CMMC Archives | DefenseScoop
https://defensescoop.com/tag/cmmc-2/
Last updated: Wed, 02 Apr 2025 19:22:14 +0000

Feinberg initiates Pentagon’s implementation of DOGE-influenced regulatory review
https://defensescoop.com/2025/04/02/feinberg-dod-doge-regulatory-review-trump-memo/
Wed, 02 Apr 2025 19:22:11 +0000

DefenseScoop obtained new guidance that the deputy secretary of defense issued to DOD leadership this week.

The post Feinberg initiates Pentagon’s implementation of DOGE-influenced regulatory review appeared first on DefenseScoop.

Deputy Secretary of Defense Stephen Feinberg issued a new memorandum directing the Pentagon’s near-term implementation of President Donald Trump’s DOGE-inspired executive order that seeks to pare back federal agency regulations.

Obtained by DefenseScoop and authenticated by several defense officials this week, the March 31 memo and its attached spreadsheet reveal a wide range of existing rules and guidance associated with the Defense Department’s intelligence, information technology, weapons acquisition and other portfolios that are now up for review.

The Trump administration’s new Department of Government Efficiency, or DOGE, is run by billionaire and presidential adviser Elon Musk. Since its launch near the start of Trump’s second term, DOGE has led multiple disruptive initiatives to cut what it considers wasteful spending and to reduce the size of the federal workforce.

On Feb. 19, Trump signed an executive order — titled “Ensuring Lawful Governance and Implementing the President’s ‘Department of Government Efficiency’ Deregulatory Initiative” — that directs federal agencies to review and potentially cancel regulations that are deemed to be unconstitutional, innovation-stifling, not in the United States’ interests, or too burdensome on small businesses and private entrepreneurship, among other categories.

In the March 31 implementation memo that he penned to senior Pentagon leadership and defense agency and field activity directors, Feinberg designated the assistant to the secretary of defense for privacy, civil liberties, and transparency as the principal staff assistant in charge of carrying out the deregulation mandate.

He called on senior officials leading more than a dozen DOD components to go through their organizations’ regulations identified in the attachments and specify whether any “classes” from the Trump EO apply to them, and also indicate whether the rules should be changed or terminated. Some of those DOD components tasked in the guidance include the Office of the Chief Information Officer, the Pentagon’s Research and Engineering and Intelligence and Security directorates, Office of the Inspector General, as well as the Departments of the Army, Navy and Air Force.

Feinberg tasked officials to complete their spreadsheet responses and submit them by close of business April 18.

“As stated in E.O. 14219, the Administrator of [the Office of Information and Regulatory Affairs] shall consult with agency heads to develop a Unified Regulatory Agenda that seeks to rescind or modify, as appropriate, regulations that fit within the classes identified” in the memo, he wrote.

Regulations that pertain to the Pentagon CIO’s Cybersecurity Maturity Model Certification (CMMC) program appear to be among hundreds of rules up for review, according to the memo attachments viewed by DefenseScoop. Two other notable tech-aligned regulatory inclusions that are set to be evaluated are R&E guidance on protecting human subjects during research experiments and an I&S policy on cloud service offerings.

“Deputy Secretary Feinberg’s directive helps to ensure DOD fully supports President Trump’s Executive Order to cut red tape and unleash prosperity, while maintaining our focus on national defense and mission-critical priorities. This memo demonstrates that under Secretary Hegseth’s leadership, we’re actively moving out to eliminate unnecessary bureaucracy, streamline our operations, and refocus resources on warfighter readiness and strategic priorities,” Eric Pahon, spokesman for the deputy secretary of defense, told DefenseScoop Wednesday.

Trump’s Pentagon acquisition chief nominee vows to review controversial CMMC program
https://defensescoop.com/2025/03/27/cmmc-review-trump-michael-duffey-dod-acquisition/
Thu, 27 Mar 2025 18:31:42 +0000

Michael Duffey, nominated by President Trump to be undersecretary of defense for acquisition and sustainment, testified at his confirmation hearing Thursday.

Michael Duffey, President Donald Trump’s nominee to be the next undersecretary of defense for acquisition and sustainment, told lawmakers that he will review the Pentagon’s controversial Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) initiative if he’s confirmed.

The final rule for the revamped CMMC 2.0 program went into effect in December, which means that defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must meet one of three levels of CMMC compliance, depending on the sensitivity of the information they handle, to be eligible to win DOD contracts. After years of high-profile scoping and rulemaking efforts, the Pentagon plans to implement the new requirements by the middle of this year.

Contractors and defense industry observers have previously expressed concerns about the burdens that CMMC regulations would impose, particularly for smaller firms that have fewer resources to ensure compliance.

An industry report by Redspin published earlier this year found that over half of respondents did not feel prepared for CMMC’s requirements.

