Updates to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program appear as an action item on this month's U.S. General Services Administration (GSA) semiannual Unified Agenda. This next CMMC iteration, streamlining requirements to only three levels of cybersecurity that align with the well-known and widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards, is set to go through the public comment process as soon as the relevant rule(s) are published to the Federal Register. Once the rulemaking effort is complete, CMMC 2.0 will become a Department of Defense (DoD) contract requirement, as evidenced in solicitations that will refer to related NIST Special Publication 800-171 or 172 Federal Acquisition Regulations (FAR) and Defense Federal Acquisition Regulations Supplement (DFARS) clauses, including the newly promulgated DFARS 252.204-7024. It is also expected that solicitations will specify the requisite level of CMMC 2.0 compliance. As part of the contract requirements there will be an emphasis on the reporting effort—either to the Supplier Performance Risk System (SPRS) for self-attestations or by third parties (3PAO or government assessors)—and factoring in SPRS scores to develop supplier risk assessment.
The rulemaking process has commenced on other related fronts, too. On April 27, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a Request for Comment on a draft attestation form the government will request of software providers providing software developed or with major updates occurring after September 14, 2022. The comment period is in effect for 60 days, concluding on June 26, 2023.
This Secure Development Attestation Common Form (the “Common Form”) follows the Office of Management and Budget (OMB)’s September 14, 2022 memorandum interpreting Executive Order 14028 “Improving the Nation’s Cybersecurity.” In this memorandum, the OMB requires federal agencies to use NIST-compliant software vendors that can provide proof of compliance via self-attestation or third party certification. More specifically, software vendors must attest that they comply with (1) the NIST Secure Software Development Framework (NIST Special Publication 800-218) and (2) the NIST Software Supply Chain Security Guidance (collectively, “NIST Guidance”). If software providers do not meet the NIST Guidance, they cannot make the attestation and need to secure a waiver and rely on Plan of Action and Milestones (POAMs) to close the compliance gaps.
Advancing the cybersecurity environment remains at the forefront of the government’s priorities as seen thus far. Meanwhile, the technology community must continue to stay nimble and balance its own priorities against the ever-changing compliance targets. With more developments coming down the pipeline, it is important to track the moving pieces, particularly if you are a DoD contractor handling Controlled Unclassified Information (CUI) and provide or partner with custom developed commercial software and cloud service providers. If all of these things apply to you or partners in your supply chain, then you should be tracking updates from the OMB, CISA, and DoD to include CMMC and FedRAMP programs which are not going away with the advent of new cybersecurity requirements like the Common Form.
It may seem like the government is piling on and complicating the cybersecurity landscape, but, fortunately, many of these requirements overlap, and technology providers should continue to capitalize on any emerging economies of scale. To start, software providers should review the draft Secure Software Development Attestation Common Form and Instructions to understand what they need to attest to.
In the spirit of capturing economies of scale, here are some additional steps software providers can take to efficiently execute the newly proposed Common Form:
- If you protect CUI using some of the same practices you use to develop software (e.g., using environment enclaves, multi-factor authentication, defensive cybersecurity practices), leverage your CMMC 2.0 self-assessment reported in SPRS or as conducted by a third party to answer the Common Form questions;
- If you have to comply with FedRAMP, and you already have a 3PAO assessment, be ready to provide the 3PAO assessment as part of the Common Form attestation;
- Ready your materials for substantiating the self-attestation if you do not have a 3PAO assessment from FedRAMP compliance efforts (i.e., a Software Bill of Materials (SBOM), evidence of participation in a Vulnerability Disclosure Program, or any other artifacts an agency deems necessary); and
- Prepare or leverage your CMMC 2.0 and FedRAMP Plan of Action and Milestones (POAMs) in the event you cannot meet the minimum Common Form cybersecurity requirements.
The Morris, Manning & Martin, LLP Government Contracts team continues to closely track cybersecurity updates including developments to CMMC 2.0 and the Common Form, and is available to advise clients as the compliance regime continues to shift and develop.
