“Every single business doing any kind of business with the Department of Defense will need to get certified and get a third-party audit that they have basic cyber hygiene.”
It’s been nearly four years since former Pentagon official Katie Arrington said those words and unveiled the “Cybersecurity Maturity Model Certification” during a May 2019 conference in a windowless lecture hall at the Georgetown University Law Center in Washington, D.C.
At the time, the plan was to begin certifying contractors as soon as 2020.
The impetus behind the program was simple: China-linked groups and other hackers were stealing sensitive data from the networks of defense contractors, and multiple reports had found companies weren’t following contractual cybersecurity requirements. The Defense Department wanted to know whether companies could protect sensitive data on their networks before awarding a contract.
But shepherding a program to assess and certify the cybersecurity practices of hundreds of thousands of companies in the defense industrial base has been complex.
The original CMMC faced industry pushback and delays, and the Pentagon significantly revamped the program as part of “CMMC 2.0” rolled out in late 2021. DoD officials said then the rulemaking process could take as long as two years to complete.
Now, the Pentagon is on the cusp of sending the rulemaking to the White House Office of Management and Budget. CMMC is closer than ever to becoming a reality. But it could still take more than a year, and questions continue to swirl around the program.
Timing is everything
Bob Metzger, head of the Washington office for law firm Rogers Joseph O’Donnell, said the two biggest questions about the CMMC program are when the rulemaking will be finished and whether the rules will take effect in 2023.
“Right now, no one knows,” Metzger said. “DoD has been delayed more than six months in getting the completed rule package to OMB for its evaluation. This suggests some disagreement within the department as to how to proceed.”
Stacy Bostjanick, chief of defense industrial base cybersecurity within the office of DoD’s chief information officer, said DoD “continues to anticipate sending the draft 32 CFR rule to OMB in the very near term,” referring to Title 32 of the Code of Federal Regulations, which governs national defense.
“As DoD has previously stated, the rulemaking process may take up to 24 months to complete,” Bostjanick said in a statement provided to Federal News Network. “In addition to the 32 CFR rule, a 48 CFR [Federal Acquisition Regulations System] rule will be completed to support implementation of CMMC through contractual requirements. The objective timeline for implementing contractor compliance with CMMC requirements has been and remains [fiscal 2025].”
The Pentagon also stresses that many defense contractors have been required since 2017 to follow cybersecurity standards, even if they’re not yet required to obtain a CMMC assessment.
“CMMC adds a verification requirement to those existing requirements and to the cybersecurity support that the department already provides to the DIB,” Bostjanick said.
Pentagon officials had previously expressed hope they could begin rolling out CMMC requirements this year. For that to happen, OMB would need to approve DoD publishing the regulations as an “interim final” rule, which could take effect 60 days after publication.
But the more likely alternative, according to Metzger, is for OMB to approve the CMMC regulations as a “proposed rule,” with a comment period of up to one year before the final rules take effect. That path would give companies more time to digest what will likely be a complex regulation and prepare for its implementation.
But it means CMMC wouldn’t start showing up in contracts until 2024.
The fall 2022 unified agenda shows the CMMC regulations in the “proposed rule” stage, with a notice of proposed rulemaking expected to publish in May 2023. Those projections, however, can change.
If DoD wants to implement the program more quickly with an interim final rule, Metzger said a key factor is convincing the White House of the “urgency” behind the assessments. On the one hand, OMB may consider an interim rule unnecessary considering the existing contractual requirements for contractors to follow cyber standards.
“However, if DoD senior leadership presses hard, and insists that national security demands acceleration of CMMC third-party assessments, that could persuade OMB to go ‘interim final,’” Metzger said.
Cyber assessment ecosystem
Another major question is whether there will be enough CMMC Third-Party Assessment Organizations (C3PAOs) to meet the demand. Those organizations are authorized by the Cyber AB, the program’s accreditation body.
“There’s still some concern about the speed at which DoD is getting the accreditation body put together so that our companies can get certified as CMMC compliant,” John Luddy, the vice president for national security policy at the Aerospace Industries Association, said in an interview.
So far, 35 organizations have been approved as C3PAOs, with several hundred more having applied. Matthew Travis, the chief executive officer of the Cyber AB, said the body has been “pleased with the initial response that the compliance industry” has had to the CMMC requirements.
“We’ll continue to work to get more through the process, because ultimately, when CMMC does go live, we want there to be as many authorized C3PAOs as possible,” Travis said.
Just as important, he said, is the number of CMMC individual assessors who will work at the C3PAOs and conduct the assessments. There are about 2,500 assessors in the training pipeline today, Travis said, but he estimates a total of 5,000 will be needed to scale CMMC across the defense industrial base.
How will CMMC be rolled out?
The program’s requirements will likely be introduced as part of a phased rollout, Metzger said, to avoid disrupting the market and straining the C3PAO ecosystem.
“I’d expect DoD to be looking to first apply CMMC assessments to sensitive military programs involving key defense technologies,” he said.
“Not all contractors present equal significance, not all contracts, programs, work or services, contracts or technologies — they’re not all the same,” he continued. “But DoD is going to need to have a principled and thoughtful approach to how and when and to whom it releases the new CMMC requirements.”
Travis said he’s also expecting a phased rollout to take into account the readiness of C3PAOs and assessors to meet the demand.
“The department is not going to just flip a switch the day after rulemaking and put CMMC requirements in every contract,” Travis said. “It’ll be a partnership to figure out the scale and capacity of the ecosystem when rulemaking is completed, and then we’ll go from there.”
More details on the implementation plan will likely come out as part of forthcoming rulemaking. DoD declined to comment on any details around the draft regulations.
But Luddy said the timing of the roll-out is one of the major questions within the defense industry.
“One of the things we will be looking for is an appropriate timeframe, appropriate sequence of how it’s rolled out and mapping resources to that timeframe, so that we don’t expect too much too soon,” he said.
Will defense contractors be ready?
Reports continue to find many defense contractors aren’t following the required National Institute of Standards and Technology cybersecurity controls. Meanwhile, defense contractors continue to be targeted by nation state hackers.
But compared to when CMMC was just getting started, defense contractors are now more aware of cyber threats and the need to comply with cyber standards, according to Luddy.
“Everyone’s paying attention,” Luddy said. “I think the level of focus continues to grow. You don’t have too many conversations, even at the very senior levels of our companies, where cybersecurity doesn’t come up.”
After more than a decade of targeting by Chinese espionage and other nation state threats, there’s a better understanding of how cyber threats target the defense industrial base than there was five or 10 years ago, according to Jason Atwell, principal advisor of global intelligence at Mandiant.
“There’s a better awareness of what the scope and scale of that targeting looks like,” Atwell said.
But the nature of cybersecurity threats continues to evolve as well. The defense industrial base and related high-technology industries remain prime targets for hackers, who have increasingly focused on the “supply chain” of smaller businesses that supply key components and services to large defense contractors.
And the war in Ukraine continues to raise the prospect of cyber intrusions affecting the defense industrial base.
“Right now, if you’re using Russian tanks or tank designs based on Russian tanks, for instance, you’re not going to have a lot of confidence in those designs,” Atwell said. “And so if you need to get better designs, there’s only so many places to go steal that information one way or another. So I think that we might be at the beginning phases of a renewed interest in the DIB from adversarial actors.”