Another report published this week by Kiteworks and co-sponsored by Coalfire found shortfalls in gap analysis and advanced controls. Budgetary and resource constraints, technical complexity of implementing controls, scope complexity and definition challenges, and understanding requirements and documentation were cited as some of the biggest challenges related to CMMC.

“It is my understanding that the cyber capabilities of the companies in the DIB vary greatly. If confirmed, I look forward to reviewing the current state of DoD cybersecurity requirements for our industry partners and working to ensure we balance a need for security with the burdens of excessive regulation,” Duffey wrote in his responses to advance policy questions from lawmakers ahead of his confirmation hearing Thursday with the Senate Armed Services Committee.

He noted that cyberattacks on defense industrial base information systems threaten the Pentagon’s mission execution and warfighting capabilities, and put at risk U.S. technological superiority, intellectual property and national security information.

“Bolstering cybersecurity across the DIB without placing undue burdens on small and medium-sized businesses is critical. These businesses are often more vulnerable to cyberattacks due to resource constraints, yet they play a vital role in our nation’s defense,” Duffey wrote. “I recognize the critical importance of ensuring that contractual requirements for protecting DoD information are met by defense contractors. If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices.”

Additionally, he told lawmakers that he would review current and potential mechanisms to assess CMMC compliance — including third-party assessment organizations — and accreditation procedures “to ensure our requirements keep pace with the threat and manage the burden on the industrial base.”

Duffey also noted that access to secure compartmented information facilities (SCIFs) can be costly for smaller companies. If confirmed, he said he will “actively explore” the feasibility of multi-use SCIFs and other shared resource models to reduce that burden for small firms and facilitate their access to classified information.

The CMMC program previously fell under the responsibility of the undersecretary of defense for acquisition and sustainment, but was transferred to the DOD Office of the Chief Information Officer in 2022. Katie Arrington, who was viewed as a key architect of the original iteration of CMMC within A&S during the first Trump administration, recently returned to the Pentagon and was quickly appointed as the acting CIO.

Duffey also has prior government experience, including at the Pentagon. He served as associate director of national security programs in the Office of Management and Budget during the first Trump administration. He’s also served as deputy chief of staff to the secretary of defense and chief of staff to the undersecretary of defense for research and engineering, among other roles.

Report finds large gap in CMMC readiness among defense industrial base
https://defensescoop.com/2025/01/28/redspin-report-cmmc-readiness-gap-2025-defense-industrial-base/
Tue, 28 Jan 2025 13:00:00 +0000

A survey conducted by Redspin found that over half of respondents did not feel prepared for CMMC's requirements, which will go into effect by mid-2025.

Despite having years to get ready, a majority of defense contractors still feel unprepared to implement necessary protocols required by the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) initiative, according to a new report.

The final rule for the revamped CMMC 2.0 program went into effect in December, meaning defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must meet one of three levels of CMMC compliance depending on the sensitivity of the information they handle. After nearly five years of high-profile and oftentimes controversial scoping and rulemaking efforts, the Pentagon plans to implement the new cybersecurity requirements for contractors by mid-2025.

However, a report published Tuesday by Redspin — an authorized CMMC third-party assessment organization (C3PAO) — found there is a significant gap in readiness for CMMC 2.0 requirements across the defense industrial base. The assessment is based on a survey conducted in September 2024 that received 107 responses from a range of military contractors.

“The largest share (42%) of respondents feel Moderately Prepared, and 16% still have a long way to go by being Slightly Prepared or Not at All Prepared. This means that 58% of respondents are not ready for a rule that is now final and effective,” according to the report, titled “Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness.”

Furthermore, 13 percent of participants indicated they haven’t taken any preparatory action to meet CMMC compliance. The report highlighted that as a “critical concern” given companies have been mandated to maintain a Supplier Performance Risk System self-assessment score since 2020, “meaning those companies are significantly behind and at risk of non-compliance and not properly safeguarding their CUI.”

While the statistic is alarming, Redspin Vice President and Chief Information Security Officer Thomas Graham told DefenseScoop that the lack of action isn’t surprising considering the CMMC program’s contentious history, and that companies should not feel like they’re alone if they are unprepared.

“Since CMMC started, you’ve had a lot of misnomers, you’ve had a lot of rumors, you’ve even had a lot of naysayers. And they are even now saying this is never going to happen,” Graham said Monday during an interview. “The reality is, it is a formal program. It’s not your implementation — your implementation has been in place for a number of years now. All CMMC is doing is just verifying that implementation.”

Graham also noted that so many contractors could be feeling unprepared because they’ve just been waiting to see if the program would actually happen.

