Let’s set the record straight: The Cybersecurity Maturity Model Certification, or CMMC, accreditation body is not part of the Defense Department.
Of all the misconceptions out there about CMMC, Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield, said that is the one he hears the most.
So 18 months into the CMMC development and roll out, Golden said industry and agencies still need to grasp why this initiative matters so much.
“We’re losing a lot of intellectual property as a country to our adversaries through gaps in cybersecurity practices and maturity throughout the supply chain. And right now, that’s focused on DoD supply chain, but it will very quickly go out,” Golden said in an interview. “If you look at the Air Force, Navy, Marine Corps F-35 aircraft, and then you look at the Chinese J-31 aircraft, and you wonder why those airplanes look exactly the same? You wonder how that happened. That’s the problem we’re trying to fix.”
Golden said the idea behind CMMC, and supply chain security more broadly, is changing one company’s culture at a time.
“As each company does their assessment, they’re going to get a little bit better. And hopefully, the next time they have their next assessment, they’re going to be a little bit better,” he said. “We’re just going to slowly change the culture, where companies are going to start looking at cyber the way they look at human resources. Most people that start a company are not experts on local, federal and state labor laws. So what do they do? They hire an expert to help set up a HR office to handle all that stuff for them to do everything right to keep them out of jail. Cyber has got to be seen as the same thing. It’s just part of doing business in the modern global enterprise. What we’re trying to do is we’re trying to get the point where people don’t forget about it or whitewash it or whatever the case is, but actually take it seriously as a part of doing business.”
That culture change has to happen with just more than defense industrial base companies. This is why the Department of Homeland Security and the General Services Administration are starting to consider how they can use CMMC.
Whole of government approach is coming
Golden said he believes CMMC will certainly go outside the DoD framework, but when and how remains to be determined.
“They understand that they’re losing data, that they’re losing capability through cyber breaches in their supply chain, just like DoD is, and they need to do something about it,” he said. “I think you’ll see some kind of coordination step between the major entities in government, sort of whole of government approach, but as to when or how or who, I have no insights into that.”
Golden and others will offer more insights into CMMC and how vendors can be prepared on at a Feb. 10 webinar sponsored by the Washington Cyber Roundtable.
Theresa Payton, the CEO of Fortalice Solutions and a former White House chief information officer, said the recent SolarWinds attack has made agencies and businesses more aware of the need to protect the supply chain.
“The reality is 100% cyber compliance is the only option if you want to continue working on DoD contracts,” Payton said in an email to Federal News Network. “The ramp up time could be significant, so start planning and budgeting for remediation now so you can be considered a viable DoD contractor in the not-so-distant future. Otherwise, you may lose out. I predict many government contractors will lose big opportunities because they just aren’t prepared.”
That preparation for CMMC should be happening now and ongoing. This means vendors should review their initial self-assessments required if they are storing or working with controlled unclassified information (CUI) outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171.
‘Cheap, quick and easy, or not’
Golden said if vendors have actually been meeting the requirements under 800-171, then getting to CMMC Level 3 shouldn’t be a big lift.
“If you have been attesting that you are compliant with NIST SP 800-171, and you actually are not, it’s a very large gulf that you are about to jump over,” he said. “We’re going to see those that have been taking it seriously and are generally in compliance with the regulations and clauses in their contract, and those that have not.”
Vendors consistently ask the CMMC-AB about the timing and the cost. Golden said the journey to be CMMC certified can either be “cheap, easy and quick, or not,” so that’s why getting started on the 800-171 requirements as soon as possible is so important.
DoD is getting closer to move into initial operating capability with CMMC—launching anywhere from 7 to 15 pilots in fiscal 2021. The third-party assessment organizations, the individual assessors and the other pieces and parts that will make the CMMC initiative complete are moving forward to help get the program ready.
Golden said he’s paying close attention to the pilots, particularly on how vendors achieve the appropriate levels.
“I think a number of the primes are going to have to be completed first and that to me is a big flag that will tell us whether we’re going in the right direction or not,” he said. “We’ll make up a company called Lockheed Martin, right. If Lockheed Martin can get a couple of they’re enclaves done, probably not the enterprise, it’s probably going be too big for initial stages, but they get through two or three of their programs that they’re betting on and do it successfully, or any of the large primes, then I think that will be a success. We will get to see generally how the process is going to work.”
Golden added these early victories will help DoD and the CMMC-AB improve the certification process, the assessor training and other parts of the initiative to ensure the program is valuable in both the short and long term.