The planned Cybersecurity Maturity Model Certification (CMMC) requirements for defense contractors are encountering significant delays, higher costs, and resistance. While these may just be growing pains, there are also alleged improprieties involving Department of Defense (DoD) and CMMC Accreditation Body (CMMC-AB) officials.
CMMC is a multilevel cybersecurity model that is supposed to be included in all defense contracts by 2025. All defense contractors, large and small, will be required to implement cybersecurity controls and be independently assessed. A perfect 100% assessment score of the implementation of the appropriate CMMC level controls will be required for certification by the CMMC-AB, meaning that contractors will not be able to delay the implementation of controls, as they can now.
In the meantime, all defense contractors that access, store, or process Controlled Unclassified Information (CUI) are now required to implement the 110 cybersecurity controls defined in NIST Special Publication 800-171, self-assess their implementation, and post a score in a federal database to qualify for new defense contracts or renewals of existing contracts.
The Defense Industrial Base (DIB) is made up of 300,000 businesses. A small percentage are prime federal contractors that bid on large projects like fighter jets, ships, military bases, and weapons systems. Because the DoD requires that a percentage of each contract must be completed by smaller businesses that subcontract to the large primes for components and services, many subcontractors are small and have fewer than 50 employees. For some subcontractors, defense-related projects make up the majority of their revenue, but many rely more on commercial business, and defense contracting is just a small percentage of their revenue.
When CMMC was introduced in 2020, it was announced that assessor training and certification would take place by the summer of 2021. Now the goal is to have training in place by the end of 2021.
Also in 2020, the CMMC-AB announced that it expected hundreds of organizations to become Certified Third-Party Assessor Organizations (C3PAO) by the end of 2021. To date, only three companies have been certified. However, those certifications are provisional because the CMMC-AB has not yet been officially certified as an accreditation body, which will require organizational changes including spinning off its training program into a separate corporation.
An interim rule was published in the Federal Register that included several new requirements: the NIST 800-171 self-assessment, the ability for DoD auditors to validate those self-assessments, and the inclusion of CMMC in contracts starting in federal fiscal year 2026, which begins in October 2025.
It was expected that the interim rule would become a final rule by May 2021. Instead, the DoD announced that its Inspector General is conducting an “internal review” of CMMC and the current cybersecurity requirements, based on complaints about the program and alleged crimes and improprieties within the DoD and the CMMC-AB.