CMMC was first conceived in 2019 as a way to protect contractor information from being exploited by adversaries by putting these types of cybersecurity requirements for the defense industrial base into federal regulations, with Pentagon leadership arguing that companies should already have those protocols in place simply because they’re working with the department. 

However, the program received pushback from others who argued CMMC would be too difficult to follow. The Defense Department later pared down the program’s scope and contractor expectations in 2021, unveiling a three-tiered framework now known as CMMC 2.0.

The new model allows contractors working with less sensitive information to conduct self-assessments of their cybersecurity compliance. More sensitive information will require companies to validate their posture from either third-party assessors or the Defense Industrial Base Cybersecurity Assessment Center.

A key criticism of CMMC has been that the requirements would penalize small businesses that can’t afford to comply with them, but Redspin’s survey found that concern isn’t exclusive to smaller companies and subcontractors. According to the report, 52 percent of respondents who indicated cost as a top preparation challenge were prime contractors and dual-role companies. 

Graham said the concern was likely caused by inaccurate information released about CMMC over the years, as well as misunderstandings about what the program is trying to accomplish.

“Larger organizations that I’ve talked with, a lot of times there’s a separation between the decision makers and the folks that are actually implementing this stuff,” he said. “And when you break it down to them, then the light bulbs start coming on and they’re like, ‘Oh my god, I never realized we were supposed to be doing this stuff for years.’ Then it becomes a different conversation.”

Despite the readiness gap, Redspin’s survey did show that three-fourths of respondents have already or are in the process of establishing a required system security plan (SSP), which outlines the cyber defenses needed to protect sensitive information.

Over half of the respondents also indicated that they were working with an external service provider (ESP) to reach CMMC certification, underscoring the importance third-party organizations have and will continue to play in maintaining compliance, according to the report. 

That means moving forward, ESPs must also ensure their own cybersecurity protocols meet requirements, Graham emphasized.

“ESPs have got to understand they’re going to be part of this, that they are being given access to information that is not theirs — much like the contractors are being given access to information that is not theirs, either,” he said. “With working with these organizations, there’s going to be certain requirements that they are going to have to provide to the [organizations seeking assessment] so now they can get through their own assessment.”

DOD taps McKeown to serve as new special assistant for cybersecurity innovation
https://defensescoop.com/2024/12/20/david-mckeown-special-assistant-cybersecurity-innovation/
Fri, 20 Dec 2024 19:29:15 +0000

As part of the new role, McKeown will stand up and helm the DOD CIO's new Cybersecurity Center of Excellence.

David McKeown has been chosen as the Defense Department Chief Information Office’s inaugural special assistant for cybersecurity innovation, according to a Friday announcement.

As part of the new role, McKeown will stand up and lead the CIO’s Cybersecurity Center of Excellence, which will focus on tackling long-range and complex innovation challenges for cybersecurity modernization. He will be responsible for a range of programs and operations that will ensure the Pentagon is prepared to meet emerging cybersecurity threats, the DOD CIO noted in a statement posted on LinkedIn.

“Establishing this new office divorces the day-to-day activities such as zero trust implementation, defense industrial base cybersecurity programs and policy development from the requirement to look over the horizon and take on the following cybersecurity threat,” the statement said. “With the Special Advisor for Cybersecurity Innovation, we are building an office to create transformational breakthroughs and drive strategic invention in cybersecurity.”

McKeown most recently served as both the deputy CIO for cybersecurity and chief information security officer since 2020 — a dual-hatted position where he led the department’s wide-ranging cybersecurity modernization efforts and associated policies. His tenure has seen the introduction of cutting-edge technologies and robust protocols to fortify the Pentagon’s cyber defenses.

He has been at the forefront of implementing the DOD’s zero trust strategy while overseeing adoption of the new cybersecurity standards at organizations across the Pentagon. McKeown has also worked to strengthen cybersecurity within the defense industrial base and helped the department revamp the Cybersecurity Maturity Model Certification (CMMC) standards. 

McKeown has over three decades of experience working in the Defense Department, including 27 years serving in the Air Force and 8 years as a government civilian employee. His prior roles include working as an Air Force cyberspace operations officer; the director of enterprise information and mission assurance for the Army’s Information Technology Agency; and the cybersecurity center chief and enterprise services center chief for the Defense Information Systems Agency’s Joint Service Provider.

Prior to joining the DOD CIO, McKeown also led the Department of Justice’s Service Delivery Staff. Prior to that role, he ran enterprise services and cybersecurity for the DOD’s Joint Service Provider.

Gurpreet Bhatia will assume the duties of acting deputy CIO for cybersecurity and CISO. He previously served as the DOD’s principal director for cybersecurity and deputy chief information security officer.

Final rule for CMMC cybersecurity program goes into effect for defense contractors
https://defensescoop.com/2024/12/16/final-rule-cmmc-cybersecurity-requirements-go-into-effect-defense-contractors/
Mon, 16 Dec 2024 19:59:48 +0000

The framework will require defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the information.

