Last week we reported on developments in the Department of Defense's (DoD) efforts to implement enhanced Defense Industrial Base cybersecurity requirements. Following our report, Katie Arrington, DoD Chief Information Security Officer in the Office of the Undersecretary of Defense for Acquisition and Sustainment, confirmed our thoughts that the DoD’s rollout of Cybersecurity Maturity Model Certification (CMMC) requirements in Requests for Proposals (RFPs) was likely to be impacted by COVID-19.
Specifically, she advised that the pilot RFPs to include CMMC are now on track to be released in November, approximately 60 days later than the originally targeted September rollout. She indicated that CMMC will not be included in DoD contracts until the rule is “completed.” The rule, which we understand will be a revision of the current DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, to include CMMC rules, is now identified for completion in October. However, this schedule may change depending on whether DoD follows through on its statements that it is going to have the rule go through a formal public hearing and rulemaking before being finalized. Given COVID-19 shelter-in-place rules and travel restrictions, hosting an in-person public meeting on the proposed rule could pose challenges to this schedule. Perhaps DoD will instead host a virtual meeting to receive input into the revised rule. If so, it will have to take care to protect the meeting against hacking.
It is clear that China and other countries are increasing attacks on cyber targets. DoD contractors and their supply chains should be taking steps now to enhance their cybersecurity in accordance with the current version of CMMC. It is not a question of whether DoD will proceed to implement CMMC, but when. Further, contractors that have a Plan of Action and Milestones (POAM) to implement NIST SP 800-171 requirements should continue that implementation to ensure that they are complying with their contract requirements.
Notwithstanding the above, Ms. Arrington did advise that DoD Requests for Information for incorporation of CMMC rules into contract requirements are still planned for release in June.
Stay tuned for further developments.