The Coalition for Government Procurement is seeking clarity on how the Defense Department will allow external service providers to play a role in achieving compliance with the Pentagon's Cybersecurity Maturity Model Certification program, in a filing on the proposed rule to implement the effort.
“The definitions of ‘External Service Providers’ and ‘Cloud Service Providers’ must be clarified to facilitate continuing access by small and medium-sized businesses, especially, to external security services. Already, a very large percentage of SMBs rely upon Managed Service Providers and Managed Security-as-a-Service Providers for day-to-day management of their information technology systems to handle data and system security and to respond to security incidents,” the coalition says in Feb. 26 comments to DOD.
“The Proposed Rule can be read to apply Federal Risk and Authorization Management Program (FedRAMP) Moderate cloud security requirements to many of these external service providers. This approach is unnecessary, unaffordable, and impracticable,” the coalition writes.
DOD issued the first CMMC proposed rule on Dec. 26. Nearly 800 comments have been filed on the proposed rule from a broad range of sectors including defense, technology, communications, electric, gas and international bodies.
The Coalition is “a non-profit association of firms selling commercial services and products to the Federal Government,” the filing says. “Its members collectively account for a significant percentage of the sales generated through General Services Administration contracts, including the Multiple Award Schedule program. Members of the Coalition also are responsible for many of the commercial item solutions purchased annually by the Federal Government.”
Leveraging MSPs and MSSPs is one way that organizations seeking a CMMC certification can lower the cost of reaching compliance. While DOD officials recognize the importance of MSPs and MSSPs, guidance has been limited outside of a DOD memo published Jan. 2 on FedRAMP Moderate equivalency.
The filing says, “Few of the tens of thousands of SMBs would be able to afford third party services if limited to those available today, or soon, which have received FedRAMP Moderate authorization. Enduring the FedRAMP process, with or without a Joint Authorization Board Provisional Authorization or Agency Authorization to Operate, is a very expensive and slow process.”
“FedRAMP helps federal agencies to establish that the cloud services they use are compliant with the statutory requirements of the Federal Information Security Modernization Act. But FedRAMP never was intended to apply to offerings of commercial cloud services, by commercial cloud providers, to commercial companies who happen to supply goods or services to DoD, but who do not operate systems by or on behalf of DOD,” the filing says.
The coalition wants DOD to avoid “draconian consequences on the thousands of small businesses who depend upon CSPs, MSPs, MSSPs and other External Service Providers” as they work to finalize the proposed rule and an upcoming second rulemaking to amend DOD’s acquisition rules.
The filing says, “DOD also should recognize that the community of ESPs is largely comprised of small businesses. [DOD] should strike a balance between imposed security requirements, on the one hand, and the ability of thousands of DOD suppliers to afford satisfaction of those requirements.”
SMBs already rely on “cloud-based managed or security services,” the coalition argues, emphasizing how there is a high “likelihood” that some SMBs will need to leave the defense industrial base if they can’t afford to meet the CMMC requirement.
The coalition also emphasizes how there is no mechanism today to assess ESPs for a CMMC certification.
The filing says: “We support measures to assure the security of all forms of ESPs. We think an appropriate starting point is to use the same baseline requirements of National Institute of Standards and Technology SP 800- 171 Rev 2 and to assess against the related CMMC security requirements.”
“The security issues present for different classes of ESPs (MSPs, MSSPs, cloud-delivered security applications, etc.), however, are distinct from those of enterprises seeking to protect the security of CUI they employ in performing DOD contracts. We expect that the best, cost-optimized solutions, also differ,” the filing adds.
It continues, “We strongly encourage DoD to form one or more public-private partnerships to develop control sets based on NIST publications that are tailored for different types of ESPs, and which focus upon the confidentiality objective of CUI.”
The coalition also calls for expanding the use of self-assessments for CMMC level two and the timeframe for closing plans of action and milestones. The filing addresses DOD’s phased approach for implementing CMMC and how the proposed rule addresses affirmations for all three CMMC levels.