First you should what is CMMC program ? The Cybersecurity Maturity Model Certification (CMMC) program is an initiative established by the United States Department of Defense (DoD) to enhance the cybersecurity posture of organizations within the defense industrial base (DIB). CMMC, DFARS Rule Making Process are two interrelated frameworks that aim to improve the cybersecurity posture of firms cooperating with the US Department of Defense (DoD). While DFARS creates rules for defense contractors, CMMC offers a single standard for cybersecurity. Let’s investigate the importance of these measures and how they affect the military industry.

Background of CMMC, DFARS Rule Making Process

The Defense Federal Acquisition Regulation Supplement (DFARS) Rule Making Process and the Cybersecurity Maturity Model Certification (CMMC) developed as essential elements in improving the cybersecurity of firms working with the US Department of Defense (DoD). The defense industrial base (DIB) has established these projects in response to the changing threat landscape and the growing demand for effective cybersecurity solutions.

CMMC, DFARS rule making process

All Defense Industrial Base (DIB) companies that handle controlled unclassified information (CUI) while working with the Department of Defense (DoD) will require certification under the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program. The CMMC – enshrined in DFARS Clause 252.204-7012 – will consist of multiple levels of maturity, with each level representing a set of cybersecurity best practices and controls that a company must implement – with the goal of enhancing the cybersecurity posture of the DIB.

The CMMC rule making process began in January 2018, when the DoD released a Request for Information (RFI) to gather input from industry and other stakeholders on how to improve the cybersecurity of the DIB. The RFI received over 700 responses, which helped inform the development of the CMMC model.

What is CMMC v1.0 to v2.0 ?

In September 2020, the DoD released v1 of the CMMC model,[see DFARS Case 2019-D041] which included an interim rule and final set of cybersecurity best practices and controls for each level of maturity. The 5 levels of CMMC consisted of many confusing layers of a subset of controls.

Source: Regulations Gov

A small group of DIB companies piloted the model and provided feedback on its practicality and effectiveness. However, they did not receive it well, and now the DoD has presented its modified version 2 of CMMC.

cmmc v1.0 to v2.0

The DoD CMMC website offers further exploration of CMMC v2.0, which attempted to simplify v1.0.

DFARS Rule Making

What are Rules? Sometimes called regulations, they are legislative (or substantive), non-legislative, and organizational/procedural policies and procedures for the acquisition of supplies, services, and construction. The Defense Federal Acquisitions Regulation Supplement (DFARS) rulemaking process is extensive – 12 months being the standard timeline.

DFARS rule making is a process where the DoD proposes, publishes and finalizes new or updated regulations that supplement the FAR. This process includes a public comment period, where stakeholders can provide feedback on the proposed rules, and a final rule publication in the Federal Register.

The DIB is waiting for the publication of the final rule to solidify their full understanding of the requirements for the CMMC. The release of v2.0 gives them all a great aim that shouldn’t shift too far from its present model. However, the DoD continues to push the date out for the publication of the final rule. This is exemplified in the disparity of DFARS Case 2019-D041 report due date from February 2022 and January 2023 (Both pictured below).

“We are currently in the deliberative process and hoping to move into formal rulemaking imminently,”, Stacy Bostjanick, CMMC Program Director said during an interview with Inside Cybersecurity

Challenges

Despite the progress made, the CMMC implementation still needs to address several challenges moving forward. One of the biggest challenges is the cost and burden of implementing the CMMC for small and medium-sized DIB companies.

The lack of clear guidance on how to integrate the CMMC into existing cybersecurity compliance frameworks, such as the Federal Risk and Authorization Management Program (FedRAMP) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), poses another challenge. The DoD has stated that the CMMC will be complementary to these existing frameworks, but it is still unclear how the integration will work in practice. However, many believe that CMMC will integrate with FedRAMP for cloud service providers following the passage of the FedRAMP Authorization Act. In an interview with Inside Cybersecurity, Ms. Bostjanick stated that the requirements for Managed Service Providers (MSP) and Managed Security Service Providers (MSSP) would be leveraged, but they would not be disclosed until the rule is published.

Despite these challenges, the DoD Cybersecurity Maturity Model Certification rule making process has made significant progress.. The CMMC will be a valuable tool for enhancing the cybersecurity posture of the DIB, and will help protect the CUI that is so vital to the security of our nation. However, more work needs to be done to address the challenges and ensure the successful implementation of the CMMC.

Way Ahead

Should members of the DIB delay implementation of the CMMC requirements until the publication of the final CMMC rule? Not at all! If the organization does not have their CMMC certification or self-attestation uploaded by the time of contract award, then they are not eligible for the award of a contract requiring the processing, storing, or transmitting Federal Contracting Information (FCI) or CUI (inclusive of CTI, CDI, and ITAR controlled data). Priority Defense stands ready to provide full support to SMBs as they strengthen their security posture and effectively compete for contracting opportunities.

Download our FREE Self-Assessment Workbook

Stay up-to-date!
Get insights and tips from experts