Written by Mark Pomerleau
The Department of Defense expects to begin implementing Cybersecurity Maturity Model Certification (CMMC) program requirements on contracts in May 2023, as part of an effort to prompt hundreds of thousands of defense contractors to better protect their assets, networks and controlled unclassified information.
The requirements are currently undergoing the federal rulemaking process for the Code of Federal Regulations (CFR) and Defense Federal Acquisition Regulation Supplement, which is required before they can be implemented.
“We hope that by March 2023 they will give us a provisional rule. Now that’s not guaranteed,” Stacy Bostjanick, the Pentagon’s CMMC policy director, said Wednesday during an event hosted by the Potomac Officers Club. “They could come back and say, ‘No, we don’t see the urgency of this meeting as an interim rule and it won’t be allowed to implement until it goes through the final rule.’”
If an interim rule decision is granted, the program will go through a 60-day public comment period, but the department could implement CMMC on contracts and acquisitions by May 2023, Bostjanick said.
She noted that DOD will take a phased approach to ensure that the entire CMMC ecosystem, which includes cybersecurity assessors and instructor certification organizations, testers, and the Defense Industrial Base Cybersecurity Assessment Center, among others, will be able to handle the certifications requested by contractors.
The Biden administration’s revamp of the program, known as CMMC 2.0, pushed back the schedule. The revamp began last year after contractors raised concerns about the original CMMC framework developed by the Trump administration.
“Based on this change and the administrations and the review of the program, it has lengthened our timeline from the perspective that we have to do additional rulemaking activities,” Bostjanick said. “Having said that, though, I don’t think it’s a bad thing. I think having CMMC codified as a program and the 32 CFR rule makes it a stronger program and gives it more shelf life, frankly.”
Prioritized versus non-prioritized controlled unclassified information
Bostjanick also provided information on the cybersecurity framework requirements related to prioritized and non-prioritized Controlled Unclassified Information (CUI).
“For those companies that would handle non-prioritized CUI, the idea is that they could simply do a self-assessment, an annual affirmation that they meet the NIST 800-171 requirements for handling non-prioritized CUI… From our analysis, non-prioritized CUI is going to be a smaller subset of the CUI that we deal with,” she said.
“Because companies typically never do a single contract with the DOD, they bid on multiple contracts, eventually anyone who handles CUI and bids on more than one contract is probably going to have to have a third-party appraisal, because it’s only ever going to take one contract that you bid on that requires a third-party evaluation to bring it to that level,” she added.
She noted that a contract will state whether the procurement involves prioritized CUI, non-prioritized CUI, or Level 3 CUI. Level 3 requires an assessment from the Defense Industrial Base Cybersecurity Assessment Center.
Right now, Pentagon officials are working through various exercises to ensure that the definitions of these levels of controlled unclassified information are clearly delineated.
The rough definitions they are working with now, which could be refined in the coming months, are that non-prioritized CUI involves information that wouldn’t cause much of a problem if published, such as material from a military uniform. Prioritized CUI is information that would cause some loss of capability or advantage if it were acquired by adversaries, hackers, or others. Level 3 CUI is information associated with critical programs and technologies.
In addition, the Pentagon is developing procurement guidance to help program managers and contracting officers decide whether the CUI involved is prioritized as they prepare a request for proposals, Bostjanick said.