US DoD finalizes CMMC cyber rules for suppliers
The department, which has largely depended on security self-assessments by its suppliers in the past, has been criticized for some time by its Inspector General for weak supervision of its suppliers. In a report released in December 2023, Inspector General Robert P. Storch noted his agency issued five reports from 2018 to 2023 that consistently found DoD contract officials failed to establish processes to verify that contractors complied with selected federal cybersecurity requirements for CUI as required by the National Institute of Standards and Technology (NIST).
No relief from pressure to comply
With the new rule, the CMMC program implements an annual affirmation requirement, a key element for monitoring and enforcing accountability for a company’s cybersecurity status. It also introduces Plans of Action and Milestones (POA&Ms). POA&Ms will be granted only for the specific requirements outlined in the rule, allowing a business to obtain conditional certification for 180 days while it works to meet the NIST standards.
Despite the introduction of POA&Ms, contractors are concerned about their ability to comply with the new rule’s requirements within the desired time constraints. “If anyone in the industry was hoping that the pressure would be relieved, I don’t think it was,” said Robert Metzger, cybersecurity practice chair at the law firm of Rogers Joseph O’Donnell.