PSC Comments on Cybersecurity Requirements

Arlington, Va. (Dec. 8, 2020) The Professional Services Council (PSC) raised concerns in its November 30, 2020, letter to the Department of Defense (DoD) on the interim final rule titled Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041). The rule implements two related elements of DoD’s cybersecurity requirements: (1) the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800–171 DoD Assessment Methodology and (2) the Cybersecurity Maturity Model Certification (“CMMC”) Framework. 

“PSC has long supported DoD’s goal of a comprehensive cybersecurity standard based on best practices,” said David Berteau, PSC President and CEO. “This interim final rule is a significant step in supporting this goal. However, there are many challenges in implementing both the NIST SP 800–171 DoD Assessment Methodology and the CMMC Framework.” 

PSC’s comments raise concerns that self-scoring for compliance with NIST SP 800–17 could lead to companies scoring themselves differently even if they have the same capabilities and security practices. Such differences could reduce competition, cause confusion in evaluation and awards, increase risk, and create delays in government procurement. 

In addition, PSC raised concerns about how CMMC governance, training, and accreditation processes can scale and be updated rapidly enough to meet DoD needs and respond to increasing threats. Until the vast majority of contractors and subcontractors have the necessary CMMC certifications, individual DoD programs and contract solicitations may face delays in award, be forced to limit competition only to companies already certified, or accept cyber risks.   

Finally, cybersecurity vulnerabilities affect all government programs. “The country faces pervasive, sophisticated cybersecurity threats, and actions to date have clearly been insufficient.  More is needed to protect our infrastructure, information, and supply chains,” said Berteau. “Cybersecurity should be a priority for all federal government agencies, not just DoD. PSC will continue to support government-wide cybersecurity requirements for contractors and for government systems as well.” 

Click here for a PDF of this release.