The Department of Defense is collaborating with Federal civilian agencies to impose a new Federal Acquisition Regulation (FAR) rule that would apply new Cybersecurity Maturity Model Certification (CMMC) requirements to vendors that handle controlled unclassified information, according to the DoD CMMC lead.
Stacy Bostjanick, chief of defense industrial base cybersecurity within the Office of the DoD CIO, said the idea behind that move is to better protect Federal information. Toward that end, any Federal civilian contractors that handle the government’s sensitive data will have to meet basic cybersecurity standards much like those that are set to be imposed on defense contractors under the CMMC program.
“There is a FAR rule that’s going to be coming out that implements the [National Institute of Standards and Technology’s (NIST)] SP 800-171 and the 800-172. And it’s going to go across all Federal government,” Bostjanick said during a virtual event hosted by PreVeil on April 4.
Currently, Federal contractors are required to meet 15 basic cybersecurity requirements to secure the sensitive information they handle. But, according to Bostjanick, applying the NIST standards would expand that requirement significantly, to the same 110 controls under SP 800-171 that CMMC will also enforce.
“We are working with the Federal CISO Council today to try to make sure that we’re consistent across all of the Federal government, how we view those 110 controls [under NIST SP-800-171], so we’re not going to be onerous on the industry partners,” said Bostjanick.
CMMC requires a third-party assessment organization to attest that defense contractors meet all 110 of those controls. However, it’s unclear if the FAR rule would require the same assessment, or instead leave it up to contractors to self-attest.
CMMC is “coming across all of the Federal government, you might as well get out in front of it and be one of the first,” Bostjanick said in a message directed to contractors that might be hesitant to kickstart CMMC compliance.
According to Bostjanick, the final rulemaking for CMMC is still in the works but should be delivered sometime later this year. Bostjanick was unable to comment on what is included in the final rule, but she did say nothing will change concerning the 110 controls the latest iteration of the program will be based on.
Bostjanick acknowledged that many contractors have claimed CMMC accreditation will be expensive and burdensome for them, but she explained that “CMMC is coming, it’s not going to go away, the waiting is not going to make the pain any less.”
“Complying with the NIST 800-171 is just the basics, guys. It’s not the crème de la crème protection that’s going to protect you from everything. It’s going to protect you from the basic hacker, right? And, you know, the one thing is, implementing those standards not only protects my data and meets your requirement for DoD. It also protects you,” she said.