FOR IMMEDIATE RELEASE 

Tomeka B. Scales, Ph.D.
Director, Media Engagement & Communications
703.875.8974
media@pscouncil.org


The Professional Services Council Supports the Need and Raises Concerns in Comments on Proposed DoD Cybersecurity Contract Regulation


Arlington, Va. (October 17, 2024) -- The Professional Services Council (PSC) raised key concerns in comments submitted Tuesday to the U.S. Department of Defense (DoD) regarding the CMMC 2.0 proposed rule on "Assessing Contractor Implementation of Cybersecurity Requirements" (DFARS Case 2019-D041). Published in the Federal Register on August 15, 2024, the rule aims to incorporate new cybersecurity requirements into DoD contracts, beginning at some point in 2025. When finalized, this assessment-related regulation would support implementation of a separate final rule, also issued Tuesday, that sets standards for CMMC 2.0, DoD’s Cybersecurity Maturity Model Certification program.

“Cyber threats continue to escalate in both sophistication and frequency, and PSC recognizes the need for enhanced cybersecurity practices for government contractors as well as for the broader national and global economy,” said David J. Berteau, PSC president and CEO. “PSC’s feedback includes additional comments and recommendations for a comprehensive, executable CMMC 2.0 program that meets the cybersecurity needs of DoD while ensuring contractors can fulfill their roles effectively and affordably.”

Key Concerns Highlighted in PSC's Comments:

1. Implementation Clarity: PSC seeks clearer guidelines on how contracting officers will determine CMMC requirements for hundreds of thousands of DoD contracts each year.
2. Operational Data Security: PSC urges DoD to expand the focus of CMMC to safeguard operational as well as technical data, particularly for deployed forces.
3. Capacity of Assessment Organizations: PSC questions whether the existing structure can certify enough contractors to meet DoD’s three-year phased implementation schedule. 
4. Limiting CMMC Level 3 Requirements: PSC asks how DoD will limit Level 3 certification requirements to only those contracts for which they are absolutely necessary.


“PSC acknowledges the dedicated effort that DoD has put into CMMC 2.0, including this proposed rule and the final rule on CFR Part 32,” Berteau added. “However, numerous CMMC implementation challenges remain, and we welcome the opportunity to collaborate further with the Department, both within and outside of the rulemaking process. For example, how can compliance be more affordable for small companies? How can contract requirements ‘flex’ to address unanticipated changes in the cybersecurity threat environment during contract execution (including for subcontractors for which advance certification was not anticipated but which may become urgently needed)? How can the federal government most effectively adopt cybersecurity standards across federal contracts, not just those at DoD? PSC looks forward to working with DoD and the administration on addressing these and other pressing cyber issues.”

For more information, please refer to the complete submission at pscouncil.org/CMMC_101524



###

About PSC
PSC is the leading trade association and voice of the government contracting industry, with more than 400 small, medium, and large member companies supporting federal agency missions and functions.
Learn more at www.pscouncil.org.