January 2023 CMMC Town Hall Meeting

Today, I'm going to have a slightly different focus and talk about compliance instead of cybersecurity. Specifically, I'll discuss my thoughts from attending a virtual Cybersecurity Maturity Model Certification (CMMC) town hall meeting that was held just a few days ago. For those unfamiliar with that term, it's a certification model designed to force Department of Defense contractors and subcontractors to implement a much higher level of cybersecurity for their businesses. They currently have to do this to help prevent the Department of Defense from getting hacked and information vital to our national security from being leaked to foreign governments that really don't have our best interests at heart. So let's get started.

This month's CMMC Town Hall was a master class in the rulemaking process that the Department of Defense has to navigate to get regulations passed. Bob Metzger, an expert on federal rules developed to help improve cybersecurity for the defense industrial base, has been a vocal leader in the CMMC ecosystem and spoke for about 35 minutes on the complex variables in play for the CMMC rulemaking process. He laid out two main points in great detail.

First, Bob's opinion is that the DoD did not scrap the CMMC program with last fall's unified agenda but rather endorsed third-party assessments and spoke against the world of self-assessments. The message here is that the Department of Defense definitely believes in third-party assessments. In my opinion, the question should be when, not if. Third-party assessments on controlled unclassified information handling systems will be required.

Next, Bob's analysis should be a wake-up call of gigantic proportions for May 2023 rulemaking completion. My understanding is that with 90% of the final clauses already published, if you read DFARS 7012, 7019 and 7020, this clearly indicates what should be happening right now. My thoughts are that there's been a lot of confusion lately about whether the CMMC assessments are coming or not.

A lot of this is coming from the defense industrial base, which knows the catch-22 of imposing assessment preparation costs now, when the current contracts supposedly already had this accounted for. I understand this concern, and it really isn't fair here in 2023, but we have to remember how the industry got to this point. Contract costs are an important factor in who wins the award, and when everyone can slide by on something as important as cybersecurity, it's no surprise that this cost went unaccounted for. Now, I'm not a legal scholar like Bob Metzger is, but generally speaking, my main takeaway is that the federal rulemakers are putting forth heavy efforts to navigate the complex endeavor of CMMC assessments because they believe it matters. They really could have ended all of it at so many points, yet they haven't. Remember, this is not about contracting and contractors. This is about the accomplishment of the mission.