Working out arrangements with foreign partners is 'next hurdle' for CMMC implementation


The Pentagon hopes to begin implementing its Cybersecurity Maturity Model Certification (CMMC) program requirements in contracts next year. However, the department still needs to work out how it’s going to bring foreign vendors into the fold, according to DOD’s point person for the effort.

CMMC is a high-priority effort to prod defense contractors to better protect their networks and the controlled unclassified information (CUI) they handle from adversaries. The new CMMC requirements are currently going through the federal rulemaking process, which must be completed before they can be written into contracts. Pentagon officials are hoping to have an interim rule issued in March 2023, after which DOD would begin implementing the program in some contracts in May 2023.

There are hundreds of thousands of suppliers in the Pentagon’s defense industrial base, including many overseas vendors.

“This international side will probably have to have an additional rulemaking capability. We did not include the international part in the initial rule because we needed to expedite it and get it through and have it established first. And so that will be our next hurdle after we get this rule rolling: to pivot towards the international side,” said Stacy Bostjanick, chief of defense industrial base cybersecurity and deputy chief information officer for cybersecurity at the DOD.

Bostjanick is the department’s point person for implementing the CMMC program across the defense industrial base.

NIST SP 800-171 cybersecurity standards — which will form the backbone of CMMC requirements — already apply to foreign vendors, she noted during a CMMC webinar hosted by PreVeil on Wednesday.

“But for the implementation of CMMC, we have to work to establish agreements between our partners and the U.S. as to how we’re going to implement that in their spaces,” she said.

Under the Cybersecurity Maturity Model Certification paradigm, CMMC third-party assessment organizations (C3PAOs) will conduct assessments to verify that contractors are complying. However, some foreign partners don’t like the idea of having Americans perform that role on their territory and are looking for alternative arrangements, Bostjanick suggested.

“We’ve had a couple of countries to date that have balked at the prospect of a U.S. person coming and doing an assessment on their soil. And so we’re working closely with the different partners to come up with a paradigm where either they have [their own] assessors and are putting assessors in place, [or] some countries are interested. Some countries are interested in sending their assessors to the U.S. to be trained or adopting the training in their country to be able to train assessors. We’ve had some countries that have wanted to have their government officials be the assessors and want to have them come and get trained to do it,” she said.

“Each country is taking a little bit different tack in approaching this. And so we’re working very closely with each and every one of them to be able to put together an agreement or an MOU as to how this will go forward in the future,” she added.