WASHINGTON – In comments submitted today, global tech trade association ITI called on the U.S. Department of Defense (DOD) to further improve the cybersecurity baseline requirements for the defense industrial base in order to more efficiently and effectively achieve U.S. national security goals without compromising the country’s technological leadership. The underlying DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, partially goes into effect today. ITI’s comments offer specific recommendations to strengthen the implementation of the NIST SP 800-171 assessment requirements and the Cybersecurity Maturity Model Certification (CMMC).
“ITI remains committed to partnering with the U.S. Department of Defense to enhance the U.S. national security posture while also maintaining its technological leadership and international competitiveness,” ITI wrote in its comments. “As the Department moves forward with the CMMC, we believe that it is important to get its implementation right by developing and implementing those cybersecurity protocols that are necessary, while simultaneously guarding against actions and regulations that do not add security and result in harm to industry’s ability to innovate and partner with DoD. In this spirit, we appreciate the opportunity to identify areas that could benefit from further elaboration and consideration and provide additional suggestions to ensure the CMMC process is fair, efficient, and effective. Our recommendations will ensure that the U.S. protects national security without compromising its technological leadership, innovation, or international competitiveness.”
In recommendations on the NIST SP 800-171 DoD Assessment Methodology, ITI encouraged DOD to include language in the final rule to:
- Define the appropriate boundaries for the self-assessment;
- Set the parameters of what warrants Medium and High Assessments;
- Provide additional information on the authorized assessment organizations;
- Assign clear responsibilities and accountabilities for assessment of subcontractors;
- Clarify how contracting officers will use the assessment results; and
- Avoid duplication between the NIST SP 800-171 DoD Assessments and the CMMC requirements once CMMC is successfully implemented.
In recommendations on the CMMC requirements, ITI encouraged DOD to include language in the final rule to:
- Ensure CMMC assessment results are safely stored;
- Allow for flexibility when requiring compliance at time of award;
- Provide more detail on certification requirements for complex business environments;
- Clarify the recertification process and allow for timeline flexibility;
- Provide Department-wide guidance to ensure consistency in CMMC requirements;
- Expand on reciprocity efforts with other cybersecurity standards;
- Allow prime contractor flexibility in flow-down requirements;
- Clarify applicability to entities providing Commercially-Available Off-the-Shelf (COTS) Products;
- Better define the role of CMMC Levels 4 and 5 in the DoD cybersecurity ecosystem; and
- Ensure an efficient and accountable Accreditation Body that is free from conflicts of interest and appropriately funded to execute its mission.
ITI has provided industry input on the DOD’s CMMC at key stages in the process throughout 2019 and 2020, including through leadership on a March 2020 multi-association letter.