Countdown to Compliance: Q&A with Stacy Bostjanick and Dave McKeown

On June 24, 2022, senior Department of Defense officials addressed more than 2,400 registrants for PreVeil’s webinar, Countdown to CMMC Compliance. Participants heard the latest updates on the DoD’s CMMC program directly from Stacy Bostjanick (DoD, CMMC Program Head) and Dave McKeown (DoD, CIO and CISO), who also reviewed DoD’s broader efforts to protect the Defense Industrial Base (DIB) from cyberattacks.
If you didn’t get the chance to attend the presentation live, a recording of the webinar is available here.
Interest in the DoD’s CMMC update ran high: more than 100 questions were submitted before the webinar. PreVeil consolidated those submissions into 10 questions that reflected their most prevalent themes. Bostjanick and McKeown’s answers to those questions—edited for length and clarity—are offered here to help inform your organization’s efforts to achieve CMMC certification.

Question: Can you clarify defense contractors’ existing obligations for protecting CUI [Controlled Unclassified Information] under DFARS today—before CMMC goes into effect?

Definition: CUI
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Answer (Bostjanick): If a defense contractor currently has the DFARS 252.204-7012 clause in their contract—which identifies NIST 800-171 as the requirements that must be complied with by any company that handles CUI—then they need an SSP (System Security Plan) showing their compliance with NIST 800-171. If they don’t meet all the requirements, they need a Plan of Actions & Milestones (POA&M) to “burn” those remaining requirements off and get fully compliant.
NIST 800-171 came into being Dec. 31, 2017, so it’s not new. And NIST started working on it in 2013, so it’s been around a long time and companies should be familiar with it.
Also, the first DFARS Interim Rule [effective Nov. 2020] spelled out two clauses: 7019 [DFARS 252.204-7019] requires contractors to register and report their required NIST 800-171 self-assessment scores to the DoD’s SPRS [Supplier Performance Risk System]. And clause 7020 [DFARS 252.204-7020] says that if you have a contract that involves handling CUI and the DCMA [Defense Contract Management Agency] knocks on your door to do an audit, you agree to let them in and do that audit.
As part of a pilot program, the DIBCAC [Defense Industrial Base Cybersecurity Center] conducted approximately 300 random audits by walking companies through a medium-level assessment. They found that very few SPRS scores matched reality—that is, many companies were scoring their compliance with NIST 800-171 higher than they should have been. DIBCAC wants to learn from that and discover if there’s a knowledge gap about the requirements that we need to fill.

Question: About the discrepancies between SPRS scores and DIBCAC audit results: can you please comment on the Department of Justice’s and other initiatives to step up enforcement to ensure that organizations meet DFARS requirements?
Answer (McKeown): The Department of Justice [DoJ] will potentially use the False Claims Act when it finds major discrepancies [between SPRS scores and DoD audit findings]. Discrepancies are not a good scenario—but what’s even worse is if there’s not just fraud but also a major incident with a serious impact to a DoD program. Our goal is to protect our data that’s so vital to our national security, and DoJ is willing to help us out on that with the False Claims Act.

Question: CMMC 2.0 introduced the notion of limited waivers. Some interpret this mechanism as offering flexibility to embark on CMMC 2.0 compliance after they have been awarded a contract that requires certification. Can you offer clarification on this topic?
Answer (Bostjanick): Waiting to achieve CMMC compliance is not a good strategy. There will be only “rare exceptions,” or waivers, to CMMC requirements. Those will be possible only when an industry is so innovative and new that it couldn’t possibly meet CMMC prior to the award of its contract.
Time-limited POA&Ms—and all POA&Ms will be time-limited under CMMC—will need to be closed out within the allotted amount of time after contract award, or the contracting officer can hold your organization accountable by withholding payments, via “show cause” notices [informing the organization that contract default is pending unless the contractor can show why it shouldn’t be], or by starting termination of the contract.
The key point to remember is that these regulations protect not just DoD’s CUI, but also you and your business IP and your money, too, which is being stolen from defense contractors by criminals accessing banking information.

