Selection of Industry Comments to Proposed Rule for DOD's CMMC Program
In December, the Department of Defense ("DOD") published its proposed rule for its Cybersecurity Maturity Model Certification ("CMMC") program. Briefly, the CMMC program seeks to ensure that contractors and subcontractors in the defense industrial base have implemented certain security controls – primarily under NIST SP 800-171 – to protect Federal Contract Information ("FCI") and Controlled Unclassified Information ("CUI"). The CMMC program represents a significant effort for DOD to shore up contractor supply chain cybersecurity and will ultimately apply to an estimated 221,286 companies when fully implemented.
Comments on DOD's proposed rule were due on February 26, 2024. Regulations.gov shows that DOD received 689 comments – some via attachment and others "in text" – prior to the deadline, most of which have not yet been posted to the website. In light of the impact that the CMMC program will have on the defense industrial base (and beyond) and because Regulations.gov is glitchy (at least on my end), I am compiling a list of industry comments (submitted via PDF) for ready reference. The list does not include all PDF comments or comments submitted "in text" to Regulations.gov.
If you have industry or association comments (PDFs) that you would like me to add, please ping me on LinkedIn. And while you're there, please check out one of my recent LinkedIn posts with my Law360 Expert Analysis article, "How DOD Can Improve Flexibility Under Proposed Cyber Rule."
Josh
Selection of Comments:
"The Coalition fully endorses the security objectives of the CMMC Proposed Rule, 88 Fed. Reg. 89058 (the “Proposed Rule”) and supports the CMMC framework. As discussed more fully below, however, the Coalition recommends that certain provisions of the Proposed Rule be revised and clarified. Our principal concern is that compliance with the final Rule will be prohibitively expensive such that innovative small businesses are forced out of the Defense Industrial Base (“DIB”) or choose not to sell to DoD. We also are concerned that commercial item suppliers will be forced to assume expensive compliance obligations without proportionate benefits to industrial security."
"MITRE is an active proponent of the DoD’s cyber security initiatives and acknowledges the need for the DIB to play its role in bolstering its security controls. However, we also understand the unique challenges posed to the DIB in implementing 800-171 controls and meeting the requirements of the CMMC program. As an FFRDC, MITRE is an active participant in the DIB and subject to the provisions of 800-171 and CMMC. MITRE participates in a variety of forums, exchanging ideas with peers and interacting with the DoD to request clarifications and provide feedback. MITRE’s enterprise and lab environments have undergone control assessments from multiple government entities, covering a variety of control frameworks and customized assessment methodologies. This puts MITRE in a unique position to understand the challenges the industry will face in trying to attain CMMC certifications."
"This paper outlines the program and scoping recommendations that would support the validation of a Service Provider as qualified to perform security capabilities on behalf of an OSA/OSC."
"NDIA fully supports the policy objectives of the CMMC program and has provided multiple comments on behalf of its members as the Department of Defense (DoD) formulated different iterations of the program. The CMMC proposed rule, however, presents a dramatic impact on the DIB as it imposes costs and stringent requirements for which compliance must be attested and/or independently assessed. Considering that the rule will rely heavily on DIB compliance and collaboration, NDIA would note that the short time frame to comment on the 234-page proposed rule published on December 26, 2023, diminishes the ability of industry to fully evaluate and respond to the proposal."
"The Nordic FAR/DFARS Council is a forum facilitating industry collaboration to build excellence in U.S. Government contracting in the U.S. facing Defense Industrial Base (DIB) in Sweden, Norway, Finland and Denmark. The Council actively promotes best practices related to FAR/DFARS amongst the defense supply chain in named countries. The Council was established in 2023 by leading defense companies in the Nordics. The Nordic FAR/DFARS Council appreciates the opportunity to provide a non-U.S. perspective and comment on the proposed rule DOD-2023-OS-0063, Cybersecurity Maturity Model Certification (CMMC) Program."
"These comments are submitted by the Canadian Association of Defence and Security Industries (CADSI), which represents over 700 defence, cyber and security companies that comprise the Canadian defence industrial base (DIB). Given the integrated Canada-U.S. defence industrial base, the majority of these companies will be impacted by the final Rule on the Cybersecurity Maturity Model Certification (CMMC) Program. We look forward to working with the U.S. Department of Defense (DoD) and the Government of Canada (GC) to ensure that CMMC does not become a barrier to bilateral defence trade."
"Foremost, we want to congratulate you all on the herculean effort to publish the Draft 32 CFR Part 170 Cybersecurity Maturity Model Certification (CMMC) Program rule and related documentation. Overall, we found the rule to be well written and in-line with our expectations since we began working with the CMMC Program in 2019. Given the hundreds of pages involved, disconnects and areas needing clarification were identified by our team. In the following pages, we identify those issues, try to cite the specific areas, and then try to provide suggested recommendations to address what we identified."
