Fingers crossed: DOD's CMMC lead anxious for November release


The proposed final rule for the defense industrial base's new cybersecurity standard could hit the street any day.

“November” was about all that Stacy Bostjanick could say about when the proposed rule for the Defense Department's new cybersecurity standard and certification for contractors will be released for public comment.

The leader of DOD's Cybersecurity Maturity Model Certification initiative also crossed her fingers or made the sign of the cross whenever the topic of CMMC came up during her Monday session at the 2023 Imagine Nation Executive Leadership Conference in Hershey, Pennsylvania.

Imagine Nation is an annual gathering of industry and government officials to discuss current challenges in the public sector, plus ways for them to collaborate.

Bostjanick told attendees she is as much in the dark about the exact timing of the release as the rest of industry.

The proposed rule, which will govern how contractors secure government data on their systems, is still under review at the White House's Office of Information and Regulatory Affairs.

OIRA apparently extended the review period by another 30 days last week. That extends the review until approximately Nov. 27. However, OIRA has the option of releasing the draft for comment anytime between now and then.

Everyone is anxiously awaiting the release. But Bostjanick can't talk about it, even as much as she wants to.

But she can talk about the need for stronger cybersecurity postures across the government. During her session, she used the example of China stealing plans for the F-35 fighter jet as a dramatic illustration of the challenge.

China has built a new copy of the F-35, all the way down to a flaw in the cockpit.

“They didn’t even try to fix that because they are cheaters,” she said.

Now instead of U.S. pilots relying on superior technology to survive, they have to lean on their individual skills to come home.

It’s not just the threat of stolen military secrets. It's about personal information, supply chains and just about anything else.

“They are coming for us,” she said.

CMMC will be a critical component of protecting government information, but Bostjanick also said the Defense Department recognizes that it won’t come cheap, particularly for many small businesses.

DOD has launched programs such as Project Spectrum with the Navy to help small businesses with training and assessments of their IT systems.

The department is also working on a pilot program to create an environment that small businesses could plug into and that would bring them into compliance with CMMC, Bostjanick said.

That pilot is starting out with 25 small businesses. But Bostjanick also acknowledged concerns about the costs of expanding it to the tens of thousands of small businesses in the federal market.

As her panel closed on Monday, Bostjanick issued a piece of advice we’ve heard multiple times as we’ve covered CMMC over the last two years – do not wait to be ready.

Don’t forget about our CMMC Summit coming Nov. 8. The rule may or may not be out by then, but in either case there will be plenty to talk about. Click here to register.