Question: There are many questions about CMMC timing and when an organization should start on compliance. Some companies are taking the approach that it’s prudent to wait until the program details are finalized before commencing implementation of their compliance program. Would you agree with that assessment?
Answer (McKeown): No, it’s not prudent to wait. NIST 800-171 has been in effect for a long time and it’s better to be able to accurately report where your company is in terms of compliance with it. Full adoption of NIST 800-171 should have begun long ago.
DoD is working on allowing early [third party] CMMC assessments and honoring them when CMMC is implemented.

Question: CMMC 2.0 applies to federally funded higher education research institutions. Will it apply to the whole university or only to those departments handling CUI?
Answer (McKeown): CMMC requirements will follow the data—just the smaller units within institutions that handle CUI will need to be assessed and certified for CMMC compliance.

Question: How does CMMC apply to Managed Service Providers? Are MSPs going to need to certify if they support DOD contractors?
Answer (Bostjanick): My team is working on this now. We expect that MSPs that support defense contractors will need to comply with a hybrid of FedRAMP and CMMC requirements. We’re working to make sure that CRMs [Customer Responsibility Matrix] accurately show which security controls the MSP supports and what it does not. We’ve seen some problems with CRMs. It’s very important to get that documentation right.

Question: When can CMMC 2.0 assessments begin? How do you see them scaling throughout the DIB?
Answer (Bostjanick): CMMC 2.0 assessments have already begun for C3PAOs. The CAP [CMMC Assessment Process, which C3PAOs will use to conduct assessments of contractors] is in its final edit stage and we expect to release it within the next couple weeks. At that point, C3PAO assessments can start.

Question: What is the DoD’s expectation for assessing compliance with DFARS 7012, particularly (c)-(g), as part of a CMMC assessment? To be clear, defense contractors handling CUI will need to comply with both NIST 800-171 and DFARS 7012 (c)-(g) requirements for incident reporting.
Answer (Bostjanick): Today, DoD has no expectation of sunsetting the 7012 clause and so it will continue to appear in contracts after CMMC is implemented. But CMMC assessors will not be looking at whether an organization is appropriately reporting incidents. That will be handled by DC3 [DoD’s Cybercrime Center]. However, if there is an incident, there will be a forensic lookback to learn whether the assessors missed it, do they need more training, did the company become negligent after the audit, etc.

Question: Many defense contractors believe they have already met many of the NIST 800-171 requirements based on their compliance with previous standards such as ISO or FedRAMP. Can you offer guidance on reciprocity with ISO or FedRAMP?
Answer (McKeown): DoD endorses reciprocity. Mappings [across the regulations] exist and it would be very easy to run a cross-check and give credit [for compliance]. DoD probably needs to do more on this.
Beyond reciprocity, we would also like to conduct a FedRAMP-like assessment of cloud services and create a DoD list of providers that meet all of NIST 800-171’s 110 controls to DIBCAC’s satisfaction. And then DIB contractors that use one of those companies would get credit for meeting those requirements.

Question: Several registrants for this webinar are from outside of the U.S. What is the DoD’s plan for applying the CMMC standard to non-U.S. entities?
Answer (Bostjanick): CMMC has a flow down requirement [holding defense contractors responsible for their supply chain, including non-U.S. entities]. So CMMC will apply to international contractors.
DoD is working to strengthen this [international supply chain] in collaboration with its Five Eyes partners [Australia, Canada, New Zealand, the United Kingdom, along with the United States] and other allies to get this done.

Question: Please share with us your final message to the DIB. What should our webinar participants be doing now?
Answer (McKeown): Get on track now with complying with NIST 800-171. Reach out to us, or hire a third party if you need help. Remember that the shift from CMMC 1.0 to 2.0 happened because the DoD heard from you. We’re still looking for good feedback and information on how to make CMMC better. So, please tell us your pain points so we can work on additional modifications as needed.

(Bostjanick): Companies need to understand that we’re being [cyber] attacked moment by moment, that they need to be aware of what the threats are, to get on top of them, and protect not only DoD data but their own.
DoD isn’t ramping up CMMC and other cybersecurity initiatives to be onerous. This is about national security and protecting our warfighters.
