Concerns Arise that DoD’s CMMC Timeline is Too Aggressive
Experts are suggesting the DoD is moving forward (perhaps a bit hastily) in releasing its long-awaited Cybersecurity Maturity Model Certification (CMMC). Additionally, experts in cyber law suggest the CMMC lacks overall clarity, which could complicate the 2020 rollout.
Attorneys specializing in federal cyber procurement have many questions regarding the CMMC and are not exactly confident in the DoD’s ability to achieve a smooth release. There are many unanswered questions that have yet to be clarified. For example, the five security levels that will be assigned by the DoD to its contractors are not entirely clear.
What we do know is that the CMMC will consist of 5 levels, from Basic Hygiene (Level 1) to Advanced (Level 5). What we don’t know, according to attorneys, are the precise requirements that will be expected for each level. The DoD says Level 3 will be the closest to the current National Institute of Standards and Technology (NIST) 800-171, a set of existing cybersecurity standards with which most, if not all, DoD contractors are already familiar. However, Level 3 in the recent DoD draft release doesn’t accurately align with the existing 800-171 guidelines, causing confusion.
Another area of uncertainty is the overall cybersecurity level and how it applies to companies wishing to team together on a contract bid. The prime contractor, of course, will be expected to meet the required level threshold. However, it’s unclear whether this threshold will also be required of subcontractors and of every other company in the teaming arrangement. Prudence (and common sense) dictates that all parties will be expected to adhere to the same security level, although the recent CMMC draft did not elaborate on this key point.
The CMMC release is only months away and 300,000 contractors and suppliers will require DoD certification. With all the questions and uncertainty, this one should get interesting.