To say that DoD’s plans to enhance the cybersecurity practices of the defense industrial base have not gone exactly as planned would be polite.
White House Executive Order 13556, creating controlled unclassified, was issued in 2010. 12 years later, DoD is still wrestling with the issue.
DFARS 252.204-7012, which mandated NIST 800-171 compliance, became effective in 2017.
CMMC version 1 was issued in late 2020 as an interim final DFARS. It never really went into effect.
CMMC version 2 was released in November 2021. It tried to simplify CMMC 1.0 and did, to an extent. But within months, they realized that a key part of it (splitting CUI compliance into two parts – one which could be self-certified and one that required third party certification) – was unworkable.
So where is it now?
CMMC 2.0 is now in the “rulemaking process” under Title 32. This process is required for all federal regulations and is really complicated. After that, it has to go through the Title 48 process which governs the Federal Acquisition Regulations process.
Stacy Bostjanick, who has been trying to shepherd CMMC since the beginning is hoping the changes that come out of the rulemaking process are minor changes to what was released a few months ago. No guarantees.
She says that she is hoping that they will be allowed, one more time, to create another “interim final rule”. Hoping.
They are trying to reduce the number of companies that will require expensive third party certifications from maybe 300,000 to 100,000, but right now there are only a dozen companies who have been approved to certify contractors. You do the math.
On top of that, DoD’s contracting officers have not been well trained at understanding and documenting what is CUI. And communicating that to contractors. You can’t communicate what you don’t understand.
Many folks believe that what will come out of this rulemaking process, which is based on NIST SP 800-171 version 2, will likely look a lot like what went in. I think this is probably right.
This means that small businesses will need to make a costly decision about whether they stay in the defense business. Many will leave. In the last six years, the number of small businesses in the defense sector has shrunk by nearly a quarter.
Unfortunately, DoD is boxed in. The problem is real and there is no simple fix. Ignoring security is not a plan. Neither is asking contractors to pinky-swear that they are doing what they should be doing.
The rules are expected to emerge from the rulemaking process in May. May 2023 that is. 13 months from now. They anticipate submitting the proposed rules in July of this year.
The Pentagon is talking to international partners. The UK has a “similar” program called the Cyber Essentials program. The Pentagon wants to compare the two programs. The Pentagon would like everyone to roll over to their desires, but that is unlikely to happen. This means that there will be differences, country to country. Contractors that do business in multiple countries will have even more paperwork – and cost – to deal with.
DoD is trying to incentivize contractors to get certified now. In part this is because, if everyone waits, the size of the queue will be that much longer. That means that if people wait for the rule to come out and get documented, then it will be longer before any number of people get certified. That means the DoD would have to choose between dropping the contract requirement or picking a less qualified, more expensive vendor who is certified. What a mess. DoD’s hands are somewhat tied in this process. They cannot offer contractors money to get certified, but they can say that vendors who are certified will rank higher in the review process than ones that are not certified. They can also say, MAYBE, that if you get certified now your certification will last longer, say, instead of three years from now vs. three years from once the standard is actually approved.
One thing that did come out in CMMC 2.0 is the concept of “waivers”. In CMMC 1.0 if you failed any controls, you failed the test. In CMMC 2.0 they are talking about waivers. Limited time, limited function, only for certain controls, maybe. They have admitted that given they do not want to shoot themselves in the head, they are going to be forced to issue waivers. They have said that each waiver will need to be individually approved by the service needing the product, which makes sense. Since some executive is going to put his or her name on a piece of paper, that by itself will limit waivers. The CURRENT plan is that waivers can’t be for more than 180 days. If there are a lot of waiver requests (there will be), that by itself will be a paperwork nightmare – both approving and tracking them. Also, since the waivers will be technical in nature, the service executive approving them will need someone to explain to him or her what the hell they are approving. A mess, in other words.
The Pentagon has created an internal deadline to submit the proposed rule to the OMB on May 4. That is step 1 in the process. Generally, they have been good at meeting those deadlines. Just barely.
They are hoping to kind of amend the -7019 and -7020 clauses instead of starting over and that is probably reasonable. But reasonable and government don’t necessarily match. It is possible that DoD will feel they need to close on a deal for the Part 32 rule before submitting the part 48 rule. That could drag things out.
We continue to tell clients to focus on 800-171 because that is VERY LIKELY to remain the core of whatever comes out of the sausage grinder. That is also what they agreed, in writing, to comply with since 2017. That means that contractors who are not 800-171 are technically in breach of contract.
One more rub in the ointment. Since 800-171 R2 came out, 800-53 revved from R4 to R5. There is an effort within NIST right now to create 800-171 R3 based on NIST SP 800-53 R5 medium. DoD has already said that they are working with NIST to incorporate some of the stuff that they “lost” when they went to CMMC 2.0. That means the goalposts are likely to move before the final rule is in place.