CMMC reciprocity in sight for 2021


The Defense Department is still figuring out how to save contractors money under its unified cybersecurity standard by authorizing reciprocity with multiple government certification programs, but an answer could come by the end of the 2021 fiscal year.

One of the key pledges DOD needs to fulfill for its Cybersecurity Maturity Model Certification (CMMC) program is to build on work contractors have already done to meet security requirements for programs such as the Federal Risk and Authorization Management Program (FedRAMP).

Stacy Bostjanick, CMMC's director at the Defense Department's Office of the Undersecretary of Defense for Acquisition and Sustainment, said a team is working with the General Services Administration and DOD to align the requirements, methodologies, and levels of the two programs.

"FedRAMP allows for [plans of action and milestones] and CMMC does not," Bostjanick said Feb. 10 during an AFCEA NOVA event on IT and the intelligence community. "You've either got it or you don't."

Additionally, DOD has completed its reciprocity assessment for the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which was stood up in 2019 and has performed provisional audits, Bostjanick said, and a guidance memo is awaiting signature. FedRAMP guidance should follow by the end of the fiscal year.

Reciprocity has been a key sticking point in efforts to limit what contractors must spend to comply with the new standard, which is expected to be included in all Defense Department contracts by 2025.

Bostjanick said that when it comes to allowable cost (what contractors can bill the government for reimbursement), "up to [CMMC] level 3 will be included in your indirect rates. So, you don't get a direct charge to do it, but you do get to recoup the cost over time; you have to spread it across all of your business."

CMMC Levels 4 and 5, the most expensive and technically challenging levels, would most likely be a direct charge to the contract, she said.

Calls for stronger defense industrial base security have intensified in the wake of the widespread, ongoing supply chain campaign that leveraged weaknesses at multiple technology vendors, including SolarWinds.

Bostjanick said that while CMMC, even if fully implemented, would not necessarily have prevented the attack, it would have allowed companies to be more aware of it.

"Everything that we've put in place is not going to 100% protect you against advanced persistent threats. It most probably, up to Level 3, would not have protected you against SolarWinds; it may have given you some indication that it was there," she said.

But the goal, she said, is for CMMC to become irrelevant as elevated cybersecurity practices become the norm.

"CMMC, really, my hope and prayer is that one day we don't even need it anymore because companies all become so aware and they have a culture of security and they start thinking in advance of these threats," Bostjanick said.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

Click here for previous articles by Williams.
