The move by the Department of War appears to be a temporary measure to provide ‘breathing room’ for U.S. defense contractors—but the contractors are still ultimately obligated to meet the program’s underlying data security requirements, MSP executives tell CRN.
The move by the U.S. Department of War to pause the next phase of requirements around the Cybersecurity Maturity Model Certification (CMMC) program does not mean the program’s underlying data security obligations are being relaxed for U.S. defense contractors, MSP executives told CRN.
The decision announced Monday appears to be aimed at providing more time for contractors to get up to speed while also finding ways to reduce CMMC-related costs for smaller contractors, the executives said. The Department of War decision suspends third-party CMMC assessment requirements for defense contractors that were scheduled to take effect in November.
[Related: MSPs Need To Keep CMMC Compliance Top Of Mind]
The MSP executives told CRN they are urging defense contractors not to interpret the move as a signal to abandon their cybersecurity preparations for complying with CMMC. The program is designed to verify compliance with stringent data security requirements that are included in defense contracts.
“The knee-jerk reaction from anyone who falls in scope [of the program] is that they think they don’t have to do it anymore—the proverbial ‘CMMC is dead,’” said Reagan Roney, CEO of Sterling, Va.-based Solvere One. “It is not. That’s not what they’re saying.”
Instead, the Department of War announcement suspends the requirements known as CMMC Phase II, which would have begun requiring independent third-party assessments for many defense contractors starting Nov. 10.
In other words, “the date is changing, but there are still requirements that exist,” Roney said. “This is legislation. Legislation is only changed by Congress. The administration can pause [the program], but this is going to happen.”
Rather than stopping their CMMC work, affected contractors should treat the suspension as additional time to implement the required controls, Roney said.
“My hope is that people don’t become complacent and think that they shouldn’t do it anymore—but rather look at that as some breathing room,” he told CRN. “This is breathing room to get things done. This isn’t, ‘Let’s stop because we don’t have to [comply].’”
Notably, the department is not suspending all of the existing CMMC requirements, with Phase I of the program remaining fully in effect. That phase permits the department to require both types of existing CMMC self-assessments, known as Level 1 and Level 2.
That means that contractors can still be held accountable for self-assessment submissions about their security safeguards, MSP executives said.
Overall, the department appears to be acknowledging that the previous assessment timetable was not achievable given the pace that the assessments are being done at, said Marc Menzies, CEO of Ronkonkoma, N.Y.-based Overview Technology Solutions.
“I think they’re being realistic about what’s actually happening,” Menzies said.
Thus, while contractors are getting a reprieve from the Nov. 10 deadline for third-party certification, they still need to implement the fundamental security controls, he said.
Key data security requirements under the DFARS 7012 clause, for instance, are “not going anywhere,” Menzies said. “Our clients and prospects have been given a break. But they need to still do those things.”
Likewise, for Vienna, Va.-based BASE Solutions, the November deadline was beginning to look unworkable for many clients, according to Atul Bhagat, president and CEO of BASE Solutions.
“A lot of our clients were starting to feel that pressure,” Bhagat said.
However, it’s clear that the Department of War is still going to hold contractors liable for meeting data security obligations, he said.
“This is a liability shift—now [contractors] are self-assessing again, but you’re still on the hook,” Bhagat said.
At the same time, the suspension could mean a financial hit for MSPs and assessors that have been basing their strategies around the November deadline, with the potential for reduced pipeline and requests to adjust pricing in the short term, executives said.
The biggest impacts are likely to be for organizations known as C3PAOs, or Certified Third-Party Assessor Organizations, which have made significant investments to be able to perform the independent assessments that are currently suspended, according to the executives.
60-Day Review
The Department of War also announced Monday that a newly established task force will carry out a 60-day review of the program. The announcement emphasized concerns about the high costs of complying with the CMMC program, particularly for smaller contractors.
The review is not all that surprising given the other regulatory and standards changes affecting the handling of data known as CUI (Controlled Unclassified Information), according to John Hill, CEO of San Antonio-based TechSage Solutions.
And it’s also true that the cost concerns cited by the Department of War—especially for smaller defense contractors—are legitimate, Hill said.
“A lot of the smaller contractors simply can’t afford to do it,” he said. “The assessments are costly. The preparation is costly.”
The bottom line, however, is that contractors should not interpret the pause in third-party assessment requirements as a relaxation of cybersecurity obligations, Hill said.
“If you want to continue doing that business, you’ve got to keep pressing on,” he said.







