By Jaspreet Gill on April 21, 2022 at 2:26 PM
Story updated 4/22/2022 at 10:25 am ET to include a clarification that Bostjanick was referring to May 2023 for when a new CMMC interim rule might go into effect.
WASHINGTON: The Pentagon is assessing whether to develop cloud service offerings to help contractors meet requirements for its cyber certification program, according to the Defense Department’s deputy chief information officer.
The Cybersecurity Maturity Model Certification (CMMC) program aims to strengthen the cybersecurity of the defense industrial base by holding contractors accountable for following best practices to protect their network, but can be an onerous undertaking both for the companies and their assessors. The Pentagon last November rolled out CMMC version 2.0, streamlining the security tiers of the program from five to three and resulting in some requirements changes for its first two levels.
David McKeown, DoD deputy chief information officer and senior information security officer, whose office leads the CMMC effort, said Tuesday at the AFCEA Cyber Mission Summit he’s looking for “innovative solutions” to help contractors meet at least 85 out of 110 controls in NIST Special Publication 800-171 in order to achieve certification required for Level 2 of CMMC.
“For instance, in the CMMC realm, rather than go out and assess each and every network of our industry partners, I’m kind of keen on establishing some sort of cloud services that either achieve many of the 110 controls in [NIST SP] 800-171 or all of them that industry partners can consume to store our data and safeguard our data without us having to go out onto your network,” McKeown said.
Pentagon CIO John Sherman in February said he hoped the upgraded CMMC program would raise the cybersecurity “waterline” across DoD to keep potential adversaries away from critical data.
“This is basic hygiene to raise the water level to make sure we can protect our sensitive data so that when our service members have to go into action, they’re not going to have an unfair position because our adversary’s already stolen key data and technologies that’ll put them at an advantage,” Sherman said at the AFCEA Space Force IT conference.
Meanwhile, CMMC’s policy director said Wednesday another interim rule for the program could come in May next year. The Pentagon released its first interim rule, which define some mandatory compliance requirements, in September 2020 for the first version of CMMC, prompting hundreds of comments and criticism from industry regarding the timeframe and complexity of the program.
“Our anticipation is that we will be allowed to have another interim rule like we did last time,” Stacy Bostjanick, CMMC policy director for the Office of the Undersecretary of Defense for Acquisition and Sustainment, said. “We’re hoping that the interim rule will go into effect by May. In fact, my team is very frustrated with me today because I’m sitting here with you guys and they’re stuck in a room going through a rule that’s like hundreds of pages long.”
Once the rulemaking process is over, she said she hopes “there will be only one more aspect that we’ll have to address and that will be the international partners.”
“That will probably take some rulemaking effort,” Bostjanick said. “We’re working through how that’s going to work in getting that laying flat today.”