March 27, 2020

WASHINGTON – Today, a coalition of technology trade associations encouraged the Department of Defense (DoD) to continue its partnership with industry in its implementation of Cybersecurity Maturity Model Certification (CMMC). In a letter to Under Secretary of Defense for Acquisition and Sustainment Ellen Lord and Chief Information Security Officer Katie Arrington, the groups reiterated the importance of the CMMC’s objectives and offered recommendations for improving its implementation, administration and enforcement.

As the producers and operators of some of the most sophisticated and widely used information technologies, the associations – Information Technology Industry Council (ITI), Alliance for Digital Innovation, BSA: The Software Alliance, Cybersecurity Coalition, Internet Association, and The Computing Technology Industry Association (CompTIA) – have considerable first-hand knowledge of the challenging and evolving nature of the most persistent cyber threats. To that end, their recommendations aim to ensure the federal government’s front-line cyber defenses stay current and are equipped with the tools and techniques to protect sensitive systems and information of the government and industrial partners and offer clarity and predictability in key areas to avoid confusion, delay and associated costs for industry.

“We strongly support efforts to improve defense industrial base (DIB) cybersecurity and appreciate the Department’s openness in meeting with and accepting input from industry about the CMMC,” the associations wrote. “We stand ready to assist DoD in optimizing the CMMC’s effectiveness. Considering and incorporating IT industry feedback will help ensure that DoD implements a structurally sound and holistic initiative from the beginning. Doing so will also help to meet our shared goal of improving DIB cybersecurity in a manner that is aligned with other federal government initiatives and requirements to address supply chain security.”

In their letter, the associations identified several challenges in the current CMMC that could lead to the DIB being even less secure, if left unaddressed. To that end, they encouraged DoD to thoroughly consider the following suggestions and questions as the CMMC evolves during its implementation:

  • Enhance clarity about the CMMC’s scope, applicability, and implementation timeline.
  • Clarify certification and recertification, specifically how certifications will be managed for a complex, multinational entity, and how companies that are not currently part of the DIB will be prioritized for certification.
  • Streamline federal cybersecurity requirements to align, and promote reciprocity between, the DoD Cloud Computing Security Requirements Guide (SRG), DFARS 252.204-7012, and FedRAMP.
  • Ensure no new risks are created, by providing additional clarity on how CMMC assessment results, which will contain very sensitive information, will be handled and stored, and by considering the security control requirements of high-security and high-availability systems.

Read the letter here.