As the Department of Defense (DoD) pushes to overhaul cybersecurity requirements with a new Cybersecurity Maturity Model Certification (CMMC) program to be implemented in the fall of 2020, I recently provided insights for an article in Law360 that highlighted some potential challenges the quick rollout and still-unanswered questions could present. Contractors generally welcome the unified and modernized approach to cybersecurity, but many questions have remained unanswered since the initial drafts were released in May and in September, and some are concerned that the perceived rush is creating undue stress and confusion.
As a result, the September draft of the CMMC program received a large volume of public comments, which Todd noted was unusual given the limited time available for comment. As one solution the DoD could adopt in the final rule, I suggested the Department ensure that minimum cybersecurity levels are included in contracts as pass-fail threshold requirements, rather than as subjective assessments that could open up new grounds for bid protests.
Another challenge is the need to certify an estimated 300,000 contractors through third-party auditors. The Pentagon only recently called for nonprofits to express interest in conducting oversight on those auditors, and it will take time for any interested nonprofits to get started – which will be even further delayed if any related contract is protested.
“Think about the volume of contractors that will be required to go through this third-party assessment, or audit,” I said in the article. “That’s just a lot of companies. So it’s a little concerning … as to how we’re going to be in a place a year from now where this has not become a barrier to entry.”
The full article, “DoD’s Haste May Spell Turbulent Start for Cybersecurity Plan,” was published by Law360 on October 24, 2019, and is available online.