Trending
DOD’s silence on CMMC is worrying industry
$545M is the five-year value of the VA task order issued
to Cognosante for supply chain management
Months of silence from the Defense Department on the status of the Cyber- security Maturity Model Certification program is stirring unease among defense contractors, trade associa- tions say.
In a Sept. 8 letter to Deputy Defense Secretary Kathleen Hicks, the Infor- mation Technology Industry Council, National Defense Industrial Associa- tion and Professional Services Council called for more transparency and com- munication from the Pentagon about the CMMC program.
“We believe it is important for the department to remain publicly commit- ted to the CMMC program to under- score the program’s importance for national and supporting global cyber ecosystems,” the letter states. “This public commitment should be com- municated promptly and is particu- larly important in the context of the department’s continued internal review, updates to [Supplier Performance Risk System] tracking and reporting, and the pending publication of the Govern- ment Accountability Office’s report on CMMC.”
The Pentagon has been reviewing the program and is expected to release
its findings later this year. Meanwhile, the CMMC Accreditation Body, which is responsible for establishing the pro- cesses for assessments and training, has moved ahead on training individual assessors and organizations.
The letter also states that “the lack of clarity during the review
process has increased
uncertainty throughout
the [defense industrial
base] and among com-
mercial vendors seeking
to provide covered com-
mercial items. Changes
to CMMC, for example, would conceiv- ably impact the timeline, scope and manner of implementation for program requirements.” Furthermore, addition- al federal cybersecurity requirements could lead to “operational impacts that result in procurement inefficien- cies and contractual modifications that are passed on to the government.”
The letter comes nearly a year after the CMMC interim rule was passed and months after DOD has made any public comments about the program’s status.
Jesse Salazar, deputy assistant sec- retary of defense for industrial policy,
told a Senate committee in May that CMMC was DOD’s “most ambitious cybersecurity program for the [defense industrial base] to date,” and it required additional considerations, including making adjustments to “de-conflict and streamline multiple cybersecuri- ty requirements to prevent duplicative assessments.”
But the need for DOD to communi- cate directly and more frequently with industry was a central theme of the six- page letter from the trade associations,
which noted that a lack of guidance could make it difficult for companies to prepare to meet the standard and set inter- nal budgets.
The associations’ rec- ommendations for DOD include clarifying policy and process questions about the Defense Federal Acquisition Regulation Supplement, aligning CMMC and cybersecurity directives in contract language, and standardizing the labeling of controlled
unclassified information.
“With urgency and criticality, if
DOD is considering major changes to CMMC, we strongly recommend that these be aired with industry before any final decisions are made since it is industry that bears the responsibil- ity to meet the department’s security requirements,” the letter states.
— Lauren C. Williams
FCW CALENDAR
10/20 Supply Chain
A wide range of experts
from government and industry will present at the NASA SEWP Supply Chain Risk Management Virtual Forum.
Online
FCW.com/SCRMForum
10/26 Automation
DOD’s EricaThomas,
the IRS’ Shanna Webbers, GSA’s James Gregory and USCIS’ Meikle Paschal
are among the speakers at FCW’s Automation Workshop.
Online
FCW.com/automation
11/4 CDM
Manager Richard Grabowski, Deputy Program Manager Betsy Kulick and a wide range of other government speakers will present at FCW’s CDM Summit.
Online
FCW.com/CDM
Acting CDM Program
September/October 2021 FCW.COM 3