The final rule for the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC) initiative went into effect Monday, and the clock is ticking for companies to meet the requirements to be eligible to win Defense Department contracts.

The CMMC program is intended to protect DOD data on contractor systems from being exploited by U.S. adversaries by ensuring those firms comply with National Institute of Standards and Technology security controls.

The final rule will require defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the info they’re handling.

The journey toward CMMC implementation — a controversial initiative that has raised concerns among some contractors about the costs involved and other regulatory burdens — has been a long one. After receiving feedback from companies, the department moved away from its original CMMC framework toward a more streamlined version that officials have dubbed CMMC 2.0, which has also entailed a lengthy rulemaking process.

The final rule was released for inspection in October on the Federal Register and was scheduled to go into effect Dec. 16. A follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC program was slated for publication in early to mid-2025. 

“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award,” the Pentagon said in a press release in October.

“With the publication of this updated … rule, DoD will allow businesses to self-assess their compliance when appropriate. Basic protection of FCI will require self-assessment at CMMC Level 1. General protection of CUI will require either third-party assessment or self-assessment at CMMC Level 2. A higher level of protection against risk from advanced persistent threats will be required for some CUI. This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center led assessment at CMMC Level 3,” per the release.

According to a notice in the Federal Register, the Pentagon estimates that 8,350 medium and large entities will be required to meet Level 2 CMMC third-party assessment organization (C3PAO) assessment requirements as a condition of contract award.

Far fewer companies are expected to be required to meet the more stringent Level 3 requirements.

“It’s Official! #CMMC 2.0 completed its 60-day Congressional Review period without any changes. Rulemaking is now complete and the new program is in effect. Companies should now begin working towards their CMMC certifications and C3PAOs can begin assessments in accordance with the guidance in the rule,” the Office of the DOD Chief Information Officer wrote in a LinkedIn post on Monday, noting that CMMC requirements won’t be included in DOD contracts until a 48 CFR rule change revising the DFARS is complete and effective. “At that time we will begin a 3-year phased implementation.”

The rollout of CMMC comes as the Pentagon is taking a variety of other measures to try to improve the digital defenses of contractors.

For example, earlier this year the department released a new Defense Industrial Base Cybersecurity Strategy.

Officials plan to routinely evaluate contractor compliance with the CMMC program, the document noted.

The “increasing number of threats resulting from the evolution and expansion of the digital ecosystem drives the need for enhanced requirements for a subset of critical programs or high value assets. Future rulemaking efforts will expand existing information safeguarding requirements for these companies by implementing supplemental guidelines defined in NIST SP 800-172,” the strategy states. “While DFARS specifies the minimum DIB cybersecurity requirements for companies that process, transmit, and store CUI, the Department must also support efforts by the DIB to make risk-informed decisions to exceed these requirements.”

The department also launched a new official program that allows for independent white-hat hackers to find and analyze vulnerabilities in contractors’ systems.

The Defense Department’s Cyber Crime Center (DC3) is partnering with the Defense Counterintelligence and Security Agency on the Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP), and participation is free and voluntary for companies.

“Most of the DIB, some 200,000 companies, are small and medium-sized businesses. They are not equipped to defend themselves against advanced adversaries. And so the question becomes, how can we help them defend themselves? What can we provide to them? … And the answer is some form of cybersecurity as a service, usually focused on small to medium-sized companies, again, to provide capabilities that they would not be able to work with themselves,” Terry Kalka, director of the defense industrial base collaborative information sharing environment at DC3, said at CyberTalks in October.

Officials are working to counter a variety of malicious cyber activities.

“Phishing is always a constant threat, but I think we’re seeing phishing more as an interrupter to operations, like part of ransomware. The more prevalent threats in the last year have to do with actual exploitation and exfiltration of data. And what that indicates to me is that phishing is still effective but it’s not necessarily the most effective attack vector anymore. And so we really need to work on closing vulnerabilities, patching systems and through CISA’s leadership, secure by design, because that’s how we’re going to block adversarial attacks,” Kalka told DefenseScoop.

DOD releases final rule for CMMC, setting the stage for implementation next year
https://defensescoop.com/2024/10/11/dod-cmmc-final-rule-cybersecurity-standards-contractors/
Fri, 11 Oct 2024 12:45:00 +0000

The publication of the final rule moves to establish the CMMC 2.0 program in federal law.

The Pentagon has posted the final rule for the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), cementing the department’s plans to implement new cybersecurity standards for contractors by mid-2025.

The rule was released for public inspection on the Federal Register on Friday, and the Defense Department anticipates officially publishing the new guidelines Oct. 15, according to a Pentagon press release.

