American Gas Association urges DOD to consider potential regulatory overlap with CMMC program and other cyber policies

By Sara Friedman  / March 12, 2024

The American Gas Association is asking the Defense Department to consider potential avenues where contractors and subcontractors can use cyber policies at other agencies to fulfill requirements under the Cybersecurity Maturity Model Certification program.

DOD issued the first proposed rule to implement the CMMC program on Dec. 26. In comments to DOD, AGA points to two Transportation Security Administration security directives that establish ongoing reporting and assessment requirements, which they argue are “specific to the risk portfolio of pipeline systems.”

The Feb. 26 filing says, “AGA members are actively securing their networks in line with existing requirements set by TSA and are continuously improving their systems in collaboration with [Cybersecurity and Infrastructure Security Administration] and TSA to address risks specific to pipeline operations. The nature of natural gas service delivery is commoditized and repeatable, unlike other government contracts for defense systems.”

“While TSA has focused its efforts on regulating systems, rather than regulating types of information, such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), there may be overlap in regulations natural gas utilities are complying with that other contractors and subcontractors are not subject to,” AGA says.

AGA notes that the proposed rule includes a provision to “waive the inclusion of CMMC Level requirements for solicitation and contracts.” They write, “Waivers might be granted under this Section to entities who meet substantially similar requirements under other cybersecurity regulations.”

“Similarly, AGA would encourage DOD to consider whether contracting agencies meet CMMC Level requirements that are monitored through other regulatory mechanisms,” AGA says.

Reviewing and addressing potential overlaps would provide efficiencies and harmonization for the government, AGA says, as well as reduce the costs contractors would incur under the CMMC proposed rule.

AGA says, “The government has accepted similar models in other policies, as seen in the government’s recent efforts to avoid duplicative and burdensome cybersecurity requirements across the patchwork of state and federal statutory authorities.”

AGA specifically points to the Cyber Incident Reporting Council and work at the Office of the National Cyber Director to establish a “potential framework for cybersecurity reciprocity.”

“Providing exceptions or accommodations within the CMMC Level requirements for entities that are already heavily regulated and subject to other cybersecurity requirements would be consistent with these efforts to avoid duplication. Accommodating contractors and subcontractors for their ongoing compliance measures will reduce costs, improve efficiency, and support the mission of securing CUI and FCI,” AGA says.

AGA also asks DOD to extend and streamline its implementation timelines for the program to “provide greater efficiency.” DOD plans to have a four-phase rollout of the program with the expectation that all solicitations will have CMMC requirements starting in fiscal 2026. AGA asks for an additional six months.

The filing says, “The assessments and affirmation requirements proposed in the CMMC rule will require increased labor costs, time, and effort on behalf of the contractors and subcontractors to set up the policies and procedures necessary for compliance beyond those measures already in place to comply with the Defense Federal Acquisition Regulation Supplement (DFARS), the National Institute of Standards and Technology (NIST) Special Publication 800-171, and other requirements.”

“This is especially true for contractors and subcontractors who must work proactively with third party vendors and other entities providing services that interact with CUI or FCI to ensure they are meeting all the compliance requirements,” AGA says.

In the proposed rule, DOD requires contractors to close out plans of action and milestones (POA&Ms) within 180 days.

AGA proposes, “Rather than a strict 180-day period, the deadline for closing out all POA&M activities should be defined in the contract award based on the specific nature of the remediation activity. Second, AGA would encourage DoD to consider extending POA&M implementation timeline upon application by the contractor or subcontractor.”

AGA seeks clarification on how DOD will determine CUI requirements in contract solicitations. The group notes that DOD provides five “factors for program managers to consider when assigning the CMMC Level associated with a particular procurement,” including one that allows for contracting officers to use “other relevant policies and factors.”

The filing says, “AGA would encourage the Department to provide more information on what ‘other relevant policies’ may include when considering the CMMC Level for procurement. If further clarification is better suited for the CMMC-related contractual processes, then AGA encourages DOD to provide these details in the upcoming rulemaking proceeding” for the second CMMC rule which will make changes to the Defense Federal Acquisition Regulation Supplement.

AGA addresses the economic impact of the CMMC requirements, noting that the proposed rule allows entities at CMMC level three to “recover engineering costs related to compliance,” but that many contractors, especially utility services, will not need a level three certification.

The filing says, “Utilities could potentially hold CUI requiring Level 2 compliance measures and may incur costs in carrying out the assessments and validation processes necessary for the annual affirmations. The financial burden placed on utilities may be mitigated by accommodating existing compliance measures that address CUI protections.”

For level two, AGA says entities “may need to accelerate existing security implementation programs, at additional costs, in order to adopt the Proposed Rule’s requirements.” AGA specifically points to compliance costs for POA&Ms and argues that level two costs should also be recoverable as part of a contract.

Subcontractors will also face cost burdens, AGA says, to meet CMMC obligations. The filing says, “The costs associated with incorporating procedures and policies to comply with the annual affirmations, and the triennial certifications (as applicable), may be disproportionate to the risk their operations pose to the inadvertent disclosure of CUI or FCI.”

The filing says, “AGA asks the Department to scale these requirements by reviewing the subcontractor’s operations and providing them with alternatives that lessen the undue burden on the supply chain, reduce the overall costs, and ensure that such requirements are proportional to the subcontractor’s activity and risk.”

Nearly 800 comments have been filed on the proposed rule from a broad range of sectors including defense, technology, communications, electric and international bodies.