Navigating the Federal Cyber Rulemaking Landscape: Insights from PSC's CMMC Comments
By Christian Larsen, Senior Associate for Public Policy, PSC

2024 is shaping up to be a busy and consequential year for the implementation of several key cybersecurity regulations that will impact the federal contracting community. These rules address, among other things, federal requirements for contractors to protect sensitive federal information on contractor systems and to disclose cyber incidents. Moreover, while some rules are specific to defense contractors, many will impact contractors governmentwide.

As a result, contractors will likely face challenges with reconciling, implementing, and ensuring compliance with numerous requirements across both defense and civilian contracts, requirements which may be contradictory and/or redundant.

In the last 18 months, PSC provided comments and recommendations on a slew of proposed and interim rules, including but not limited to:
• Securities and Exchange Commission's (SEC) financial disclosure and incident reporting proposed rule;
• Office of the National Cyber Director's (ONCD) cyber regulatory harmonization information request; and
• Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) Program proposed rule (hereafter "CMMC Program").

For PSC, getting the CMMC Program right is critical, as DoD cybersecurity guidance tends to serve as a template for governmentwide cybersecurity approaches. Industry feedback, as always, will play a crucial role in refining regulations prior to finalization and implementation.

PSC Comments on CMMC
Published on December 26, 2023, the proposed rule for the CMMC Program would introduce changes to Title 32 of the U.S. Code of Federal Regulations. PSC provided DoD with several overarching comments and recommendations for consideration, including:

Estimated Implementation Timeline and Associated Costs: PSC highlighted that the underlying National Institute of Standards and Technology (NIST) requirements against which contractors would need to assess their cybersecurity (e.g., NIST SP 800-171, which was itself under revision during the comment period) may change while the CMMC rule is still being finalized. Such revisions could force changes to contractors' Plans of Action and Milestones (POA&Ms) and cause firms to incur costs beyond the range estimated under the proposed rule. PSC recommended that DoD recognize that projected POA&M costs are not the same as costs already incurred, that such projected costs extend beyond the proposed 180-day period for closing out POA&M items, and that they would likely increase as the underlying NIST requirements change.

Contract Incorporation and Implementation: PSC also noted that there could be misalignment or contradictions among ongoing parallel rulemaking efforts. Contractors could face compliance challenges from requirements that do not match, or cannot yet be executed, because each effort (e.g., NIST SP 800-171 Rev. 3) is at a different stage of rulemaking. PSC recommended that DoD consider issuing a class deviation to allow an additional 9-12 months for alignment of recent National Defense Authorization Act provisions, as well as of changing policies, regulations (including NIST standards), assessment methodologies, certification of assessors, and industry adoption of these interrelated efforts.

Data Security for Operational, Logistics, and Sustainment Efforts: PSC believes that DoD's consistent, narrow focus on protecting technical data packages for major U.S. systems largely fails to address protection of data generated by operational and maintenance activities. For example, routine records such as invoices and bills of lading from DoD operational support purchases on the global commercial market are individually innocuous, but could be consolidated in such a way that the aggregate presents a security concern. PSC recommended that the rule provide accommodations for such circumstances.

Standardized Compliance Framework with Reciprocity: Beyond the CMMC Program, PSC has addressed the lack of a governmentwide standardized compliance framework in a variety of cyber rulemaking activities (e.g., ONCD's cyber regulatory harmonization information request). Companies that support both defense and civilian missions will incur higher compliance costs than competitors that serve only one of those markets, especially in the non-defense space. PSC recommended that DoD address the impact of its standards and compliance requirements on companies that support both DoD and non-DoD customers.

Clarity on CUI Standards and Markings: PSC views the increased use of automatic Controlled Unclassified Information (CUI) markings on DoD communications, including emails, calendar entries, and administrative documents, as problematic. A failure by DoD to apply CUI designations accurately and consistently could result in contractors treating every communication as CUI, with the associated handling and protection burden, even when it is not. PSC recommended that DoD establish primary controls over CUI marking standards by developing and issuing a CUI "Class Guide" in a manner similar to the Security Classification Guides (SCGs) developed for classified programs.

The above examples represent a cross-section of PSC's recent comments and recommendations in this dynamic space. PSC's full comments on DoD's CMMC Program proposed rule, including CMMC resources and an addendum with more specific industry comments, are available from PSC. If you have any questions regarding CMMC specifically, or PSC's cybersecurity comments generally, please reach out to Christian Larsen, Senior Associate for Public Policy, at Larsen@pscouncil.org.