A group of technology industry groups have raised concerns with the Pentagon’s new cyber security contracting standards, offering recommendations aimed at ensuring the department avoids limiting competition and reducing access to new capabilities.
The six groups are specifically seeking to improve the implementation, administration and enforcement of the Cybersecurity Maturity Model Certification (CMMC), which is set to roll out this summer in 10 programs before being included in all contracts starting in 2026.
“We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs. These challenges could lead to the DIB being even less secure, if left unaddressed,” the groups wrote in their March 26 letter.
The letter from the Alliance for Digital Innovation, BSA: The Software Alliance, Cybersecurity Coalition, Information Technology Industry Council, Internet Association, The Computing Technology Industry Association was sent to Ellen Lord, the Pentagon’s top acquisition official, and Katie Arrington, the lead for CMMC.
The group notes it supports the Pentagon’s phased approach to rolling out CMMC, which will assign vendors a cyber security certification on a five-point scale, while expressing concerns standing up a new auditing body for the program and seeking clarity on procedures for subcontractors.
“That said, we are concerned that standing up a completely new third-party auditing process that will enable enterprise scale audits in 2020 is very ambitious and believe that more clarity about the CMMC’s scope and applicability is needed, if the timeline is to be met,” the group wrote. “It is conceivable – potentially even likely – that a subcontractor may be required to attain one level of certification for one contract or component, only to find out that a higher level is required on another contract.”
For subcontractors, the group is calling for the Pentagon to clarify a centralized approach to address “flow-down risk” and avoid having prime contractors “set different level requirements for substantially similar services.”
“This approach could require contractors and subcontractors to undergo certification multiple times at different levels, based on changing contract requirements – a scenario that is costly and inefficient,” officials wrote in the letter. “A more efficacious approach might be for DoD to evaluate, based on previous contracting histories, the anticipated certification requirements for contractors and subcontractors and provide upfront notification of these determinations or at least of illustrative examples, especially where there are multiple sets of cybersecurity requirements to consider.”
The CMMC rollout has also left questions on the scope of certification requirements, including dealing with subcontractors that don’t handle controlled unclassified information and how the standards will be applied to cooperative agreements and grants.
The group is also seeking clarification on whether contractors covered under this year’s CMMC pilot programs will need to recertify in three years, even though the program won’t be fully implemented until 2026.
“More guidance is needed about how to define organizational and logical system boundaries in order to determine the appropriate level of CMMC certification,” the group wrote. “At the current implementation speed, unless there is a continued commitment to improving CMMC in the areas noted, we are concerned it may limit competition and reduce the government’s access to new technologies, while also recreating many of the previously experienced FedRAMP accreditation issues that resulted in years-long delays for both government and industry.”