should evaluate the efficacy of the program and work with the appropriate federal stakeholders to explore scaling the program to other agencies. ITI does not recommend creating multiple agency-unique versions of the same program,” ITI says.

ITI argues, “Instead, a CMMC certification around a common baseline of controls and boundaries should enable a company to manage CUI for any federal agency. Converting the program into one that is open to all agencies would ensure regulatory harmonization and improve the protection of CUI in nonfederal systems and organizations.”

DOD issued the first proposed rule on Dec. 26 to implement changes to the CMMC program. Nearly 800 comments have been filed from a broad range of sectors, including defense, technology, communications, and gas and electric utilities, as well as from international bodies.

ITI also participated in a filing from the Council of Defense and Space Industry Associations that goes into more depth on defense industrial base issues.

ITI addresses reciprocity with other federal standards in its standalone filing by pointing to how DOD has already determined equivalency with the General Services Administration’s FedRAMP program.

The filing says, “In accordance with the FedRAMP equivalency memorandum dated December 21, 2023, the Department should allow companies to demonstrate compliance with CMMC controls by reusing work from other sufficient processes and/or certifications such as FedRAMP. Among other benefits, reusing existing certifications will expedite product availability for the Department while also reducing the burden on industry.”

ITI also calls for DOD to “explicitly state that, if applicable, covered systems with FedRAMP accreditations are exempt from CMMC requirements.” The filing says, “In the interest of further harmonizing cybersecurity regulations, the Department should explore if other pre-existing certifications can be reused for the purposes of CMMC; for example, ISO 27001 or SOC 2.”

The filing asks DOD to clarify the relationship between cloud service providers and external service providers in the final rule. ITI also argues for requiring a Customer Responsibility Matrix to clarify the responsibilities for an organization seeking a CMMC certification and all service providers.

DOD should provide “[c]lear and standardized definitions” of federal contract information and controlled unclassified information that are “tailored to meet the specific requirements of the CMMC rule,” according to ITI.

The filing says, “These definitions should be comprehensive, unambiguous, and aligned with existing regulations and guidance, including but not limited to the Federal Acquisition Regulation (FAR), the National Institute of Standards and Technology (NIST) Special Publication 800-171, and the CUI program.”

ITI also raises potential False Claims Act exposure in asking DOD to align the timeline for affirmations of compliance with CMMC requirements to the three-year assessment cycle. Under the proposed rule, contractors would need to provide annual affirmations of compliance and undergo an assessment every three years.

The filing says, “In addition, requiring a prime contractor to make an attestation on behalf of its entire supply chain is inconsistent with current DFARS requirements and may not be practical. The scope of the subcontractor attestation should be refined to clarify that government contractors are only accountable for attestations (and associated compliance actions) regarding the next lower tier direct supplier.”

ITI also asks DOD to make investments in achieving an initial CMMC level three assessment an allowable cost for contractors.

The filing says, “Level 3 introduces requirements that exceed those that are required by DFARS 252.204-7012. Contractors who pursue a Level 3 Certification Assessment will incur additional costs to implement the additional controls required beyond DFARS 252.204-7012. Reasonable notice requirements and timeframes for implementation can help keep the additional costs as low as possible.