DOD's silence on CMMC is worrying industry, trade groups claim

Months of silence from the Defense Department on the status of the Cybersecurity Maturity Model Certification program are palpable and stirring unease among defense contractors, trade associations say in a letter to Deputy Defense Secretary Kathleen Hicks.

NOTE: This article appeared first on FCW.com

In a Sept. 8 letter to Deputy Defense Secretary Kathleen Hicks, the Information Technology Industry Council, National Defense Industrial Association, and Professional Services Council called for more transparency and communication from the Pentagon on the CMMC program.

"We believe it is important for the Department to remain publicly committed to the CMMC program to underscore the program's importance for national and supporting global cyber ecosystems," the letter states.

"This public commitment should be communicated promptly and is particularly important in the context of the Department's continued internal review, updates to [Supplier Performance Risk System] tracking and reporting, and the pending publication of the Government Accountability Office's report on CMMC."

The Pentagon has been reviewing the program and is expected to reveal findings later this year. Meanwhile, the CMMC Accreditation Body, which is in charge of standing up the necessary processes and organizations needed to conduct training and assessments, has pushed forward with training individual assessors and organizations.

"The lack of clarity during the review process has increased uncertainty throughout the [defense industrial base] and among commercial vendors seeking to provide covered commercial items. Changes to CMMC, for example, would conceivably impact the timeline, scope and manner of implementation for program requirements," the groups said, also noting that additional federal government cyber requirements could lead to "operational impacts that result in procurement inefficiencies and contractual modifications that are passed on to the government."

The letter comes nearly a year after the CMMC interim rule passed and months since the DOD has publicly talked about the program's status.

Jesse Salazar, the deputy assistant secretary of defense for industrial policy, told a Senate committee in May that CMMC was the Defense Department's "most ambitious cybersecurity program for the DIB to date" and required additional considerations, including making adjustments to "de-conflict and streamline multiple cybersecurity requirements to prevent duplicative assessments."

But a call for DOD to communicate with industry directly and more frequently was a common theme throughout the six-page letter from the trade groups, particularly regarding how a lack of guidance can hamper companies trying to prepare to meet the standard and set internal budgets.

The letter also included several recommendations for DOD, such as clarifying policy and process questions around the DFARS requirements, aligning CMMC and cybersecurity directives in contract language, and standardizing the labelling of controlled unclassified data.

"With urgency and criticality, if DoD is considering major changes to CMMC, we strongly recommend that these be aired with industry before any final decisions are made since it is industry that bears the responsibility to meet the Department's security requirements," the groups wrote.