Ready or not, the Department of Defense Cybersecurity Maturity Model Certification Program is here. The proposed rule has been released and the industry is commenting on what it believes will be a costly burden for contractors. Rogers Joseph O'Donnell attorney Bob Metzger assisted the Government Procurement Coalition in preparing its comments. He joined Tom Temin on the Federal Drive in the studio earlier.
Bob Metzger: I think the Department of Defense actually wants this rule to go into effect, and go into effect in October 2024. They want to do that in part because there's something called the Congressional Review Act. This gives Congress 60 consecutive days in a single session to consider important rules and decide whether to recommend to the president that he effectively exercise his veto power. Well, if the rules are released near the election, the 60-day period will last from next year until the next Congress. And that would not only delay things to the first or second quarter of 2025, but if we have a president who is hostile to this rule, he could actually decide not to move forward with that rule. So the Pentagon, you know, is targeting to release this in October. The rule is scheduled to come into effect in fiscal year 2025, starting October 1st of this year. However, there are two parts to the rule. This is a proposed rule under Title 32 of the Code of Federal Regulations, which the Department of Defense was kind enough to propose to industry the day after Christmas. I think it was 232 pages in single-spaced format, but the Federal Register reduced it to just 81 pages. This is an absurdly long rule that doesn't really change as much as the Pentagon promised. Well, there were a lot of comments. If the Department of Defense wants the industry to say, “Great, we love it,” stop it already. Therefore, the Department was able to quickly complete adjudication of comments. I think the Department of Defense has a little bit of a challenge because there are a lot of them. There are hundreds of comments, some quick and light, some small and simple, but quite a few very substantive.
Tom Temin: And it's not just robocomments where people send 10,000 postcards. So people are thinking seriously about this because hundreds of thousands of businesses could be affected.
Bob Metzger: That's right, there are 220,000 businesses affected through all three levels of the CMMC, with approximately 75,000 businesses in Level 2. These are the ones that will ultimately require a certified assessment. Additionally, there are approximately 1,500 companies in the more demanding Level 3. And these, too, will require evaluation, albeit in different forms. There are so many companies out there, each one different and with a somewhat different perspective on this. And one of the challenges of this rule is to match the complexity of this huge maze to the actual defense industrial base, which is no longer the same anywhere. And it's about finding something that's actually feasible, affordable in terms of human, financial, and technical resources, and that actually succeeds in increasing the protection of the DIB against leakage of sensitive information.
Tom Temin: We're talking with Robert Metzger, an attorney at Rogers Joseph O'Donnell, who says that the context for all of this is a shrinking defense industrial base and a decline in small business participation in federal procurement in general. I also have problems. I think part of it is the huge increase in requirements and compliance regulations that small businesses have to go through, not just in cybersecurity, but in many other areas. Companies will say, “What do we need this for?”
Bob Metzger: It's a basic tension. Approximately 70,000 to 75,000 companies manage non-classified information and must undergo certification assessments when the time comes for that requirement to be included in contracts. 75% of them, or about 50,000 companies, are actually small and medium-sized enterprises. Right now, the Department of Defense has been telling industry that it already needs to comply with the basic cyber obligations of NIST Special Publication 800-171. But there's more to it than just checking the 110 requirements in the rules. Each of these is just one sentence. In fact, you must meet all 320 assessment objectives listed in the assessment guide that comes with the standard. There's a bit of an iceberg effect here. If you just say you're compliant with the 110 standard, that's relatively easy. But suppose a third-party evaluator were to examine your information system and look for evidence to support the achievement of 320 individual evaluation objectives. This means doing more work upfront and spending more money hiring professionals. And this is an important question. Deputy Secretary of Defense Hicks has repeatedly and vocally emphasized the importance of keeping small businesses in the DIB. More importantly, she emphasizes the need for national security to bring small, innovative companies into the DIB. But there's a huge burden of well-intentioned cyber rules at stake here, and I'm not sure the Pentagon has fully sorted out how to balance the actual burdens with the costs and benefits. It will not help the DIB if a small or medium-sized important participant decides to leave. Some of them are essential in certain supply chains.
Tom Temin: And you worked with the Government Procurement Coalition on its comments. Your comment was 19 pages long and quite comprehensive. I can't go through it line by line, but the bottom line is, what is it telling the Department of Defense? Scrap it, change it, reduce it, or what?
Bob Metzger: Well, we support this rule. But of course, every industry association, every comment starts with this word.
Tom Temin: Yes. Thank you for the opportunity. Yes.
Bob Metzger: We believe in national defense and others, but we support this challenging rule because the reason behind it is the acceleration and worsening of threats. And the regulations clearly state that the threats have worsened since the CMMC program began, and that the threats could have a devastating impact on U.S. mission capabilities unless we can prevent the Chinese and others from cyber infiltrating our defense industrial base. There are several important points. One is that this rule needs to be more flexible. You know, the way it's written now, there's a little bit of play in the joints, but not a lot. And this doesn't fit well. There are long and complex rules behind this arcane maze, and if we want them to work for all 70,000 companies at Level 2, or even 1,500 companies at Level 3, we have to have more discretion. We have to find a way to be able to accept that enough is enough. In other words, instead of evaluators maximizing their demands and insisting that every contractor they evaluate has evidence for all of their evaluation objectives, as much as possible, companies need to be clear about what they can do. A good enough answer will satisfy your requirements, even if there are probably better or more expensive answers elsewhere. This is very important. Another point we would like to make is regarding this Level 2. Sorry, Level 1. Level 1 is for federal contract information. It is a FAR requirement. Although it contains important information for all civilian agencies and the Department of Defense, approximately 150,000 companies covered by CMMC are subject to this Level 1 self-assessment and annual review of compliance. We say in coalition comments that the Pentagon should hold off and perhaps decline to pursue it. Level 1: is it worth it? Level 1 essentially imposes the same rating on 150,000 companies that don't expect this. Stringency applies only to 15 requirements. And will they be able to get anything meaningful?
Federal contract information does not have the same importance or impact for the Department of Defense. So if you really want all of this to be plausible, you should think about deferring the Level 1 affirmation. And we use the same evaluation method.
Copyright © 2024 Federal News Network. All rights reserved.