The CMMC program is based on a tiered cybersecurity framework that requires defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the information. The effort was conceptualized as a way to protect DOD data on contractor systems from being exploited by U.S. adversaries by ensuring those firms comply with widely accepted National Institute of Standards and Technology security controls.

The publication of the final rule comes after several years of work to revamp the original CMMC assessment framework initially developed during the Trump administration. Under CMMC 2.0, the Pentagon has reduced the number of assessment levels from five to three to streamline the compliance process for small and medium-sized contractors.

The Defense Department published its proposed rule for CMMC 2.0 in December 2023 to kickstart the federal rulemaking process. Another proposal to amend the Defense Federal Acquisition Regulation Supplement (DFARS) and implement cybersecurity compliance requirements in Pentagon contracts was later released in August of this year.

Moving forward, the Pentagon intends to publish the follow-on DFARS rule change by mid-2025, according to the department. 

“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award,” the Pentagon press release stated.

The new model will allow contractors working with less sensitive information to conduct self-assessments of their cybersecurity compliance. More sensitive information will require companies to complete either third-party assessments or one conducted by the Defense Industrial Base Cybersecurity Assessment Center that will verify the implementation of the standards.

The CMMC program has received criticism in the past, as some defense contractor advocates have argued that it will be expensive, difficult and confusing for companies to comply with — especially small businesses and non-traditional contractors. In response, the Pentagon has worked to provide industry with resources to assist in their efforts to meet the cybersecurity standards.

In addition, the revised CMMC program will introduce “Plans of Action and Milestones” (POA&Ms), which allow contractors that do not meet every cybersecurity standard to receive a conditional certification for 180 days as they work to achieve compliance, according to the Pentagon.

“The Department understands the significant time and resources required for industry to comply with DoD’s cybersecurity requirements for safeguarding CUI and is intent upon implementing CMMC requirements to assess the degree to which they have done so,” the press release stated. “Businesses in the defense industrial base should take action to gauge their compliance with existing security requirements and preparedness to comply with CMMC assessments.”

Pentagon a step closer to CMMC starting line with new contract rule proposal
https://defensescoop.com/2024/08/15/pentagon-step-closer-cmmc-starting-line-new-contract-rule-proposal/
Thu, 15 Aug 2024 19:28:10 +0000

The newly proposed rule would incorporate new cyber requirements into all contracts for vendors who want to do business with the U.S. military that involves controlled unclassified information.

The Pentagon cleared a major milestone Thursday on the path to instituting its cybersecurity standards program for contractors known as the Cybersecurity Maturity Model Certification 2.0.

The Department of Defense submitted a proposed rule that, once approved, would incorporate new cyber requirements into all contracts for vendors who want to do business with the U.S. military that involves sensitive but unclassified information.

Under the CMMC 2.0 program, any contractor or subcontractor that does work with the DOD involving what’s referred to as controlled unclassified information or federal contract information must obtain — or in some cases self-attest to — one of three levels of CMMC compliance, depending on the sensitivity of the information involved in the work.

Specifically, the new proposal, published in the Federal Register, aims to amend the Defense Federal Acquisition Regulation Supplement to implement those cybersecurity requirements in contracts as part of the larger CMMC 2.0 program. That program is itself in the middle of the federal rulemaking process, kick-started with a separate rule proposal last December after a previous iteration of CMMC with more stringent requirements failed.

That previous proposed rule put forth in December 2023 would establish the CMMC program into federal law, laying out “requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have … implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs.”

This latest proposed rule looks to complement that by spelling out how that program will be implemented in DOD contracts.

“These amendments require at the time of award the results of a current CMMC certificate or CMMC self-assessment, at the level required, for all information systems that process, store, or transmit FCI or CUI during contract performance, when a CMMC level is included in the solicitation,” the proposed rule reads.

It also includes a few other key clarifications for the administration of CMMC in defense contracts once these two rules are final. Notably, Thursday’s proposal spells out a phased rollout of requirements into contracts over the subsequent three years.

“In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period will be determined by the program office or requiring activity after consulting the CMMC 2.0 requirements” laid out in the December 2023 proposed rule, the latest proposal says. “During the phase-in period, when there is a requirement in the contract for CMMC, CMMC certification requirements must be flowed down to subcontractors at all tiers, when the subcontractor will process, store, or transmit Federal contract information (FCI) or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements.”

Once that period ends, CMMC will be in effect for all DOD contract solicitations.

More granularly, the newly proposed rule sets requirements for contracting officers to ensure bidding contractors are CMMC compliant, issues an updated definition for controlled unclassified information — the distinguishing element for contracts that require CMMC compliance — and introduces a provision to notify contractors when there are CMMC requirements in a contract, among other things.

