Cybersecurity Update: DoD Releases Strategy Summary & CMMC Regulations Are Coming (Soon)

     Earlier this month, on September 12, 2023, the U.S. Department of Defense released the summary of its cybersecurity strategy, titled Summary 2023 Cyber Strategy of the Department of Defense (Strategy Summary).   The Strategy Summary provides unclassified highlights of a May 2023 classified report that describes how DoD intends to operate in cyberspace to protect the American people and advance U.S. defense priorities.

     Setting out DoD’s cyber defense plan concisely in only 15 pages, the Strategy Summary is a relatively easy read that begins with a blunt assessment of the risks posed by the People’s Republic of China, Russia, North Korea, Iran, as well as groups like violent extremist organizations and transnational criminal organizations.  The Strategy Summary then goes on to describe four lines of effort that are part of DoD’s strategy: (1) protecting the U.S. homeland, including critical infrastructure; (2) integrating cyberspace operations in warfighting; (3) combining DoD’s efforts with Allies and partners; and (4) building toward ongoing and enduring advantages in cyberspace. 

     One aspect of DoD’s efforts to protect the U.S. homeland is safeguarding the U.S. defense industrial base (DIB) from malicious cyber attack.  The Strategy Summary highlights a key component of DIB protection - namely, aligning defense government contractor incentives with DoD’s cybersecurity requirements through continued implementation of the Cybersecurity Maturity Model Certification (CMMC) program, which makes certain defense contract awards contingent on certified compliance with cybersecurity standards.

     So DoD's Strategy Summary punctuates its continued commitment to CMMC implementation.  Indeed, that implementation took a big step forward recently in late July, when DoD submitted its draft rule to OMB’s Office of Information and Regulatory Affairs (OIRA) containing it’s proposed CMMC regulations. 

     DoD's submission to OIRA is significant for at least two reasons.  First, it indicates that, after several fits and starts and delays since CMMC was first unveiled in the summer of 2019, DoD has made important decisions about how the CMMC program will be implemented.  Second, it also means that DoD's regulations implementing the CMMC program should be coming out soon, since the next step after OIRA’s review will be publication of DoD’s proposed regulations in the Federal Register as either a proposed rule or as an interim rule.  OIRA has 90 days to review draft regulations, which means that the interim or proposed rule with DoD’s CMMC regulations should be issued by the end of October 2023.

     Earlier this year, in March 2023, we published a GovCon Bulletin™ article discussing some things DoD contractors could do to determine  their compliance with cybersecurity requirements under the NIST SP 800-171 safeguards.  As we reviewed in an earlier GovCon Video Blog™ briefly outlining DoD's transition from CMMC 1.0 to CMMC 2.0, those NIST SP 800-171 safeguards comprise a significant portion of the certification requirements that DoD contractors are expected to comply with if they wish to attain certification above the most basic level.  Government contractors that work under DoD contracts or that anticipate performing under DoD contracts in the future should continue to prepare themselves for the CMMC certification requirements, and the Amadeo Law Firm anticipates putting out additional information shortly on what steps government contractors can be taking in the near term.