Final comments on a Defense Department cybersecurity rule are due today. The Cybersecurity Maturity Model Certification project — known as CMMC — is about to become a reality. That raises some practical questions such as when will its requirements find their way into contracts. For more, David Berteau, president and CEO of the Professional Services Council, joined the Federal Drive with Tom Temin to discuss.
Tom Temin: And you’ve been following this for, I believe, it’s seven years now.
David Berteau: Yeah, you’re right Tom. DoD has been building the CMMC program for seven years now. Started in 2018 and this latest iteration is a set of two proposed rules. This is the second of two proposed rules and comments are due today. We’re going to be submitting those comments from PSC just as we’ve been submitting comments on every iteration all the way back to CMMC 0.4 in 2018. But this is really the critical one because this is how the requirements of CMMC, which could change over time as the threat changes, will be incorporated into contracts themselves.
Tom Temin: Right. So the operational aspects of this are really still unknown, even though they have gelled it into parameters that they can express in rule making. Fair way to put it?
David Berteau: Yes, that’s a great way to put it. There are so many questions that remain unanswered here and they’re actually almost independent of what cybersecurity objectives you’re trying to achieve. It’s how do you actually operationalize and get those in. So there’s two separate rules being debated here. One was submitted last December. We commented on it in February and that rule is now released in this morning’s Federal Register. The preregistration notice was 470 pages long, but.
Tom Temin: No less.
David Berteau: Rule is with no less than, in fact, we’re incorporating that into our comments that we’re submitting later today.
Tom Temin: So you will have had some time to digest this. It’s going to take time to read through the 470 pages, or is most of that been gone over and it’s just simply incorporate some of the rule making comments they might have gotten?
David Berteau: We had an extensive set of comments that we submitted as did quite a number of others back in February and a number of those comments have resulted in changes, but we haven’t really yet finished tracking the comments to the changes.
Tom Temin: In other words, you have to read all 470 pages?
David Berteau: You do have to read the whole thing to know what it actually is. Now this is important because these are the standards which will be implemented by the contract language in the proposed rule, which we’re submitting comments today. They don’t affect how the contracting language goes. They affect how the contracts will go. That first rule was really on what are the requirements the National Institutes of Standards and Technology standards 800-171 which is the basis for that. This is the one that says, ‘OK, how does it get into a contract?’ But we’ve got some history here that’s worth looking at.
Tom Temin: Right. And one of the questions you are raising is when will it actually be implemented through the contracting officers as clauses, basically? And that’s really still an unknown. The other one is the capacity of the so-called C3PAOs. It sounds like a robot from Star Wars. These accrediting organizations that are supposed to objectively say this contractor is good to go. What’s going on there that you see as a challenge?
David Berteau: Well, there is an accreditation body. It’s been in place for a number of years now, and that accreditation body has been issuing the accreditation for C3PAOs. These are the CMMC third party assessment organizations. So they’re independent of the government, independent of the accreditation body, but essential to the certification of contractors to be able to bid and win contracts. The current capacity has been building, but it’s nowhere near the ability to get thousands and thousands of contractors certified and subcontractors certified at a time that would be a rapid implementation. So two things have to happen here. One is, we do need the final rule, not only for the standards, the requirements which I think that final rule. In fact, at our conference last week, a senior DoD official said release of that final rule was imminent. He also, though, said that the pace is glacial. So I don’t know whether imminent means the glacier is about to calve a large iceberg or whether we’re going to melt a little bit longer.
Tom Temin: I guess it depends on your timeline.
David Berteau: Do we work in geological era?
