|PSC Comments on Cybersecurity Requirements
Arlington, Va. (Dec. 8, 2020)
The Professional Services Council (PSC) raised concerns in its November 30, 2020, letter
to the Department of Defense (DoD) on the interim final rule titled Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041). The rule implements two related elements of DoD’s cybersecurity requirements: (1) the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800–171 DoD Assessment Methodology and (2) the Cybersecurity Maturity Model Certification (“CMMC”) Framework.
“PSC has long supported DoD’s goal of a comprehensive cybersecurity standard based on best practices,” said David Berteau, PSC President and CEO. “This interim final rule is a significant step in supporting this goal. However, there are many challenges in implementing both the NIST SP 800–171 DoD Assessment Methodology and the CMMC Framework.”
PSC’s comments raise concerns that self-scoring for compliance with NIST SP 800–17 could lead to companies scoring themselves differently even if they have the same capabilities and security practices. Such differences could reduce competition, cause confusion in evaluation and awards, increase risk, and create delays in government procurement.
In addition, PSC raised concerns about how CMMC governance, training, and accreditation processes can scale and be updated rapidly enough to meet DoD needs and respond to increasing threats. Until the vast majority of contractors and subcontractors have the necessary CMMC certifications, individual DoD programs and contract solicitations may face delays in award, be forced to limit competition only to companies already certified, or accept cyber risks.
Finally, cybersecurity vulnerabilities affect all government programs. “The country faces pervasive, sophisticated cybersecurity threats, and actions to date have clearly been insufficient. More is needed to protect our infrastructure, information, and supply chains,” said Berteau. “Cybersecurity should be a priority for all federal government agencies, not just DoD. PSC will continue to support government-wide cybersecurity requirements for contractors and for government systems as well.”
Click here for a PDF of this release.
Director, Media Relations
PSC is the voice of the government technology and professional services industry. PSC’s more than 400 member companies represent small, medium and large businesses that provide federal agencies with services of all kinds, including information technology, engineering, logistics, facilities management, operations and maintenance, consulting, international development, scientific, social, environmental services, and more. Together, the trade association’s members employ hundreds of thousands of Americans in all 50 states. Follow PSC on Twitter @PSCSpeaks
. To learn more, visit www.pscouncil.org