February 26, 2024
Office of the Department of Defense Chief Information Officer
Department of Defense
1000 Defense Pentagon
Washington, DC 20301-1000
Submitted via regulations.gov
RE: Feedback on the proposed rule on the Cybersecurity Maturity Model Certification (CMMC) Program, docket number DoD–2023–OS–0063
The Operational Technology Cybersecurity Coalition (OTCC) appreciates the opportunity to submit feedback on the proposed rule updating requirements for the Cybersecurity Maturity Model Certification (CMMC) Program. The proposed rule seeks to verify that defense contractors and subcontractors have implemented required security measures; it expands the application of existing security requirements for Federal Contract Information (FCI) and adds new Controlled Unclassified Information (CUI) security requirements for certain priority programs.
Specialized Assets
The proposed CMMC rule clarifies scoping requirements regarding six categories of assets, including Specialized Assets. According to definitions in both the Proposed Rule and supporting documents, Specialized Assets are systems which cannot be fully secured but can process CUI, including Internet of Things (IoT) devices, Industrial IoT (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. The proposed rule states that Specialized Assets are subject to the CMMC requirements if they process, store, or transmit CUI.
The guidance also requires an Organization Seeking Assessment (OSA) or Organization Seeking Certification (OSC) to fully document Specialized Assets in its asset inventory, to fully document them in the System Security Plan (SSP), and to detail how they are managed under the OSA/OSC’s risk-based information security policy, procedures, and practices. Finally, the OSA/OSC must provide a network diagram of the CMMC Assessment Scope (including these assets) to facilitate scoping discussions during the pre-assessment.
OTCC appreciates that the scoping guidance allows contractors to exclude Specialized Assets from the scope of the CMMC assessment if they can demonstrate that the assets are adequately protected by other means, such as physical security, encryption, or isolation. However, problems remain with the definition of CUI that the Proposed Rule does not address.
Application of Controlled Unclassified Information Labels
Because the required level of security for Department of Defense (DoD) contractor Specialized Assets rests largely on whether the asset processes, stores, or transmits CUI, the definition of CUI is critical. DoD defines it as:
“Government-created or owned UNCLASSIFIED information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies. It is sensitive information that does not meet the criteria for classification but must still be protected.” [1]
The definition of CUI applies to data managed by a number of Federal entities, and DoD helpfully maintains a registry of the various categories and definitions in the CUI Registry. [2] However, the application of those definitions across government data sets is uneven and has a historical bias toward overclassification. [3] There are a number of reasons for misapplication of the CUI label, including a lack of training, or uncertainty on the part of the controlling entity as to how sensitive the data actually is. A March 2023 report by the Nonproliferation Policy Education Center even questioned DoD’s use of CUI markings to withhold unfavorable missile test information from Congress. According to the report, the incident provoked the Senate Armed Services Committee to “question[] the necessity of the marking entirely.” [4]
OTCC believes that relying on the application of the CUI label to data as the only qualifying factor for Level 2 or Level 3 Certification Assessments risks limiting competition among some contractors, particularly small contractors. Further, the mismarking of data sets as CUI risks imposing increased costs on existing contractors. Whether a CMMC Level 2 Self-Assessment or a Certification Assessment applies to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract, as will Level 3 requirements. Therefore, the OTCC recommends that the CMMC rule include language clarifying the criteria DoD uses to determine whether the sensitivity of CUI merits a Level 2 or Level 3 Certification Assessment, and that those criteria take considerations beyond the CUI label alone into account.
Further, an attestation covering a government contractor’s entire supply chain is not practical given the global nature of supply chains, and it will further limit competition and access to innovation. Consequently, DoD should refine the scope of the subcontractor attestation flowdown by clarifying that government contractors are accountable for vetting the next lower-tier direct suppliers with which they have privity of contract.
Again, the OTCC appreciates the opportunity to provide feedback on the CMMC proposed rule and looks forward to serving as a resource moving forward.
Sincerely,
Andrew Howell
Executive Director, OTCC