David Berteau: Or fiscal years? But I do think it’s about to come out. But the second rule will have to be finalized before it can go into contracts, and that’s the rule on which we’re commenting today. How fast can that rule be finalized? Well, that will depend in part on the complexity and magnitude of the comments that are coming in and adjudicating that and get it through. The earliest we could see that rule come out I think would probably be January, given that it’s mid-October right now, and that would be kind of about the time of the change of administrations. But then you get the question that you’ve raised, which you can’t put it in every contract right away because you’d have to phase in the implementation. There’s no way you have the magnitude of companies which contracts get picked first. How does DoD make sure that the companies that would bid on that contract are first in line to get the certifications required? In fact, there’s even a question of when do you need to be certified? Do you need to be certified at the time you submit the proposal? Do you need to be certified at the time the government evaluates those proposals? Or do you need to be certified at the time of award? And these are questions, as you well know Tom, sometimes it takes months or even years between a solicitation and the final award of the contract. So this stuff is very much up in the air.
Tom Temin: Right.
Tom Temin: We are speaking with David Berteau, president and CEO of the Professional Services Council. And it seems like there’s a lot of discretion that will still be available to contracting officers. For example, what level of certification will they accept for a given deal? Self assessment is one which is the easiest on everybody, but that also has the most risk if something goes wrong with actual cybersecurity later on.
David Berteau: That’s right. In fact, one of the reasons that DoD has continued to push for this CMMC program is it wants to go beyond the self assessment that’s really in the current DFARS requirement and for contractors. I think that what would a contracting officer do? Well, self assessment is the easiest one. But in my experience, most contracting officers are not risk seeking, they’re risk averse, and so there’s less risk by requiring your contractor to be certified, as opposed to self certification or self assessment. But then the question is at what level do you need to be certified? The Level 2, which is the basic level, might be sufficient for protecting most data and most systems for the company, but will a contracting officer say, ‘Level 2 is not good enough. I want the highest possible level of protection here.’ Again, DoD’s calculations are only a relatively small number of contracts and contractors will be required to go to Level 3. I don’t know how they’re going to manage that. I don’t know what kind of guidance they’re going to put out to contracting officers. It says, take more risk, stick with Level 2.
Tom Temin: And then there’s the question of your subs, which is always a question. It seems procurement issue these days is, how do you deal with the subcontractors?
David Berteau: Right. So subcontractors, of course, are an essential element. The requirements will flow down to subcontractors. And there are many questions associated with that, which includes, what are the responsibilities of DoD and the response, what are the responsibilities of a prime contractor to ensure certification, as well as by when does that certification need to be there? You may not need a subcontractor until the second year of a contract. So do they need to be certified at the front end? Or you can include them in your bid? These are big questions that remain to be answered.
Tom Temin: Right. And I was also wondering this is more of the philosophical end of this, perhaps, but does this really make for better cybersecurity? Because it’s an enormous compliance and bureaucratic exercise, which DoD is really good at to its detriment. But will it make data and contracting and DoD systems ultimately more secure? I wonder if they have a mechanism for measuring that.
David Berteau: This has been a key question that PSC has been raising from the beginning. We’ve approached our engagement with the government on cybersecurity, not just in CMMC, but in the dozen other proposed rules and regulations that are floating out there still today. From the following perspective, No. 1, we know the threat is real. We know the threat is growing every day. There’s greater threat, right? And so you’ve got to be cognizant of that fact. The second is, clearly, what we’re doing now is not good enough because every day you read about another breach, right? Another cybersecurity, another hack, etc., even apparently relatively secure systems, right? And so the real question is, what do you do to make that better and how do you tell if it’s better? So the way I look at the CMMC proposed rules is they create a level of cyber hygiene that is the baseline, right? The standard below which you’re not supposed to go. It may not, in and of itself, create more cybersecurity, but failure to do so will certainly create more vulnerability. So that baseline is there. But then the question is, what do you need beyond that baseline? Many of our member companies are already well beyond NIST standard 800-171 even the newest revision, Rev 3, which you’ve covered on your show a number of times. But not every subcontractor is going to be that way. And how do you maintain that? How do you keep the competence, the competition levels, etc.? These are huge challenges that remain to be worked out.
© 2024 Federal News Network. All rights reserved.