On the heels of the official launch of the Defense Department’s cybersecurity maturity model certification effort, six industry associations are warning that the without more clarity, the initiative could falter.
The Alliance for Digital Innovation, BSA: The Software Alliance, the Cybersecurity Coalition, the Information Technology Industry Council (ITI), the Internet Association and the Computing Technology Industry Association (CompTIA) wrote a letter to Ellen Lord, the undersecretary of Defense for acquisition and sustainment, and Katie Arrington, the chief information security officer in the Office of the Undersecretary for Acquisition and Sustainment, outlining a series of recommendations for how to improve the CMMC program before it truly gets going.
“We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs. These challenges could lead to the Defense Industrial Base (DIB) being even less secure, if left unaddressed,” the letter states. “We strongly support efforts to improve DIB cybersecurity and appreciate the department’s openness in meeting with and accepting input from industry about the CMMC during the autumn of 2019. We pledge to continue this partnership, as it is imperative that industry stakeholders and government continue to work together to ensure that the CMMC meets its overall objectives.”
MOU is signed
The letter comes as DoD and the CMMC Accreditation Board signed their memorandum of understanding—according to a post on LinkedIn by Arrington—as of March 25 to officially kick-off the program, including the training for third-party assessors and the release of the necessary documents to help vendors prepare to meet the standards.
The board announced it was trying to make more information available about the MOU, which was the final piece to begin the six-month push to put CMMC standards in procurements. DoD released version 1 of the standards at the end of January, and since then industry has been waiting for the next step.
Pentagon spokesman Lt. Col. Mike Andrews wouldn’t confirm the MOU has been signed, despite Arrington’s post on LinkedIn.
“CMMC remains a priority for the department, and Ms. Katie Arrington continues to work closely with the accreditation body and industry. We don’t have anything to announce today on the MOU. We don’t anticipate any impacts to the CMMC timeline due to COVID-19, but with the social distancing guidelines we are postponing any public events,” Andrews said in an email.
But even with the MOU and more than a year of working with industry, the six associations, which represent many of the largest technology companies, say too many unknowns still remain and time is short if DoD still plans to pilot CMMC with 10 procurements this fall.
Gordon Bitko, the senior vice president of policy for public sector at the Information Technology Industry Council (ITI), one of the industry associations which signed the letter, and the former FBI CIO, said many of their concerns are not new and the Pentagon recognizes many of the missing pieces the letter outlines.
“Some of those things have significant implications for many of the companies in the technology industry who are trying to juggle a lot of balls, including FedRAMP and other requirements,” Bitko said in an interview. “Where we are is DoD understands what we are asking and agrees that they need to come around to answer them. But as we get closer and closer to date, industry is still looking for answers.”
Bitko said many of the concerns can be resolved in the short term. But just as worrisome is if DoD goes too far down the path with CMMC without solving them, the fix can be more painful than getting it right the first time around.
The associations outlined their concerns across four main areas:
Scope, applicability and implementation timeline
Certification and recertification
Streamlining federal cybersecurity requirements
Ensure no new risks are created
Bitko said one of the big areas the associations would like to see DoD address in the short term is around reciprocity with other certifications like FedRAMP or ISO standards.
“While CMMC covers a broader range of products and services, those companies that have FedRAMP and security requirements guide (SRG) authorizations already surpass the vast majority if not all of the CMMC’s control requirements, certainly at CMMC Levels 1-3, since FedRAMP requires continuous monitoring and improvement,” the letter states. “If DoD believes that there are shortcomings in the FedRAMP or SRG requirements, it should work to address those with other federal government stakeholders.”
Bitko added if DoD’s goal is to mitigate and manage supply chain and data leak risks, then the how should be less important than the final outcome.
“It’s important for DoD to recognize all the investment that has gone into the different ways certifications, and that is one of our concerns and challenges,” he said. “It’s understandable as to why DoD doesn’t want to take some of these old models that allowed for deviations. But having a rigid approach is inherently harder to adopt and keep up with given the changing threats in the cyber world.”
Flow down to subcontractors
The associations ask DoD and the Accreditation Board to develop a reference architecture and certification process to ensure FedRAMP services do not have to be reaccredited, and account for anticipated and emerging cybersecurity requirements, such as internet of things and new cryptographic standards, by defining objectives rather than specific standards.
“Rigid conformance to those controls may actually introduce new risks to the controls in place for high security and high availability or operational technology systems and environments (life/safety systems, military weapon systems, SCADA systems, etc.),” the letter states. “We encourage DoD to work with providers of these systems, including cloud service providers and system integrators of large scale mission systems that operate at hyperscale, to develop and apply appropriate methods for verifying and certifying alternate controls and their implementation.”
Other areas of concern include flow down requirements for subcontractors, consistency in contract provisions and the challenges of a complex environment many large companies work within, such as how CMMC applies to a corporate security operations center.
Bitko said the associations and companies have tried to talk to DoD over the last year or so about their concerns, but time is short now.
“I think DoD has been focused on hitting certain timelines so this letter is trying to convey a sense of urgency and recommendations for how to adapt the process as we go forward,” he said. “The problem is they may be relearning lessons of other cyber standards where one size doesn’t fit all. It’s a common message that NIST, the intelligence community and others have learned over the years.”
Bitko said the associations are fully onboard with the goals of CMMC, but want to help DoD fix the challenges they see up front rather than after the initiative rolls out.
“CMMC is moving forward and we want to work with them to make sure it’s effective. We want to make sure it delivers the value to be successful without it being some huge and burdensome process,” he said. “The government as a whole has invested a lot in our member companies to build out secure solutions. We are far from perfect, but it’s a hugely significant investment of time and resources over the years and we want them to leverage that. We don’t want to reinvent the wheel, but apply what these companies have learned to the DoD problem. It would be too bad if we weren’t able to take advantage of that.”