By John K. Higgins
Jul 7, 2020 4:00 AM PT
With billions of dollars of federal contracts at stake, information technology providers are being swept up in the tide of a new U.S. Department of Defense information security requirement that will become mandatory for IT providers and other companies doing business with DoD.
While IT companies already incorporate data protection elements in the products and services they provide to DoD, the department is raising the bar on the way vendors should handle information security. DoD is concerned about protecting “controlled unclassified information,” (CUI) which covers a broad range of topics including weapons and defense matters, nuclear issues, proprietary information, intelligence, and critical infrastructure.
The major difference between existing DoD measures and the new program is a requirement for independent ‘third party’ validation of vendor security capabilities, versus the current self-certification process. The Defense Department aims to include the Cybersecurity Model Maturity Certification (CMMC) requirement in a limited number of new vendor pilot contracts by year end, and then ramp up significantly in the next few years as the program will impact nearly 300,000 vendors in the “defense industrial base” (DIB).
Even with recently adopted data security measures including DoD regulations, and National Institute of Standards protocols, the department felt that security assurances provided by contractors themselves, fell short. “Unfortunately, self-verification was inadequate and didn’t provide a level of security that could consistently safeguard sensitive information. While some contractors complied with the requirement, others failed to meet the standards,” according to an analysis by Peerless Tech Solutions, a provider of cybersecurity services.
Certification Process Gearing Up
DoD will manage the security validation through the CMMC process, which it hopes to launch on a limited basis later this year — less than a year after announcing the initiative last January. The department is currently taking steps to incorporate CMMC in defense acquisition regulations known as DFARS.
“Once that process has been completed, CMMC will be able to be included as a requirement in solicitations,” said Katie Arrington, chief information security officer for defense acquisition and sustainment. “The department plans to release requests for information this summer to support initial CMMC pilots with our services and some of our defense agencies,” she told the E-Commerce Times.
While IT companies represent just one of many industries affected by the program, CMMC status will still be a major challenge, even for companies familiar with information security issues. The IT industry “will naturally be one of the most impacted sectors,” said Deniece Peterson, director, federal market analysis, at Deltek. “By its nature, IT requires vendors to collect and manage vast amounts of the department’s CUI,” she told the E-Commerce Times.
Those challenges include DoD’s ambitious timetable for launching the program, as well as inherent flaws in the design of the program, according to a letter sent to DoD by several IT industry associations, including the Computing Technology Industry Association and the Business Software Alliance.
“We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs. These challenges could lead to the DIB being even less secure, if left unaddressed,” the groups said in a joint letter to DoD. The groups pledged to work with DoD to resolve the issues.
Security Includes Multiple Layers of Protection
The CMMC program builds on current security protections but adds an additional element through a multi-layered approach to protect “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government” which involves “safeguarding or dissemination controls.”
DoD vendors must obtain a CMMC certification for at least one of seven levels of security related to the importance of the covered information, crosscut by 17 operational “domains” including access control, incident response, and identification and authorization.
DoD will implement the program through a non-government and not for profit “accreditation body” known as CMMC-AB, which was incorporated earlier this year. The CMMC-AB will establish a group of approved assessors who will examine a DoD vendor’s security capability and then issue certification at the appropriate level. CMMC-AB asked interested parties to provide market research on implementing the security assessment process by mid-June. The agency is currently preparing assessment methods based partially on the responses.
Gearing up for certification at the same time DoD is issuing requests for contract proposals or requests for information. This could be a little tricky for vendors. The CMMC Accreditation Body was set to begin training assessors at the end June 2020, after which it will start accrediting CMMC Third Party Assessor Organizations (C3PAOs). The department will not issue the first acquisitions with a CMMC requirement until the second quarter of the federal 2021 fiscal year, which starts in January 2021.
“The department’s initial rollout of the CMMC requirement will be a small number of selected solicitations. This timeline will give these companies six months to complete the appropriate level of certifications required by those selected solicitations,” DoD’s Arrington said.
Another issue for IT providers will be the cost of compliance with the CMMC program. Cloud providers already face increased costs for doing business with the DoD because of security requirements of the existing Federal Risk and Authorization Management Program (FedRAMP), noted Alex Rossino, senior principal research analyst at Deltek. “Because the DoD wants to make FedRAMP certification and CMMC reciprocal in the future, those costs could be mitigated somewhat. It is just too early to say one way or another. Non-cloud providers will definitely see increased costs related to achieving and maintaining CMMC,” he told the E-Commerce Times.
Compliance Cost Should Be Manageable
CMMC assessment costs “will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces,” DoD said in a website posting. “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive,” DoD said.
While industry groups work with DoD to resolve CMMC issues, they are also advising members on compliance. “We are looking now at how CompTIA can best support” the IT community, said spokesperson Steve Kidera. The organization’s programs and training capabilities are “ideal ways companies can give their employees a solid foundation for CMMC,” he told the E-Commerce Times. BSA held a CMMC webinar for members in late June.
The program could provide a boomlet in business for Managed Security Services Providers (MSSPs) which offer cybsersecurity advice and related data services. When DoD began preliminary work on CMMC, Peerless restructured its organizational strategy “to align our offerings with the regulations outlined by early CMMC model releases,” said Brian Seeling, CEO and managing partner. The websites of such firms, whether large or small are, increasingly promoting their CMMC capabilities.
“In the beginning we did not see many competitors in our space, but have witnessed a marked increase in CMMC consultation services being offered since the official release of the CMMC protocol,” Seeling told the E-Commerce Times. “As CMMC level requirements begin to be included in requests for proposals released by DoD, we fully expect to see the rise of more and more CMMC focused MSSPs,” he said.