Industry seeks more clarity on final CMMC rule
The cybersecurity certification will move forward even as companies continue to have questions about what defines controlled but unclassified information, cloud services and other requirements.
The final rule for the Cybersecurity Maturity Model Certification released Oct. 11 did not contain many significant changes, but there are still some areas that industry wants more clarification and guidance on.
CMMC is the Defense Department’s effort to secure so-called controlled but unclassified information that resides in contractors’ systems. The rule sets up a program for third-party certification for compliance with the National Institute of Standards and Technology's 800-171 standard.
One area that still needs clarification is the definition of what exactly is CUI, according to Eric Crusius, an attorney at the law firm Holland & Knight.
“DOD understandably stated [a definition] was not part of this rulemaking," Crusius said via email. But “it is such an important piece of the puzzle and there is not uniform understanding within government and outside government on how it is defined.”
In its comments to DOD, the Professional Services Council asks for guidelines on who contracting officers will determine CMMC requirements for “hundreds of thousands of DOD contracts each year.”
Crusius also raised the question of how DOD will apply CMMC to non-defense government-wide contracts such as the General Services Administration's Schedules and other vehicles.
Max Shier, chief information security officer at Optiv, said DOD needs to further explain CMMC requirements around cloud services.
“There is a lot of confusion still as to the requirements for cloud-based services and FedRAMP equivalency,” Shier said.
Redspin's CISO Thomas Graham raised a similar point.
“We expect that the community will ask for clarification on the responsibilities for FedRAMP equivalency and the adjudication process,” Graham said. “Granted, this falls outside the scope of the rule, but potentially impacts a number of organizations.”
The Coalition for Government Procurement is asking for more clarity on when CMMC requirements will flow to subcontractors and how many tiers of suppliers CMMC will touch.
Risk “varies enormously among contractors and is highly dependent upon the context of the information shared and the scope of work assigned to individual suppliers,” the COGP said in its comments.
The CGP also said that while commercial products do not have a CMMC requirement, there is concern that a contracting officer may push CMMC requirements onto those products unnecessarily.
The coalition wants DOD to have a mechanism for COTS suppliers to demonstrate that a CMMC requirement is not necessary.
Industry officials we spoke with pointed to areas that needed more clarity or guidance, but no one criticized the rule or the need.
Several commented that the final rule is another sign of how seriously DOD is taking CMMC and the risk posed by poorly protected CUI.
The road to get to this point has taken years and DOD has taken that into account with its rollout plans, one commenter said.
“It should be clear now that DOD is dedicated to this program and launching it quickly. It is their opinion that contractors have had more than enough time to get ready,” Crusius said.
Crusius and and others praised DOD’s decision to extend the length of phase 1 of the rollout by six months.
Originally, the plan for phase 1 was six months and then phase 2 would begin. But with the final rule, DOD said phase 2 would begin 12 months after phase 1 began.
DOD is using a four-phase rollout plan for CMMC. Phase 1 begins with the effective date of Dec. 13, unless Congress acts to block it, which is highly unlikely.
During phase 1, companies are to plan and prepare for a self or third-party assessment. During phase 2, companies will complete either a self-assessment for a Level 1 certification or a third-party assessment for Level 2 certification.
Phase 3 begins one year after phase 2 and requires companies to report their assessment results.
Phase 4 starts one year after phase 3 and requires that company complete any open items from their assessments. This particularly applies to companies seeking a Level 3 certification, the highest CMMC certification.
The consensus expectation is that DOD will require CMMC in all of its contracts by Oct. 1, 2026.