"As a Managed Service Provider (MSP) and Managed Security Service Provider (MSSP) to over 300 clients operating in the Defense Industrial Base (DIB) – as well as being a defense contractor ourselves – we appreciate the opportunity to provide constructive feedback on the CMMC proposed rule. We commend the DoD for recognizing the critical role that MSPs and MSSPs (referred to herein collectively as “MSPs”) play in securing the DIB. Many of our DIB clients, most of them small businesses, express that they could not implement their contractual requirements to protect CUI without the help of an MSP."
"Encouraging and facilitating consistency and understanding of the Cybersecurity Maturity Model Certification (CMMC) assessment process is critical to promoting and ensuring the ongoing integrity and credibility of CMMC certification. With participation from CMMC 3rd Party Assessment Organizations (C3PAOs) across the CMMC ecosystem, this forum facilitates communication and professional practices among its members and educates Organizations Seeking Certification (OSCs), prospective C3PAOs, assessors, and others about the CMMC accreditation, assessment, and certification processes."
"The CMMC Proposed Rule is misaligned with the reality that is small business cybersecurity posture and because of establishing mandates built on the false premise, the Rule will not have its intended effect on protecting national security data."
"Thank you for the opportunity to provide feedback on the proposed Cybersecurity Maturity Model Certification (CMMC) Policy. With the breadth of content from DoD Policy to formulating the Cybersecurity Ecosystem, ND-ISAC focused this feedback on the Defense Industrial Base (DIB) Sector Specific Subordinate Parts designated as 32 CFR 170.14 – 170.24. As both Titles 32 and 48 continue in rulemaking ND-ISAC encourages the following positions to avoid undue operational impacts:"
Update (February 29, 2024):
"RTX Corporation (RTX) greatly appreciates the Department of Defense’s (“the Department” or “DoD”) past and continuing collaboration with RTX and the Defense Industrial Base (DIB) during the development and enhancement of the Cybersecurity Maturity Model Certification (CMMC) program. We share the Department’s goal of safeguarding Covered Defense Information (CDI) and Controlled Unclassified Information (CUI) throughout the DIB supply chain. However, we note that the proposed rule poses implementation and interpretive difficulties, and our comments and recommendations are included below."
"We welcome the Department’s continued commitment to improving the cybersecurity hygiene of the defense industrial base (DIB) by advancing the Cybersecurity Maturity Model Certification (CMMC) program. We greatly appreciate that the Department of Defense (DoD) has addressed many of the recommendations that it received as part of the previous public comment periods. We were particularly pleased to see that this rule and the supporting documents clarify the process for scoping the CMMC assessments while also prioritizing incremental progress on harmonizing the regulatory landscape by providing some pathways for reciprocity."
"CTIA is pleased to submit comments on the Department of Defense (“DOD”) draft rule updating its Cybersecurity Maturity Model Certification (“CMMC”) program (“Proposed Rule”). CTIA has previously engaged in this and related proceedings, including the Defense Federal Acquisition Regulation Supplement (“DFARS”) cybersecurity assessment rule, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Cyber Threat and Incident Reporting,5 and National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,6 to offer the unique perspective of the wireless segment of the communications sector. CTIA members have a unique role as government contractors providing connectivity via commercial networks."
"NRECA appreciates the opportunity to provide comments on the DOD December 26, 2023, proposed rule to implement an Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) program to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information with the DOD supply chain. NRECA’s comments are provided below."
"On behalf of the Aerospace Industries Association of Canada (AIAC), our industry members - including small businesses contributing to the supply chain and large OEMs acting as contract primes to the U.S – and other stakeholders, we are highlighting three (3) key considerations for the Department of Defense to make as it considers CMMC’s impact on the US defense supply chain and Canadian industry."
"The Department of Defense (DoD) has greatly refined the CMMC Program requirements in the proposed regulations, and our communities commend the department for its efforts. Our comments highlight specific points that reflect significant progress in the ongoing development of the program while also drawing attention to areas where further clarification or potential changes may be beneficial to all CMMC stakeholders."
"Thank you for providing the opportunity to comment on the Cybersecurity Maturity Model Certification Program (CMMC 2.0) proposed rule (RIN 0790-AL49). The proposed rule lays out an important set of baselines and standards for the defense industrial base that will be critical to maintaining the security and resiliency of America’s defense community."
"We were pleased to see that the proposed rule addresses many of the recommendations that were previously provided by industry stakeholders. We appreciate the rules’ general alignment with the policy objectives that were communicated as part of the move from CMMC 1.0 to CMMC 2.0 and in subsequent engagements. We believe the rule provides much needed clarity on key questions, including the streamlining of Assessment Levels, a more flexible process of flowing down CMMC requirements to subcontractors, and a clearly defined roll out period that provides enough time for contractors to fully implement the program’s requirements."
. . .