Now, the clock starts on the comment period for the proposed rule, which will run through Oct. 15. At that point, the DOD will sort through any comments and make tweaks as necessary before submitting the rule for final approval to the Office of Information and Regulatory Affairs to be issued as a final rule.

Given the current timing, if things go smoothly during the next steps of the rulemaking process, the phased rollout of CMMC could begin sometime in mid-to-late 2025.

New DOD strategy aims to improve contractors’ cybersecurity, resiliency
https://defensescoop.com/2024/03/28/defense-industrial-base-cybersecurity-strategy/
Thu, 28 Mar 2024 20:26:16 +0000

The Defense Industrial Base Cybersecurity Strategy outlines four goals as well as corresponding objectives that cover activities from fiscal 2024 to 2027.

To protect military contractors from adversary cyber attacks and intrusions, the Defense Department must commit to educating, measuring and driving improvements in the digital security and resiliency of the industrial base, according to new strategic guidance from the Pentagon.

The Defense Industrial Base Cybersecurity Strategy, released Thursday, is intended to steer the department and industry’s response to threats. Signed by Deputy Secretary Kathleen Hicks, it aims to strengthen companies doing business with the Pentagon — including small businesses and subcontractors — against adversaries seeking access to sensitive data, proprietary information and intellectual property of weapon systems and production nodes.

As part of that effort, the Pentagon will work with the defense industrial base (DIB) to enhance their network posture while also providing more cohesive strategic guidance for companies, according to David McKeown, deputy chief information officer for cybersecurity.

“Over the last several years the DIB has made great strides in improving cyber resiliency, security, compliance and understanding the threat landscape,” McKeown told reporters Thursday ahead of the document’s release. “Together through the DIB cybersecurity strategy, we will further advance our goals and improve DIB cybersecurity.”

The document outlines four main goals as well as corresponding objectives that cover activities from fiscal 2024 to 2027. It notes that while many of the efforts listed have either already begun or are part of the Pentagon’s broader approach to industrial base cybersecurity, the strategy will “sharpen the focus, collaboration and integration” of those objectives.

A key aim for the Pentagon will be working with the DIB to enhance companies’ protection against advanced threats. To do so, the department will continue to routinely evaluate contractor compliance with its cybersecurity requirements — largely through the Cybersecurity Maturity Model Certification (CMMC) program.

However, “[the] increasing number of threats resulting from the evolution and expansion of the digital ecosystem drives the need for enhanced requirements for a subset of critical programs or high value assets,” the strategy states. Therefore, the department will engage in future rulemaking that will expand on current requirements for the industrial base and introduce supplemental guidelines for those handling controlled unclassified information, it noted.

Compliance efforts like CMMC have come under scrutiny in the past, especially among small businesses and non-traditional defense contractors that believe the regulations will be expensive and arduous to keep up with.

McKeown emphasized that the new strategy takes contractors of all sizes into consideration, and that the department is committed to helping small firms strengthen their cybersecurity posture through a number of free resources.

In addition, McKeown’s office has been working with the Office of Small Business on a pilot to develop a secure, cloud-based environment for smaller companies to use and conduct work in, he said. Officials want to have around 50 to 75 companies involved in the program and begin work this year.

The goal will be to “prove out whether or not we can leverage the cloud to ensure that the data is secure in this cloud environment for the small businesses,” McKeown said. “And then we’ll have to look at how we scale that up and offer that to more and more small businesses over time, or how we get a price point which they can afford and just start leveraging themselves.”

The department also wants to create a new framework for sharing threat information with the industrial base; conduct analysis on potential cyber vulnerabilities in contractors’ IT ecosystems; improve how firms recover from malicious cyber activities to minimize loss of information; and measure the overall effectiveness of the DOD’s cybersecurity requirements. 

Other goals detailed in the strategy include strengthening the Pentagon’s internal governance structure for DIB cybersecurity, preserving the cyber resiliency of the defense supply chain, and boosting overall collaboration among government agencies and contractors on cybersecurity matters.

Stacy Bostjanick, chief of defense industrial base cybersecurity in the CIO’s office, emphasized that the Pentagon is dedicated to working with contractors, as well as an array of stakeholders across government, to execute the strategy.

“Our mission is to protect sensitive information, operational capabilities and product integrity by ensuring the generation, liability and preservation of U.S. warfighting capabilities,” Bostjanick told reporters. “Our vision is simple: a secure, resilient, technologically superior DIB.”

With CMMC looming, military services explore ways to extend secure environments to small businesses
https://defensescoop.com/2024/01/26/cmmc-military-secure-environments/
Fri, 26 Jan 2024 14:32:42 +0000

The military services increasingly see small businesses as extensions of their enterprises and are looking at ways to support their security.

