The US Department of Defense (“DoD”) recently transferred control of the Cybersecurity Maturity Model Certification (“CMMC”) program from the Office of the Undersecretary of Defense for Acquisition and Sustainment (“OUSDA&S”) to the Office of the Chief Information Officer (“CIO”). On Thursday, February 10, 2022 the DoD CIO’s office held the first of three “identical” town halls. The recording of the town hall can be viewed here:

The CIO’s office was joined by representatives from the National Security Agency (“NSA”) and the DoD Cyber Crime Center (“DC3”) to discuss how those groups can help defense contractors and others enhance their cybersecurity programs. The CIO’s office also discussed CMMC 2.0.

Regarding CMMC 2.0, the CIO’s office raised a few new points, including:

  • The CMMC rulemaking process is progressing, but the CMMC DFARS rule (DFARS 252.204-7021) will likely not be finalized for another 24 months. This is longer than previously stated by DoD (they originally stated it would take 9-24 months back in September 2021).
  • The implementation/effective date for CMMC may be pushed back beyond the date the DFARS rule becomes effective. They commented that it might be as much as three (3) years from now before the CMMC DFARS clause will appear in contracts.
  • After careful analysis, DoD has concluded that the vast majority of companies handling Controlled Unclassified Information (“CUI”) will need a third-party CMMC certification. That is, those companies will not be permitted to only “self-attest” under CMMC 2.0.
  • DoD is looking at ways of incentivizing companies to get certified over the next few years before the CMMC DFARS rule fully takes effect.
  • DoD is STRONGLY encouraging contractors to start their CMMC assessment preparations now.

Analysis:

The Q&A session at the end was very informative. One topic of particular interest for contractors was the question of CUI training for DoD staff. According to the CIO’s office, DoD recognizes the need for their staff to understand how to properly identify and mark CUI. However, this type of training is being led by other groups within DoD, and the CIO’s office appears to have little to no visibility into this program. They weren’t even sure which group in DoD is responsible for the training. We have seen several examples of over-marking of DoD’s information, and under-marking of contractor and third-party information, and the implications for contractors can be significant. We hope that senior DoD officials and others receive appropriate training to better protect all parties’ information.