According to an announcement made on February 3rd, the Cybersecurity Maturity Model Certification (CMMC) program, until recently led by the Undersecretary of Defense for Acquisition and Sustainment, has a new home in the office of the DoD Chief Information Officer. The move also shifts essential staff so they can continue supporting the program.
Many criticisms have reflected contractors’ hardships in aligning with the 3-tier CMMC program, including how long the process can take (up to 24 months) and the many hoops to jump through: 110 security requirements for Level 2 alone. However, John Sherman, DoD CIO, is pressing ahead. The team will continue to work with the acquisition and sustainment unit and collaborate with key industry participants and SMEs to submit updates that address the CMMC program’s shortcomings.
Sherman is optimistic about the move. This change in configuration will support “…integration with other Defense Industrial Base Cybersecurity programs. We are moving out in the coming weeks on the rule-making process and look forward to continuing critical collaboration with industry stakeholders,” says Sherman.
This is neither the first nor the last iteration of the program. The initial kickoff in 2019 included a 5-tier system. A review followed in March 2021, moving to a 3-tier system, and then a redesign and updates for CMMC 2.0 in November 2021. The later policy review took in concerns from the field, especially from small companies finding it difficult to comply with the certification program. As new leadership takes ownership, the team will continue to work through the pushback from government contractors and how they handle data security at an appropriate level.
Other federal agencies, including the Department of Homeland Security and the General Services Administration, have been keeping a watchful eye on the evolution of the CMMC program and the overarching concerns about it, in order to learn from the process. When discussing the recent iterations of CMMC, Sherman said, “It means raising the waterline of cybersecurity across the DoD to keep the Chinese and Russians and other potential adversaries away from our critical data.” He continued, “This is basic hygiene to raise the water level to make sure we can protect our sensitive data so that when our service members have to go into action, they’re not going to have an unfair position because our adversary’s already stolen key data and technologies that’ll put them at an advantage.”
According to Matthew Travis, chief executive of the CMMC Accreditation Body (AB), timelines are unclear. Still, we should look for an announcement in Spring 2022, when the CMMC AB starts an interim volunteer assessment period. The CMMC AB is currently reviewing feedback from the DoD’s program management office on the “CMMC Assessment Process Guide” (CAP) to make the adjustments required for the data and cybersecurity assessment and standardization.
Travis also spoke about the new employee training for CMMC 2.0 reviewers, who will lead the certification of government contractors in the program. The number of “Certified CMMC Assessors” and “Certified CMMC Professionals” has jumped from 111 to a staggering 759 in just a single year. He noted, “You’re going to be seeing promotional campaigns from us here this spring, to really encourage Americans to think about becoming assessors. It’s a great way to enter the cybersecurity field.” These new employees will work with contractors to follow the CAP guidelines over the 9-month to two-year review period. The timeline has been a key source of discouragement for contractors who have been working for the government for decades.
The CMMC 2.0 discussion is heading to a new leader but is still moving forward with the goal in mind that protecting controlled unclassified information is essential to national security. Look for more updates in Spring 2022.
How can I be successful in conquering CMMC challenges?
The Cybersecurity Maturity Model Certification may put prime contractors’ contract eligibility and revenue at risk, will require education on new prime contractor supply chain responsibilities, and will require both prime contractors and subcontractors to quickly take the first steps in the certification process.
As a contracts leader, it’s important to understand your company’s latest progress with CMMC. Access integrated capabilities in Unison CLM to support the relevant technical requirements within the new CMMC model.