CMMC Update: Senate Armed Services Committee Asks For Further Study

     The peculiar path toward implementation for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program took yet another twist earlier this month.

    On July 8, 2024, the Senate Armed Services Committee released its version of the Fiscal Year 2025 National Defense Authorization Act (NDAA 2025).  Along with it, the Committee published its Committee Report in which it expressed grave concerns over DoD’s implementation of CMMC.  According to the Committee, “the lack of clarity on implementation has caused some consternation in industry, particularly from small businesses and subcontractors that are primarily commercial suppliers for larger defense systems.”  The Committee also cited several roadblocks to implementation by universities, including having to set up new systems that seamlessly interoperate with legacy information technology systems, as well as the cost of implementation, which would “eat[] away at the funds available for research itself.”  Indeed, the cost of compliance more generally across the defense industrial base seemed to be a significant sticking point for the Committee:

The committee is concerned that some organizations must invest considerable time and expense into bringing systems up to National Institute of Standards and Technology 800-171 standards, especially small businesses and commercial manufacturers that supply defense companies.

     The Committee concluded its section on CMMC with a recommendation that “[DOD] assess the CMMC 2.0 model to best determine how to refine compliance requirements to prevent a one-size-fits-all approach” and by directing the Comptroller General of the United States to conduct a study to assess DOD’s implementation of CMMC 2.0.  The study is required to include (1) a description of how DOD intends to maximize the ability of CMMC to adapt to changing threat environments within artificial intelligence, operational technology, and Internet of Things domains; (2) plans for standardizing and conforming DOD’s marking processes for controlled unclassified information and the anticipated impact on certification processes; (3) plans for how DOD intends to aid subcontractors, including small and nontraditional businesses, with CMMC compliance; (4) assessment of the level of “red teaming” requirements for an entity to maintain compliance; and (5) any additional information the Comptroller General deems appropriate to include to meet the intent of the study.

     The Committee required the Comptroller General to provide an interim briefing to the Senate and House armed services committees by March 25, 2025, and a final report at a mutually agreeable later date. 

     In light of the Committee’s recommendation to DoD and its demand for further study by the Comptroller General, it is not clear whether DoD will, nevertheless, proceed with implementation of the CMMC program as laid out in DoD’s sprawling Proposed Rule published at the end of last year (read here) that details the program and its requirements.  The deadline for public comment on the Proposed Rule ended on February 26, 2024, but it seems possible that publication of a final rule that goes forward with full implementation of the CMMC program that was set out in the Proposed Rule may be met with some sort of congressional response.

     Government contractors may remember that DoD began rolling out CMMC in May 2019, and that later in the summer, in July 2019, DoD announced that it expected CMMC to be incorporated into solicitations beginning in June 2020, despite the absence of any statutory authority or implementing regulations.  Subsequently, in December 2019, Congress did authorize DoD to implement a framework for CMMC when it passed NDAA 2020.  DoD regulations eventually also began to catch up to DoD's ambitions with a September 2020 Interim Rule that set out an extended timeline for phasing in CMMC through September 2025.  And, as mentioned, last year’s Proposed Rule finally set out the CMMC program and its requirements in detail.

     Government contractors should remain alert to DoD rule publications and should continue to prepare themselves to meet CMMC’s underlying cybersecurity safeguarding and assessment requirements.