CMMC reciprocity in sight for 2021
The Defense Department is still figuring out how to give contractors reciprocity with the Cybersecurity Maturity Model Certification program and similar certifications, but the end is close, officials say.
The Defense Department is still figuring out how to save contractors money with its unified cybersecurity standard by authorizing reciprocity for mutliple government certification programs, but an answer could come by the end of the 2021 fiscal year.
One of the key pledges DOD needs to fulfill for its Cybersecurity Maturity Model Certification program is building on work contractors have already done to meet security requirements for programs like the Federal Risk and Authorization Management Program (FedRAMP).
Stacy Bostjanick, CMMC's director at the Defense Department's Office of the Undersecretary of Defense for Acquisition and Sustainment, said a team is working with the General Services Administration and DOD to align the requirements, methodologies, and levels of the two programs.
"FedRAMP allows for [plans of action and milestones] and CMMC does not," Bostjanick said Feb. 10 during an AFCEA NOVA event on IT and the intelligence community. "You've either got it or you don't."
Additionally, DOD has completed its reciprocity assessment for the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) that was stood up in 2019 and performed provisional audits, Bostjanick said, and a guidance memo is awaiting signature. FedRAMP guidance should follow suit by the end of the fiscal year.
The call for reciprocity has been a key sticking point for saving contractors money to comply with the new standard that is expected to be included in all Defense Department contracts by 2025.
Bostjanick said when it comes to allowable cost, what contractors can bill the government for reimbursement, "up to [CMMC] level 3 will be included in your indirect rates. So, you don't get a direct charge to do it, but you do get to recoup the cost over time; you have to spread it across all of your business."
CMMC Levels 4 and 5, the most expensive and technically challenging levels, would most likely be a direct charge to the contract, she said.
The call for increased defense industrial base security has heightened in the wake of the widespread, ongoing supply chain campaign that leveraged weaknesses in multiple technology vendors, including SolarWinds.
Bostjanick said that while CMMC, if fully implemented, wouldn't necessarily have prevented the attack, it would've allowed companies to be more aware.
"Everything that we've put in place is not going to 100% protect you against advanced persistent threats. It most probably, up to Level 3, would not have protected you against SolarWinds; it may have given you some indication that it was there," she said.
But the goal, she said, is for CMMC to become irrelevant as elevated cybersecurity practices become the norm.
"CMMC, really, my hope and prayer is that one day we don't even need it anymore because companies all become so aware and they have a culture of security and they start thinking in advance of these threats," Bostjanick said.