The Department of Defense (DoD) has had an ongoing problem – the cybersecurity of its defense industrial base contractors. An interim rule scheduled to be published in the Federal Register tomorrow is the department’s next step in addressing that problem.
The rule – posted as an unpublished document in the Federal Register today and set to be published on Sept. 29 – adds a mechanism to begin immediately assessing whether contractors are implementing the cybersecurity requirements while DoD’s Cybersecurity Maturity Model Certification (CMMC) and the processes with the related Accreditation Body (AB) are solidified.
That step is not unlike companies’ self-attestation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls that has happened in the past. But the self-attestation will have the force of future regulation following soon behind it.
“In fact, while this rule includes a delayed effective date,” said the document, which becomes effective 60 days after its publication, “contractors and subcontractors that are required to implement NIST SP 800-171 pursuant to DFARS [Defense Federal Acquisition Regulation (DFAR) Supplement] clause 252.204-7012, are encouraged to immediately conduct and submit a self-assessment as described in this rule to facilitate the Department’s assessment.”
The CMMC marks a change from the previous system where “neither the FAR clause, nor the DFARS clause, provide for DoD verification of a contractor’s implementation of basic safeguarding requirements or the security requirements specified in NIST SP 800-171 prior to contract award.” Under the process as it works now, companies “self-attest” that they have implemented basic security requirements, said Katie Arrington, the DoD’s CISO for Acquisition and Sustainment, during a March event.
A 2019 DoD Inspector General report found that “contractors did not consistently implement mandated system security requirements for safeguarding CUI [controlled unclassified information].” Some of these cybersecurity requirements have been in effect since 2013, but there has not been a departmental mechanism to check and verify they are being implemented.
As the interim rule is published, the CMMC-AB is continuing to develop the process of assessment and verification.
“We’re continuing forward to develop the ecosystem,” said Karlton Johnson, now chairman of the CMMC-AB after a September change in the organization’s leadership. He said earlier this month that the first provisional training of 25 assessors had been “just completed.”