
Industry opinion on the latest CMMC regulations

After much anticipation, the FAR Council has unveiled a proposed rule that will introduce the requirements of the Defense Department’s Cybersecurity Maturity Model Certification program into the contracting process. As you might imagine, those who will have to comply with these regulations have some thoughts about what they will mean in the future. To find out what those will be, Federal Drive with Tom Temin welcomes Stephanie Kostro, vice president of policy at the Professional Services Council.

Interview transcript:

Eric White After much anticipation, the FAR Council has unveiled a proposed rule that will introduce requirements from the Department of Defense’s Cybersecurity Maturity Model certification program into the contracting process. As you might imagine, those who will be required to comply with these regulations will have some thoughts about what they mean in the future. To find out what it is, we invite Stephanie Kostro, vice president of policy at the Professional Services Council. Ms. Kostro, always a pleasure.

Stephanie Kostro Thank you very much for the invitation.

Eric White So why don’t we just start, just for the top level and just for those who may not be avid fans of the Federal News Network, because this is something we’ve covered extensively, the Cybersecurity Maturity Model certification program. What does it do and what is its purpose?

Stephanie Kostro Thanks for the question, Eric, and it’s always good to set the bar to make sure that everybody knows what we’re talking about. This latest proposed rule is something that we’ve been waiting for for a couple of years. Let’s call it the CMMC program. So I don’t have to go through the whole gamut of what you just went through, but the proposed rule that came out last week contains proposed changes to DFARS with actual clauses, with actual requirements around cybersecurity. It’s going to affect tens of thousands of government contractors who work in the defense sector. And let me just unpack that, because you mentioned there are a couple of rules. There was a proposed rule that came out late last year, in December 2023. It affected the federal group code, Title 32 of the federal regulations as an overview of what CMMC is. This latest proposed rule is where theory meets practice. It actually sets out clauses that contain requirements. And it’s something that we’ve been eagerly awaiting, as I said, for years.

Eric White It took a long time. So it was almost like DoD knew what was going on before they set these new parameters. If you can give us an equally good summary of the CMMC program itself, can you give us a quick overview of what these two new rules are and what exactly they mandate for contractors who want to do business with the Pentagon?

Stephanie Kostro The earlier proposed rule that came out in December 2023 was an overview of the CMMC program and what it does and doesn’t do. This latest proposed rule, and I should hurry, this initial proposed rule that came out a few months ago, is now in the final rule phase, supposedly in the Office of Management and Budget. We’re eagerly awaiting what that final rule says. But this second rule that came out last week, which focuses on the CFR, is Title 48 of the rules. They talk about how contractors have to assess their cybersecurity measures. This proposal requires that contracts maintain a third-party cybersecurity assessment. What we’re seeing now is that some companies can do their own assessment. Some companies have to get that third-party assessment. And there are requirements that flow through the supply chain to subcontractors, and that’s going to be very, very difficult to do. So again, as I said, this is where theory meets practice. We’ll have a lot of feedback on the feasibility of how far we can pass these requirements on to subcontractors. Frankly, some of them may not even know they’re on a defense contract and that they have to do this. And so it’s going to be a long implementation process, with hopefully a lot of opportunity to get feedback from industry as we go along.

Eric White We’re talking to Stephanie Kostro. She’s the vice president of policy at the Professional Services Council. Getting away from just the specific rules when it comes to this implementation process and giving everyone enough time to analyze and prepare, how do you measure that and how do you evaluate the work that the CMMC program is doing to make sure that it’s not just passing it on to too many, as you mentioned, contractors and subcontractors who may not even know that this is affecting them?

Stephanie Kostro That’s a great question, Eric. There’s a three-year implementation period built into this proposed rule. And if the rulemaking process is any indication, we have until October 15th to submit comments. They got over 400 comments last time on the previous proposed rule. So they’ll get hundreds of comments on this one as well. They’ll integrate them, hopefully, into the final rule and we’ll see that in 2025, I think, and then the three-year countdown will start. I think it’s going to be interesting to see how seriously the government takes industry feedback and stakeholder feedback more broadly. It’s not just about profit, private contractors. It’s academics and other entities that work with the Department of Defense. Frankly, we really want to see how contracting officials are going to implement these requirements into the procurement, how they’re going to require them, and then what the evaluation, award, and implementation elements are going to look like. And we really have questions about whether these requirements are making companies more cybersecure. And I’ll give you an example, Eric. One of them is the recent hacking that we’ve seen in political campaigns. We’ve seen both political parties recently suffer from hacking attacks. Would the measures that are being implemented in the CMMC prevent these types of hacking attacks? I think the answer is probably no. And so, moving forward, we’re looking at a very practical way for contracting officers to implement these requirements into contracts, but we’ll also want to assess whether that makes a difference or whether it’s really a compliance and documentation exercise, which I think we all want to avoid. We want to avoid the appearance of cybersecurity without the actual cybersecurity, so that’s something that we’re watching very closely. One of the reasons that CMMC has been so difficult to implement to date is that the cybersecurity requirements change so often. You always have to stay ahead of potential adversaries, and that’s incredibly difficult. I want to make sure that CMMC and the program that we’re implementing is flexible and agile so that we can respond to whatever needs arise to maintain cybersecurity.

Eric White Beyond trying to avoid “security theater” and simply provide security for security’s sake, does the contracting community support CMMC in general because it will provide some uniformity in what is needed to fulfill a defense contract, rather than having to address different needs and different considerations piecemeal or on a “salad bar” basis?

Stephanie Kostro I like that term, the salad bar. I think, yeah, that’s an interesting question because contractors don’t typically like compliance requirements, right? I mean, it makes their lives a little bit harder, even though they see the need for them. That said, there’s a lot of interest in making sure that the requirements are consistently applied so that when you meet the requirements, you know that you’re meeting them, you have confidence in that, and then you can go out and bid and win and execute contracts. I would also say that PSC is active in one area, and that’s because of our 400-plus member companies, a fraction of them are defense contractors. A large portion of them are not defense contractors. They work for HHS, Homeland Security, other agencies in the federal government. It’s going to be an expensive undertaking to become CMMC compliant and maintain that compliance over time. It’s going to be a burden on defense contractors that’s not necessarily a burden on civilian agency contractors. And as we move forward, that level of consistency, what’s required to be cybersecure? You should be able to answer that question across the government, whether you work for DHS or DOD or one of the intelligence agencies or Veterans Affairs. Cybersecurity is one of those things that we all have in common, so I think that’s the question where we’re looking for consistency across defense contracts, but also consistency across the board.

Eric White Well, we’ll see how the implementation process goes. This is Stephanie Kostro. She’s the executive vice president of policy at the Professional Services Council. Thank you very much for sharing that information with us.

Stephanie Kostro Thanks Eric, take care.

Eric White And you can find this interview to share or listen to on our website. Go to federalwsnetwork.com/federaldrive.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located in the European Economic Area.