New rule could impose CMMC-like cyber requirements for civilian agency contractors
It’s an idea that’s been tossed around for quite a while now: To better protect federal information, any federal civilian contractors that handle the government’s sensitive data will have to meet basic cybersecurity standards much like those that are set to be imposed on defense contractors under the Cybersecurity Maturity Model Certification program, best known as CMMC.
According to Stacy Bostjanick, the head of CMMC at the Department of Defense, that’s inevitable and now in the works.
“There is a [Federal Acquisition Regulation] rule that’s going to be coming out that implements the [National Institute of Standards and Technology’s special publication] 800-171 and the 800- 172. And it’s going to go across all of federal government,” Bostjanick said during a virtual event hosted by cloud encryption company PreVeil.
The FAR already requires federal contractors to meet 15 basic cybersecurity requirements to safeguard agency information handled by those firms. But by applying the NIST standards, that would be significantly expanded to the same 110 controls that fall under 800-171, which CMMC will also enforce.
The DOD is “working with the federal CISO Council today to try to make sure that we’re consistent across all of the federal government, how we view those 110 controls [under NIST SP-800-171], so we’re not going to be onerous on the industry partners,” said Bostjanick, who was recently promoted to chief of defense industrial base cybersecurity within the Office of the DOD CIO.
While CMMC requires a third-party assessment organization to attest that defense contractors that handle controlled unclassified information meet all 110 of those controls, it’s unclear if the FAR rule would require the same or instead leave it up to contractors to self-attest, as has been the case in the DOD until CMMC was introduced.
Members of the FAR Council at the General Services Administration and Office of Management and Budget could not be reached for comment.
An OMB spokesperson directed FedScoop to a rule proposed jointly by DOD, GSA and NASA that would apply the National Archives and Records Administration’s controlled unclassified information (CUI) program requirements “in Federal contracts in a uniform manner to protect CUI. This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect and respond to increasing sophisticated threat actions targeting Federal contractors.”
Speaking openly to those contractors that might be hesitant to kickstart their journey to CMMC compliance as they wait to see what might happen with contractor cyber standards on the civilian side of government, Bostjanick said: “It’s coming across of all federal government — you might as well get out in front of it and be one of the first.”
The final rulemaking for CMMC is still in the works and should be delivered sometime later this year. While Bostjanick cannot comment on what will be in the final rule, she did say nothing will change when it comes to the 110 controls the latest iteration of the program — CMMC 2.0 — will be based on.
“CMMC is coming, it’s not gonna go away, the waiting is not going to make the pain any less,” she said, acknowledging the many contractors that have claimed earning a CMMC accreditation will be expensive and burdensome to them. Complying with the NIST 800-171 “is just the basics, guys — it’s not the creme de la creme protection that’s going to protect you from everything. It’s going to protect you from the basic hacker, right. And, you know, the one thing is, implementing those standards not only protects my data and meets your requirement for DOD. It also protects you.”
The Department of Homeland Security at one point explored the possibility of a CMMC-like program for its contractors, but it’s since pivoted away from that measure to instead relying on vendors to self-attest their security compliance and overall cyber hygiene.