Wireless group seeks clarity on CMMC exemption for telecom providers, role of harmonization to address other agency requirements

By Sara Friedman / March 14, 2024

Wireless group CTIA supports the Defense Department's decision to create an exemption for telecommunications providers under the Cybersecurity Maturity Model Certification program, while asking, in its response to a proposed rule on implementation, for more guidance on what triggers applicability.

“CTIA members have a unique role as government contractors providing connectivity via commercial networks. CTIA members provide numerous vital services to the federal government from commercial wireless connectivity and devices to more tailored offerings focused on particular government missions,” the trade association writes in a Feb. 26 filing to DOD on the proposed rule.

CTIA says, “Providers are also subcontractors on several important contracts, providing connectivity and other solutions to primes that support various agencies. We expect that some CTIA member contracts will in the future be subject to the requirements of CMMC level 2 or higher, so our members have an interest in this rulemaking.”

DOD issued a proposed rule on Dec. 26 to implement the CMMC program. The Pentagon is working on a second rulemaking that will make changes to DOD’s acquisition rules.

Nearly 800 comments have been filed on the proposed rule from a broad range of sectors including defense, technology, gas, electric and international bodies.

CTIA breaks its submission into four areas with specific details on proposed changes. The areas are:

  • maintain and enshrine the exemption for telecommunications providers in the Proposed Rule;
  • promote harmonization via the Proposed Rule’s methods of Level selection, affirmation and certification statements, and use of security control guidance from NIST;
  • clarify the scope of the Proposed Rule as it relates to subcontractors, governmentwide contract vehicles, and newly introduced terminology; and
  • address implementation issues to limit potential risks for contractors.

CTIA asks DOD to clarify the encryption requirement in the rulemaking and use of the term “common carrier” when discussing the exemption for telecom providers.

The filing says, “Many service providers directly contract with DOD and other agencies, and serve as subcontractors, selling access to commercial connectivity that is agnostic as to the traffic transmitted over the networks.

“A commercial internet or telecommunications service provider’s status as a defense contractor or subcontractor should not automatically subject them to the requirement to meet CMMC, where the contracted service is commercial in nature and traffic-agnostic,” according to CTIA.

DOD’s decision to make encryption by a third-party user a trigger for entities who need to meet CMMC requirements is “unworkable,” CTIA says, “because the telecommunications service provider does not have control over whether a user encrypts the traffic it sends over the network.”

CTIA says, “DOD needs to impose CUI encryption requirements on the relevant contractor, not the telecommunications network provider -- another contractor’s failure to encrypt data should not be able to pull a telecommunications carrier’s network into the Assessment Scope.”

CTIA also notes that the proposed rule uses “varied terms to address who in the communications sector may be covered.” The wireless group specifically points out that the rule refers to “internet Service Providers” and “telecommunications service providers,” and then refers to both as “common carriers.”

“This language is imprecise and will create confusion, particularly as the Federal Communications Commission is presently considering what services should be treated as telecommunications services. Further, ‘common carrier’ has a distinct meaning under federal law that may be more restrictive than DOD intends for its rules. This risks causing confusion,” CTIA says.

The filing says, “We urge DOD not to use ‘common carrier’ and to instead create an exception for contracts involving commercial communications networks that support government and commercial traffic, and which are not purpose-built for use by the federal government to transmit sensitive or other government data.”

CTIA asks DOD to put language in the proposed rule definitions to exempt commercial communications networks.

CTIA also wants DOD to clarify the term “Security Protection Data,” which is used in the rulemaking in the context of requirements for external service providers.

The filing says, “As currently drafted, the Proposed Rule could extend to all types of data created by Security Protection Assets that is processed, stored, or transmitted on a third-party asset, and might therefore convert more providers to ESPs than is necessary. Unnecessarily expanding the number of ESPs would increase the complexity and costs of assessments under the Proposed Rule.”

The proposed rule goes into detail on a four-phase implementation plan under which CMMC will be a requirement in all contracts that concern federal contract information and controlled unclassified information 30 months after the two CMMC rules are finalized.

CTIA asks for “at least a one-year ramp up period after the adoption of the final rule when there is delayed application of the proposed ‘affirmations’ and flexibility in the remediation of the Plan of Action and Milestones (‘POA&M’) (beyond the proposed 180-day period) is allowed.”

USTelecom also submitted comments to DOD on the proposed rule, arguing for a similar adjustment to the “affirmations” and POA&M timeline.

USTelecom writes, “Extending flexibility beyond the proposed 180-day period for an initial one-year ramp up period instead would allow organizations to address vulnerabilities more thoroughly, ensuring that remediations are not only implemented but are effective and sustainable in the long term.”

“A one-year ramp-up period would also serve as a valuable feedback mechanism, allowing both the DOD and contractors to identify and address unforeseen challenges, make necessary adjustments to the framework, and share best practices for compliance, obtain the appropriate certification, and enable sufficient C3PAO auditors to get certified as assessors,” USTelecom says.

The USTelecom filing also asks DOD to work with other agencies to harmonize affirmation requirements and provide clarity on how CMMC will apply to existing government-wide contracts.