Robert Metzger, head of the Washington D.C. office at law firm Rogers Joseph O’Donnell, shared his insights on a new Department of Defense guidance for determining certification levels and administering waiver authority under the Cybersecurity Maturity Model Certification program.
In a LinkedIn post published in mid-February, Metzger said the DOD guidance serves as an “early alert” to program managers and requiring activities regarding what they need to do when Part 48 CMMC contractual rules take effect.
For the cybersecurity thought leader, the document indicates that non-Federal Acquisition Regulation-based legal agreements are subject to “appropriate CMMC level” requirements.
“I agree. Innovators are especially vulnerable; their valuable work, for DoD, must be protected,” he added.
CMMC Level 2
For CMMC Level 2, self-assessment is allowed for categories of controlled unclassified information, or CUI, that are “outside” of the National Archives and Records Administration’s CUI Registry Defense Organizational Index Grouping.
According to Metzger, CMMC Level 2 certification assessment is required for DOD Critical Infrastructure Security Information, Controlled Technical Information, Naval Nuclear Propulsion Information and other CUI under NARA’s Defense Organizational Index Grouping.
Waiver Requests
Metzger also shared his views on CMMC waiver requests, which must be coordinated through the component chief information officer prior to approval by the Component Acquisition Executive or Service Acquisition Executive.
The DOD memo also stated that such waivers may be requested and cleared for an “individual procurement or a class of procurements.”
“Waivers do not affect the underlying security requirements but impact only whether assessment requirements must be included in solicitation documents. Having this flexibility, IMO, is indispensable if DoD is to avoid excess rigidity causing CMMC to injure capabilities and missions of requiring activities and warfighters,” the national security specialist stated.
Metzger concluded that the new DOD guidance “reduces risks of dysfunctional outcomes without making waivers too easy for anyone to seek and get.”