The U.S. Army and Navy are exploring arrangements to extend secure environments to their smaller defense industrial base partners who can’t afford to earn a cybersecurity accreditation with the Pentagon but provide innovative services the branches still want to leverage.

Top cybersecurity officials with the military components, speaking on a panel Thursday at the Google Defense Forum presented by DefenseScoop, said they are working on initiatives to provide those small contractors with secured virtual desktops that would ensure any transaction of sensitive Department of Defense data meets the DOD’s security requirements.

These initiatives come as the Pentagon’s Cybersecurity Maturity Model Certification nears becoming an official rule. The certification program is currently a proposed rule and the department is accepting comments on it until Feb. 26.

Under CMMC, most defense industrial base companies that handle controlled unclassified information under contract with the DOD would need to meet security requirements laid out in National Institute of Standards and Technology Special Publication 800-171 and attest — either through a self-assessment or a third-party assessment, depending on the sensitivity of information shared — to meeting those requirements.

Many small businesses are worried that the assessment process is too burdensome and could keep them from doing business with the DOD.

But the military services don’t want to miss out on the innovation generated by those smaller contractors. That’s why they’re engineering solutions that could keep that partnership alive if a company itself can’t afford to enhance its cybersecurity in the near term.

“We’re exploring virtual desktops … how we may have been able to extend virtual desktops out to our partners, how our department primes and large companies can extend virtual desktops out to medium- and small-sized businesses, affording them additional protections for their data,” Tony Plater, chief information security officer of the Department of the Navy, said on the panel.

While many of the primes the Navy works with already have the measures required by CMMC in place with robust security operations centers, Plater said the Navy has “learned that the medium- and small-sized companies struggle to meet those requirements.” So the Navy is continuing to look strategically at ways to uplift those partners.

“We have to keep in mind how they can meet those requirements,” he said.

The Army similarly is working on an initiative partnering with Google and others to “extend a secure work environment to small businesses,” said Matthew Picerno, chief cyber acquisition officer for the Army. The service is currently “thinking through the challenges of that, legalities, if we build it will they come?” Picerno said.

Both Plater and Picerno also emphasized that, outside of the technical requirements that will be enforced by CMMC, it’s important to treat those small companies as an extension of the services by supporting the development of the personnel across those organizations and ensuring that threat intelligence is shared openly.

“It’s not just about IT. I think about anything that we talked about today, a lot of it’s going to be about the people,” Picerno said. “So the training, understanding what the data is, what we’re trying to present, understanding, you know, what the crown jewels are, and ensuring that we take a holistic organizational phased approach, not just thinking that, you know, some basic IT is going to solve everything.”

For the Navy, as it looks to automate its own assessments of threats and adversaries, Plater said the service is looking for ways to push that intelligence to its defense industrial base partners.

“We need to know what our security posture looks like to the adversary,” he said. “So as we continue to learn and have to have agility and protection internally, we recognize … the importance of the information and technological advantage and innovation that our partners are holding is extremely important. So in order to be a win-win, you got to work together to share that information.”

Pentagon reveals updated cost estimates for CMMC implementation
https://defensescoop.com/2023/12/28/cmmc-implementation-cost-estimates/
Thu, 28 Dec 2023 16:05:50 +0000

The projections were included in a proposed rule for Cybersecurity Maturity Model Certification that was published in the Federal Register.

The Department of Defense provided new projections for how much money contractors and other organizations will have to spend to implement the Pentagon’s Cybersecurity Maturity Model Certification program.

The updated estimates were included in a proposed rule for CMMC 2.0 that was published Tuesday in the Federal Register.

The program would mandate that defense contractors and subcontractors who handle federal contract information and controlled unclassified information (CUI) implement cybersecurity standards at various levels — depending on the type and sensitivity of the information — and assess their compliance.

“The CMMC initiative will require the Department of Defense to identify CMMC Level 1, 2, or 3 as a solicitation requirement for any effort that will cause a contractor or subcontractor to process, store, or transmit FCI or CUI on its unclassified information system(s). Once CMMC is implemented in 48 CFR, DoD will specify the required CMMC Level in the solicitation and the resulting contract,” the proposed rule explains.

More than 200,000 companies in the defense industrial base could be affected by the rule.

The Pentagon is planning for a phased implementation. It intends to include CMMC requirements in all solicitations issued on or after Oct. 1, 2026, when applicable, although waivers could be issued in certain cases before solicitations are issued.

Depending on the required security level, contractors and subcontractors will have to do self-assessments or be evaluated by a third-party organization — known as a C3PAO — or government assessors.

Costs would be incurred for related activities such as planning and preparing for the assessment, conducting the assessment and reporting the results.

“In estimating the Public costs, DoD considered applicable nonrecurring engineering costs, recurring engineering costs, assessment costs, and affirmation costs for each CMMC Level,” per the proposed rule.

