The Pentagon will finalize and announce changes to its Cybersecurity Maturity Model Certification program “very soon,” as it looks to strike a balance between increasing the security of the defense industrial base and addressing cost concerns about the cybersecurity auditing program, according to a Defense Department acquisition official.
Christine Michienzi, chief technology officer for the deputy assistant secretary of defense for industrial policy, said DoD is continuing to revise the CMMC program based on feedback from industry and “internal government activities.”
Deputy Secretary of Defense Kathleen Hicks launched a wide-ranging review of the program earlier this spring.
“We are, again, including feedback from industry on that to make sure that this is the system that is going to be the best system for the department and for industry, to make sure our intellectual property and our advances are protected, but not be overburdensome to industry, because we need to make sure we’re partnering and fighting cybersecurity risks, but make sure that it is done in a way that benefits us all,” Michienzi said Monday during a conference hosted by AFCEA and the Intelligence and National Security Alliance in National Harbor, Maryland.
The CMMC program is aimed at certifying the cybersecurity practices of potentially hundreds of thousands of industrial base companies. Firms would have to meet a required cybersecurity “level” before they could win a contract. DoD planned to begin rolling it out this year prior to the review.
The program entails several levels of cybersecurity, ranging from basic security practices at level one to advanced cybersecurity at level five. The Pentagon has signed a contract with an independent, third-party CMMC “Accreditation Body” made up of industry officials to oversee the auditors who will certify a business’s cybersecurity practices.
But Michienzi suggested every aspect of the program is being reconsidered as part of the review.
“Everything is currently under review to make sure that that is the best mechanism that we can use, the independent auditors versus [the Defense Contract Management Agency] versus self-certification at the different levels, and what those levels need to be because the initial levels that were rolled out maybe need to be revisited,” she said.
Contractors have raised concerns about the opacity of the review process. The Information Technology Industry Council, the National Defense Industrial Association and the Professional Services Council banded together to send a letter to the Pentagon last week on the future of the CMMC program and related cybersecurity regulations affecting the defense industrial base (DIB).
“The lack of clarity during the review process has increased uncertainty throughout the DIB and among commercial vendors seeking to provide covered commercial items,” they wrote. “Changes to CMMC, for example, would conceivably impact the timeline, scope and manner of implementation for program requirements. Considering this uncertainty, contractors, subcontractors and suppliers may defer substantial investments pending communication and greater certainty about the program’s requirements.”
Asked whether companies should change what they’re doing as they await the results of the review, Michienzi said they shouldn’t make “any major changes” with guidance coming out shortly.
“We will be finalizing any changes to CMMC very soon, and we will be transmitting that to you,” she said. “But I would just continue on the way you are until that time comes, because there is going to be still the need to have cybersecurity practices in place, to have them verified and validated in some way.”