The future of CMMC is here

It has been more than two years since the Defense Department first rolled out the Cybersecurity Maturity Model Certification. The basic premise of CMMC is that all contractors and subcontractors in DoD’s supply chain, with the exception of commercial off-the-shelf product providers, would have to obtain a third-party certification of their cybersecurity proficiency before performing an awarded contract.

From the time of the rollout, a lot of significant work has been accomplished by DoD and its industry partners: a detailed cybersecurity hygiene model was rolled out, the accreditation body (AB) was established, training was created, and seven contracts were identified as the first DoD contracts that would require CMMC. Further, numerous providers have undertaken the time and expense to become a registered provider or certified assessor in the AB ecosystem. Contractors have also spent significant funds to review their systems against the CMMC model to prepare for certification.

The establishment of CMMC was for good reason: Cybersecurity threats are increasing and growing more sophisticated, and DoD has compelling evidence that contractor compliance with existing cybersecurity self-certifications is deficient. The specter of CMMC as a future requirement in all DoD contracts, coupled with near-term requirements for Supplier Performance Risk System (SPRS) score reporting, has gotten the attention of many Defense industrial base (DIB) members. They are taking a hard look at their cybersecurity posture, and are finding, in large numbers, that they are deficient. This means that they were not sufficiently motivated by the pre-CMMC regulations.

Because of CMMC, these companies are taking action and are undertaking security remediation projects, IT transformation projects and cloud migrations. They are implementing security technology and services to address holes in their cybersecurity defenses. These companies were spurred into action by CMMC, and the security improvements they are undertaking are addressing longstanding risks that were otherwise being ignored.

In April, Federal News Network reported that DoD was undertaking a review of the CMMC program. A review is welcome because as much as DoD has accomplished, there is still room for improvement:

  • The cost of obtaining a CMMC certification can be especially burdensome for small businesses. DoD should explore opportunities for grants to help small businesses pay for the certification assessment and perhaps other CMMC-related costs. This would help preserve the DIB. Small business contractors who encounter CMMC before their competitors by virtue of a new contract opportunity would be at a competitive disadvantage because they would have to account for the cost of a CMMC certification in their general and administrative (G&A) or overhead cost pools where their competitors will not. Further, in the interim final rule, DoD stated that it expected that a business’ cost to support and obtain a Level 3 certification is $51,095.60. This does not account for the cost to come into compliance with the model and outside vendors (such as cybersecurity consultants and attorneys) or the time leadership will take in ensuring an assessment goes smoothly.
  • DoD should clarify how other certification requirements, such as the Federal Risk and Authorization Management Program (FedRAMP), would build into CMMC, so contractors do not have to prove out aspects of a system twice. Similarly, DoD should explore a re-use protocol so common shared services that can demonstrate compliance with CMMC do not need to be re-assessed for every contractor that consumes those services. Inheritance, re-use and reciprocity are key elements of allowing CMMC to scale to the entire DIB in a reasonable time at reasonable cost. For example, FedRAMP provides clear guidance on inheritance from previously authorized cloud providers as well as re-use between agencies which could be used as a model for similar concepts within the CMMC framework.
  • DoD should provide certainty about how CMMC levels will be assigned to contracts and create a mechanism whereby contractors can appeal when there is a disagreement over the assigned level. Short of that, contractors will file pre-award protests which will halt the award of contracts. Further, there should be an efficient process to resolve disagreements over whether an assessment was properly conducted.
  • Although there are good reasons for the “no open Plan of Actions & Milestones (POAM)” stance adopted in the CMMC standard, contractors that make significant progress toward compliance should be incentivized rather than penalized for not achieving perfection. DoD should adopt a risk-based approach whereby less-than-perfect compliance may be acceptable in cases where the contractor can demonstrate that they have made reasonable trade-offs between security, cost and compliance. There are many instances where strict compliance is not an effective use of taxpayer dollars. For example, contractors that have already deployed demonstrably strong encryption might incur a very large cost to re-build their systems with NIST FIPS 140-2 validated encryption and yet only see a very slight, if any, reduction in risk. Those dollars might be better directed if CMMC offered a path for evaluating (and accepting) the risk-cost trade-off.

Even so, the DoD’s internal review has lasted more than four months, and many contractors are waiting on the sidelines to commit to the CMMC program until the review is complete, to ensure that they are not needlessly investing in an ecosystem. To be clear, while contractors we speak with have prioritized instituting robust cybersecurity controls, there are a number of different paths to accomplish robust cybersecurity hygiene. Many contractors will not buy into the CMMC path until they can be confident that DoD will continue to support that path.

What we have seen validates the basic premise behind the necessity of CMMC: Implementation of current Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements, such as DFARS 252.204-7012, which requires compliance with NIST Special Publication 800-171 (among other things), has been largely incomplete and inconsistent. After meeting with hundreds of companies about CMMC, Ed did not find a single company outside the ranks of the “majors” that was “good to go” in terms of cyber before CMMC. Perhaps DoD would be able to release some aggregate statistics on early SPRS score reporting to back this up. And of those who have submitted 110 scores, it’s likely few would have achieved that same perfect score if spot checked prior to CMMC being announced.

There is great interest in CMMC outside the DoD. Other agencies have expressed interest. The recent executive order on cybersecurity emphasizes common cyber standards across agencies. Insurance companies are vetting cybersecurity posture to support underwriting decisions and will likely welcome a recognized standard for cyber hygiene.

All of this leads to the inevitable conclusion that CMMC is here to stay and once some simple changes are made, the time for implementation is now.

Eric S. Crusius is a partner with Holland & Knight government contracts group. Among other things, he regularly counsels contractors regarding cybersecurity compliance issues and helps clients work through breach notification requirements.

Ed Bassett is the chief information security officer at NeoSystems, a cybersecurity managed services provider. He has been building and delivering managed security services for 20+ years and consults on cybersecurity operations strategy to government and commercial organizations.
