MITRE’s Response to the DoD RFI on Cybersecurity Maturity Model Certification

What’s the issue? DoD is proposing to establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) program, implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs.

What did we do? The Center for Data-Driven Policy led a cross-MITRE analysis of the draft rules, seeking to uncover data and evidence from our work in the public interest that would help them understand opportunities and develop plans to finalize the rule so that it is evidence-based, actionable, and effective.

What did we find? The CMMC program is in the best long-term interests of the DoD, but the impact of this rule on the Defense Industrial Base, particularly small contractors, needs to be better considered. The DoD also needs to define a process for how requirements will be added or modified over the long term, such that contractors can work toward adopting new controls within reasonable periods of time to facilitate successful implementation and certification.