White House approves interim CMMC rule

NOTE: This story first appeared on FCW.com.

The White House approved an interim rule requiring defense contractors to prove they adhere to existing cybersecurity standards, clearing an important hurdle for the Defense Department's planned universal cybersecurity standard.

The Office of Information and Regulatory Affairs at the Office of Management and Budget approved an interim rule to will require defense contractors comply with the National Institute of Standards and Technology Special Publication (NIST SP) 800-171.

The text of the interim rule is pending publication but the publicly available abstract indicates that contractors would have to submit self-assessments regarding their implementation of "the system security requirements identified in the [NIST SP 800-171] on their information systems that process controlled unclassified information."

The interim rule is expected to come out by the end of this year with a delayed effective date, a DOD spokesperson told FCW in a statement.

"The rule has finished interagency review, and we are still expecting the rule to come out by the end of the calendar year," a DOD spokesperson said. "The [Defense Federal Acquisition Regulation Supplement] rule will be published as an interim rule with a delayed effective date. DOD will consider all public comments received on the interim rule in the development of the final rule."

That appears to mean that vendors will have to begin compliance immediately with the interim rule and their comments on that process will be taken into account when it comes to the formulation of the final rule.

"Defense contractors have not fully or consistently implemented the NIST SP 800-171 security requirements on their covered information systems," the summary text states in an "emergency justification" section that explains why the interim rule should take effect immediately in advance of a comment period. "Authorizing collection of this information on the effective date will motivate defense contractors and subcontractors who have not yet implemented existing NIST SP 800-171 security requirements, to take actions to implement the system security requirements on covered information systems that process controlled unclassified information."

But officials leading the CMMC project urged vendors to wait for the publication of the interim rule.

Katie Arrington, the chief information security officer for DOD acquisition, aimed to quell "rumors" about the content of the interim rule in a Sept. 24 LinkedIn post, writing that "any statements about the 'interim rule' content are premature."

"DOD will replace the current self-attestation method with DOD Audits and move to the CMMC (as the DOD has been clearly stating for over a year) and has always been based on the NIST 171," Arrington wrote.

Eric Noonan, the former global CISO for BAE Systems who is now CEO of CyberSheath, told FCW the new regulation was "calling industry's bluff" on cybersecurity.

"The Department of Defense has almost universally accepted self-attestation with contractors saying 'trust us, we met all of the requirements,' and the risk of being audited has been statistically very low," Noonan said. "The net result of all this has been a severely non-compliant supply chain with material weaknesses in some of the most basic aspects of cybersecurity."

Noonan added: "To prove that contractors have met their contractual legal obligations around cybersecurity, the Department of Defense is requiring the collection of assessment data from contractors related to the existing and fully enforceable clause," pertaining to the NIST 800-171.