CMMC leader hopes for quieter rulemaking process, floats ‘cybersecurity-as-a-service’

The Cybersecurity Maturity Model program at the Department of Defense has gone through its share of changes and “evolutions” over the past year. Despite another looming regulatory process, DoD officials and contracting experts are indicating that the program is unlikely to undergo another major overhaul.

The CMMC 2.0 framework, released late last year, is currently going through a rulemaking process under Title 32 of U.S. law, which outlines rules and regulations for national defense. The program is also due for another regulatory cycle later this year under Title 48, which governs the Federal Acquisition Regulations System, but DoD's Stacy Bostjanick said officials hope that any further changes will be minor or done in the context of a real, operational program, not a theoretical concept.

“My prayer is that once we get through this round [of rulemaking], CMMC will be a thing. Our anticipation is that we will be allowed to have another interim rule like last time. We’re hoping that that interim rule will go into effect by May,” said Bostjanick, the director of CCMC policy for the office of undersecretary of defense for acquisition and sustainment, during a panel discussion with SC Media at the AFCEA DC Cyber Mission Summit this week. “Once we get through this rulemaking process, we hope there will only be one more aspect that we’ll have to address and that will be international partners.”

The biggest changes that came out of CMMC 2.0 was a concerted effort to recalibrate who would (and would not) require a third-party cybersecurity assessment.

Faced with a shortage of trained assessors and feedback in the form of hundreds of public comments from the contracting industry about the scope of the program, the Pentagon simplified the different levels of certification from five to three and specified that defense contractors who do not handle controlled unclassified information would be able to self-attest that they are meeting the government’s cybersecurity requirements.

Bostjanick said the roughly 80,000 companies that DoD estimates will qualify for Level 2 maturity (which merged many of the requirements from Levels 2-4 in the previous plan). That change is “where there’s been a lot of conversation” with the contracting community.

However, defense contracting experts say that often contractors are unaware of whether they even handle CUI or misunderstand how the government classifies protected information. Even contracts for non-technical equipment, supplies and services end up being classified as controlled information because sometimes those requirements come in a package of information that include documents detailing sensitive designs or layouts for military facilities. If they’re not flagged, those same documents can end up flowing to subcontractors and other third parties.

“Unfortunately, we haven’t done a good job within the department training our program managers and contracting officers to identify [controlled unclassified information],” said Bostjanick.

Defense-contract watchers predict few CCMC changes

Some observers are predicting that the core elements on the program and its requirements are unlikely to change drastically. Jacob Horne, who works on CMMC compliance issues at Summit7, told SC Media that despite the handwringing and looming regulatory process, the program’s requirements remain tied to the National Institute for Standards and Technology’s Special Publication 800-171, which covers how contractors must handle and secure controlled unclassified information.

“The overall takeaway is that — much like the changes from 1.0 to 2.0 — there’s actually much less that can change than people think,” Horne said in an interview. “The majority of the burden and cost and impact that are facing companies with CUI stem from NIST, not the CMMC program.”

Additionally, he said many of the same complaints raised by industry around CMMC (namely that the cost burden and impact associated with the cybersecurity requirements will hurt the ability of small businesses to compete and create new barriers to entry) were similarly levied in previous regulatory processes around controlled unclassified information in 2013 and 2017.

To be clear, shrinking participation from smaller businesses (including startups that DoD often taps for innovation) is a real problem. An analysis by Amanda and Alex Bresler of PW Communications found that the total number of small businesses in the defense market shrank by nearly a quarter, 23%, over the last six years, from an estimated 68,000 companies in 2015 to about 52,000 in 2021. Bostjanick said the department is looking at developing a “cybersecurity-as-a-service” model that could provide smaller companies with higher end defensive capabilities, though such services wouldn’t replace the need for a dedicated cybersecurity program at those companies.

Even still, Horne said that the government has consistently dismissed those complaints in the past and has little reason to back off that position now or make broad exceptions.

“I don’t see anything in the language, in the indirect language of the DoD’s webinars and industry presentations, that indicate to me a fundamental policy shift from previous rulemaking on this subject,” said Horne. “If anything, I think the nature of the threat and the lack of implementation by the DIB and how bad this problem has languished, the government will be even less inclined to give out waivers and [plans of action and milestones].”