“For CMMC Levels 1 and 2, the cost estimates are based only upon the assessment, certification, and affirmation activities that a defense contractor, subcontractor, or ecosystem member must take to allow DoD to verify implementation of the relevant underlying security requirements,” it notes. “DoD did not consider the cost of implementing the security requirements themselves because implementation is already required by FAR clause 52.204-21, effective June 15, 2016, and by DFARS clause 252.204-7012, requiring implementation by Dec. 31, 2017, respectively; therefore, the costs of implementing the security requirements for CMMC Levels 1 and 2 should already have been incurred and are not attributed to this rule.”

An annual Level 1 self-assessment and affirmation would assert that a company has implemented all the basic safeguarding requirements to protect federal contract information as set forth in 32 CFR 170.14(c)(2).

For Level 1, the Pentagon estimates that the cost to support a self-assessment and affirmation would be nearly $6,000 for a small entity and about $4,000 for a larger entity.

Triennial Level 2 self-assessments and affirmations would attest that a contractor has implemented all the security requirements to protect CUI as specified in 32 CFR 170.14(c)(3). A triennial Level 2 certification assessment conducted by a C3PAO would verify that a contractor is meeting the security requirements.

“A CMMC Level 2 assessment must be conducted for each [organization seeking certification] information system that will be used in the execution of the contract that will process, store, or transmit CUI,” the proposed rule notes.

A Level 2 self-assessment and related affirmations are estimated to cost over $37,000 for small entities and nearly $49,000 for larger entities (including the triennial assessment and affirmation and two additional annual affirmations). A Level 2 certification assessment is projected to cost nearly $105,000 for small entities and approximately $118,000 for larger entities (including the triennial assessment and affirmation and two additional annual affirmations).

“Receipt of a CMMC Level 2 Final Certification Assessment for information systems within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC Level 3 Certification Assessment. A CMMC Level 3 Certification Assessment, conducted by [the Defense Contract Management Agency] Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), verifies that an [organization seeking certification] has implemented the CMMC Level 3 security requirements to protect CUI as specified in 32 CFR 170.14(c)(4),” per the proposed rule.

A triennial Level 3 certification assessment would have to be conducted for each company information system that will process, store, or transmit CUI, in the execution of the contract.

Level 3 certification would require “implementation of selected security requirements from NIST SP 800-172 not required in prior rules. Therefore, the Nonrecurring Engineering and Recurring Engineering cost estimates have been included for the initial implementation and maintenance of the required selected NIST SP 800-172 requirements,” according to the proposed rule.

The total cost of a Level 3 certification assessment includes the expenses associated with a Level 2 certification assessment as well as the outlays for implementing and assessing the security requirements specific to Level 3.

For a small organization, the estimated recurring and nonrecurring engineering costs associated with meeting the security mandates for Level 3 are $490,000 and $2.7 million, respectively. The projected cost of a certification assessment is more than $10,000 (including the triennial assessment and affirmation and two additional annual affirmations).

For a larger organization, the estimated recurring and nonrecurring engineering costs associated with Level 3 safeguards are $4.1 million and $21.1 million, respectively. The projected cost of a certification assessment and related affirmations is more than $41,000 (including the triennial assessment and affirmation and two additional annual affirmations).

Level 3 standards are expected to apply only to a “small subset” of defense contractors and subcontractors, the proposed rule states.

For the calculations, officials tried to account for organizational differences between small companies and larger defense contractors. For example, small firms are generally expected to have less complex, less expansive IT and cybersecurity infrastructures and operating environments. They are also more likely to outsource IT and cybersecurity to an external service provider, according to the proposed rule.

Additionally, officials anticipate that organizations pursuing Level 2 assessments will seek consulting or implementation assistance from an external service provider to help them get ready for assessments or to participate in assessments with the C3PAOs.

The annualized costs for contractors and other non-government entities to implement CMMC 2.0 will be about $4 billion, calculated for a 20-year horizon. For the government, they will be approximately $10 million, according to the projections.

The Pentagon is seeking public feedback on the proposed rule. Comments are due by Feb. 26, 2024.

The costs and procedural requirements associated with implementing CMMC have been a major concern for defense contractors and trade associations.

“Burdensome regulation has long been a hurdle, particularly for small and medium-sized businesses that contribute to the defense industrial base. It’s critical for defense companies to have the tools — and the standards — to keep our nation’s sensitive unclassified material secure while not deterring companies from contributing to the defense industrial base,” Eric Fanning, president and CEO of the Aerospace Industries Association, said in a statement Tuesday. “We look forward to reviewing the proposed rule and providing full feedback to ensure the Department has what it needs to implement a final rule that accounts for the complexities within the defense industrial base.”
