The Pentagon announced in November a new “strategic direction” for its Cyber Maturity Model Certification, calling it CMMC 2.0 and essentially admitting the first iteration was overly complex and costly. The new version better aligns to existing federal standards and requirements but falls well short of being the “bold change” President Biden called for in his much-touted May cybersecurity executive order.
Prior to the creation of CMMC, federal acquisition regulations required all defense contractors that interacted with controlled unclassified information (CUI) to implement the basic cyber hygiene safeguards listed in the National Institute of Standards and Technology guidelines, NIST Special Publication (SP) 800-171. Companies would then conduct self-assessments of their compliance. Predictably, not all companies assessed themselves equally or honestly, or addressed the issues they self-identified.
In November 2020, after nearly two years of development, the Defense Department introduced the original CMMC. Its most significant change was a new requirement that a third-party conduct the assessment for all organizations seeking contracts, including universities applying for grants. The Association of American Universities and others associations warned the “potentially burdensome and harmful requirements” of CMMC would “have a chilling effect” on fundamental research. CMMC had no flexibility and required all organizations, regardless of size, to meet all requirements. Thus, CMMC’s mandates on companies to pay third-party assessors and to implement potentially unnecessary security controls created significant expenses for small and medium-sized businesses. Meanwhile, in the race to roll out CMMC, DoD apparently disregarded industry concerns about the lack of clarity regarding its implementation.
DoD launched a CMMC review in March in part to “reinforce trust and confidence in the maturing CMMC assessment ecosystem,” Jesse Salazar, deputy assistant secretary of defense for industrial policy explained. After two years of scandals focusing more on profit and power than advancing the cybersecurity posture of the defense industrial base, this is a welcome goal.
To fix the ecosystem, CMMC 2.0 reduces the security certification tiers from five to three and removes the third-party assessment requirement for level one and part of level two, allowing contractors to return to self-attestation. For the other part of level two (advanced), CMMC 2.0 requires a third-party assessment, meaning the new industry of CMMC assessors still have jobs, just a smaller market. Level three certification requires government assessors, which are already in short supply and high demand.
In addition to giving industry the flexibility it will need to meet requirements and establish an effective foundation of cybersecurity, CMMC 2.0 removes extra requirements that went beyond those included in NIST SP 800-171. David McKeown, DoD’s deputy chief information officer, explained in a town hall on November 9 that the Pentagon will “not invent a whole bunch of extra controls on our own. If additional controls are needed, we are going to work with NIST to get those added in.” Hopefully, the new leadership and direction will also leverage industry expertise and recommendations to improve CMMC 2.0’s efficacy.
To establish baseline cyber hygiene practices that protect all CUI and not just that relevant to the Defense Department, the Biden administration should consider government-wide implementation of CMMC rather than the development by each department and agency of its own separate model. At the same time, the administration should be honest about the limitations of CMMC to solve the cybersecurity crisis that the government and private sector face.
DoD has touted CMMC as a solution to supply chain risk management. It is not. The cybersecurity safeguards in NIST SP 800-171 are basic cyber hygiene practices. Separate NIST guidelines, NIST SP 800-161, identify supply chain controls, and CMMC makes no reference to them.
Days after the Pentagon’s CMMC 2.0 announcement, CNN reported that hackers breached companies across the defense industrial base by exploiting vulnerabilities that bypassed the authentication process. Which controls in NIST SP 800-171 would have stopped this? None. How would CMMC 1.0 or CMMC 2.0 have protected organizations from a SolarWinds-type attack? They would not have. SolarWinds provided a commercial, off-the-shelf product not subject to CMMC.
President Biden’s May executive order states, “Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments to defend the vital institutions that underpin the American way of life.”
Unfortunately, CMMC 2.0 is just such an incremental improvement.
If the Biden administration wants to make bold changes, its priority must be securing the supply chain, not just policing companies’ basic cyber hygiene practices. In a recent conversation, John Weiler of the IT Acquisition Advisory Council, a founding member of the AB, said that to make CMMC 2.0 effective, the Pentagon needs a “very robust supply chain risk management public and private partnership to rapidly assess the technologies and architectures that government and industry rely upon.”
One way to achieve this would be to require software vendors to provide a software bill of materials (SBOM), a list of nested software components designed to enable supply chain transparency. The government should also create a single, central capability that continuously monitors SBOMs. Analyzing SBOMs can reveal otherwise hidden dependencies of components built by foreign nationals of adversarial countries and other leading indicators of risk. With this knowledge, the government and industry partners can take appropriate risk mitigations.
CMMC 2.0 may fix some of the flaws of its predecessor, but the hard work to strengthen cybersecurity still lies ahead.
Dr. Georgianna Shea is the chief technologist of the Transformative Cyber Innovation Lab and Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD) and previously served as a subject matter expert and consultant to the Office of the Secretary of Defense on cyber resiliency. FDD is a Washington, DC-based, nonpartisan