With CMMC rule final, DoD focused on training, small business relief
The Pentagon’s Cybersecurity Maturity Model Certification, or CMMC, requirements are set to go live in November after years of rulemaking.
Defense Department officials are now rolling out acquisition training to get both government and industry up to speed on implementation of the CMMC program. DoD officials have laid out a “phased” implementation approach for the sweeping cybersecurity requirements.
“We’ve done the implementation plan through the rule. It’s very well laid out,” Stacy Bostjanick, chief of defense industrial base cybersecurity in DoD’s office of the chief information officer, told reporters on the sidelines of the Billington Cyber Summit in Washington on Wednesday.
“We’ve put out a lot of memos,” she continued. “I think the new things that will be coming out are the training classes. We have several training classes through [Defense Acquisition University], working on a couple of videos, vignettes for people, a YouTube kind of thing to try to help educate people. The main thing is just the training to get people up to snuff.”
A senior DoD official told Federal News Network that as of July, more than 300 students had completed DAU’s introductory course on CMMC.
Additionally, more than 1,700 students had completed DAU webinars covering the basic safeguarding of covered contractor information systems, and more than 1,300 students had completed DAU webinars on the National Institute of Standards and Technology controls that form the basis of CMMC.
Bostjanick said the Pentagon is also working with the Small Business Administration “to see if there’s any relief or anything we can do to help the small businesses financially.”
“But those conversations are just in the beginning stages,” she added.
DoD published the final acquisition requirements for CMMC in today’s Federal Register. The rule becomes effective 60 days after publication, on Nov. 10.
The publication of the final acquisition rule marks the end of a years-long rulemaking saga to make CMMC a reality. The goal of the program is to ensure defense contractors are following existing cybersecurity standards for protecting controlled unclassified information.
The “CMMC 2.0” requirements are intended to do that through self-assessments for more benign data, as well as third-party audits for contractors handling more sensitive data, such as weapon system specifications.
“We expect our vendors to put U.S. national security at the top of their priority list,” Kate Arrington, who is performing the duties of the DoD chief information officer, said in a statement this week. “By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.”
In a July 28 memo to senior DoD officials, Arrington laid out, “Resources for Implementing the Cybersecurity Maturity Model Certification Program.” The memo points to various CMMC guidance, training and resources.
It also provides an overview of the “phased timeline” for CMMC implementation. A senior DoD official told Federal News Network that the goal of the memo was to ensure senior DoD leaders are familiar with the phased approach.
[Figure: CMMC phased implementation timeline. Source: July 28 DoD memo, “Resources for Implementing the Cybersecurity Maturity Model Certification Program”]
“The DoD understands that industry has concerns about their ability to meet these requirements in a timely manner, and the implementation plan is specifically designed to begin with self-assessments,” the official said.
DoD laid out the three-year implementation plan in the CMMC program rule finalized last year. The phased plan “is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements,” DoD wrote in that program rule.
The first phase, beginning on Nov. 10, will last one year. During it, DoD will include CMMC self-assessment requirements in all applicable solicitations and contracts as a condition of contract award.
During the first phase, DoD programs will have the discretion to require a third-party CMMC assessment in solicitations and contracts. But it will not automatically start including the third-party requirements until the second phase of the program.
During the following stages of the phased implementation, DoD will still have the discretion to waive or delay third-party CMMC assessment requirements. But DoD’s goal is to have CMMC fully implemented and adopted in every contract or solicitation within three years of the acquisition rule becoming effective, meaning DoD’s target date for full implementation is now Nov. 10, 2028.
The DoD CIO’s office also provided program managers across the department with more guidance on CMMC implementation in a January memo.
The post With CMMC rule final, DoD focused on training, small business relief first appeared on Federal News Network.