The Defense Department has been talking about the Cybersecurity Maturity Model Certification (CMMC) standards for more than three years.
And while the final version 2.0 standards aren’t going to be ready until next summer, the impact of just talking about improving cybersecurity among contractors is real.
Stacy Bostjanick, the chief of implementation and policy and deputy CIO for cybersecurity for the Defense Department, said contractors are definitely more accepting of the need to protect their data. But, she quickly admitted, they may not have fully embraced CMMC.
“The 7012 [Defense acquisition regulations] clause started that in earnest in 2013. We got a ton of pushback and finally got it into a rule in 2017. And then after that, we had a few incidents like SolarWinds, the Colonial pipeline, and now people are like, ‘Oh, yeah, maybe people are coming after me. Oh, maybe it is an issue,’” Bostjanick said at the recent AFCEA NOVA Small Business IT Day.
Dr. Kelly Fletcher, the principal deputy chief information officer for the Defense Department, said the current approach, based on self-attestation, creates a potentially uneven playing field between contractors who choose to take the right steps to secure their data and those that just say they do.
“We know we have totally divergent compliance. If you’re complying now with what is in your contract, you’re competing against folks that aren’t, and I think CMMC is trying to get after that,” Fletcher said. “I don’t think CMMC is perfect. I think any solution we come up with isn’t going to be perfect. But it is our first attempt to get after that.”
25% of DIB met cyber requirements
While the problem may not be new, the data collected by the Defense Contract Management Agency (DCMA) shows just how troubling it is.
John Ellis, the technical directorate’s software division director at DCMA, said out of 300 assessments the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) did over the last few years, only 25% of the companies were compliant with the 110 requirements in the National Institute of Standards and Technology’s Special Publication 800-171.
“If roughly 25% of companies were fully compliant when we assess them, now, if you extrapolate that across the DIB, that’s why we’re informing some of the decisions. So if what CMMC is going to do for us in the future that we can’t do today is what we do today is largely a post-assessment activity. There are holes in those mechanisms, things are not fully implemented,” Ellis said at the Coalition for Government Procurement spring conference in Falls Church, Virginia. “CMMC is going to let us address some of that stuff that does lead to stronger prevention of ransomware attacks because it’s going to require companies to become far more fully compliant. If 75% of your companies can’t meet the requirements and they’re required to meet all of those before they can be awarded a contract, what does that mean, in terms of who can compete for contracts? It doesn’t bode well.”
Ellis said the DIB’s shortcomings, based on the assessments, and the need to bring more companies up to par faster are why DCMA is launching the early adopter program for CMMC. The program is for defense companies to work with certified third-party assessment organizations (C3PAOs) before CMMC 2.0 is finalized. Ellis said DCMA auditors would look over the C3PAO’s shoulder and offer feedback and insights, but this would not be an official DIBCAC review.
“We started the planning for the early adopter program a couple of months ago, but we haven’t started the assessments yet. I expect us to start them later this summer,” Ellis said. “The assessments are on site, but also include a lot of coordination ahead of time with the company, the C3PAO and our folks. It’s a 45-60 day process that happens at the company’s site.”
Ellis said the C3PAO and the DCMA auditors will conduct a medium or high confidence assessment, which is more like a document review, where they, with the company, go through the system security plan to ensure that they’ve documented their requirements in a way that articulates that they understand the requirements.
The early adopter program is part of several ongoing initiatives DoD is pursuing to get a head start on CMMC. Bostjanick said earlier this year that DoD will do a series of tabletop exercises to test out the cyber standards.
Bostjanick said the early adopter program benefits the C3PAOs, DCMA and the DIB because all will get experience with CMMC standards.
“You will be given a DIBCAC high assessment in supplier performance risk system (SPRS), and our intent, which means our hope because lawyers told me we can’t promise anything because rulemaking is that, when CMMC becomes a thing, either as an interim thing next May or a final thing the following May, that companies’ certifications will still be good for an additional three years,” she said. “One of the things that you’re going to see in CMMC 2.0 is each company has a requirement to do an annual affirmation. Which states ‘Yep, I’m still good. I’m still in compliance. Nothing has changed. Nothing has caused me to go out of compliance. I affirm I still meet the requirements.’”
Ellis said there are about 20,000 companies in SPRS today and if, based on the DCMA review of about 300 companies, approximately 75% are not in compliance with the 110 controls detailed in NIST 800-171 today, there is a lot of work that still needs to be done.
“The data in SPRS says the opposite. We see an awful lot of scores that are very, very, very high, and we’re a little concerned about that for a couple of reasons,” Ellis said. “One, we’re concerned about companies not really doing the things that they said they were going to do. And two, it gives a false sense of security both to the companies and to the government in the procuring activities that are relying upon that information.”
DoD is facing similar questions about its own systems’ compliance. In late May, the Government Accountability Office highlighted the Pentagon’s struggles in meeting the same NIST 800-171 standards for internal systems.
Ellis said DCMA started reviewing about 300 contractors’ compliance with the NIST standards in 2019, and the hope is that those companies that were among the first would be part of the early adopter program.
He said the NIST reviews alone have improved vendor cybersecurity.
“We had one company that was in the negative 200 range and now they are in the mid-two digit range, meaning they have improved remarkably over the last few years,” he said. “It’s really important that folks understand, this is not meant as a threat. We’re looking at it to derive knowledge and insight. We’re going to anonymize the results, unless we were to stumble into something that’s fraudulent and then that’s a whole another can of worms, by the way. But what we will do is share that information of what we learned with the companies that we’ve assessed so that people can see the goodness of the information that’s actually in the system. It should inform both government folks and quite honestly, it should inform the DIB. You don’t ever want to be in a position where you think you’re much better than you are, and then either the DIBCAC shows up or a C3PAO assessment is conducted, and you find that you’ve missed the mark, significantly. That’s not good for you as a company. And it’s certainly not good for us to rely upon somebody that doesn’t have that understanding.”
To prepare for the influx of work coming from CMMC, the DIBCAC is staffing up. DCMA plans to grow its staff in the DIBCAC to about 150 employees from 50 a few years ago.