The Defense Department’s Cybersecurity Maturity Model Certification program, CMMC, has barely gotten off the ground. But it must be here to stay because some groups are already looking to reform it. Case in point: the congressionally chartered IT Acquisition Advisory Council has partnered with the CMMC accreditation body to establish a Center of Excellence. Federal Drive with Tom Temin got more from attorney and CMMC expert Robert Metzger.
Tom Temin: What is going on with CMMC? There was kind of a review and a pause a little bit when the Biden administration came in. What are we seeing now?
Insight by ProPricer: During this webinar James Woolsey, the president of the Defense Acquisition University, Frank Kelley, the vice president of the Defense Acquisition University and Michelle Currier, the professor of contract management at the Defense Acquisition University, will discuss the future of DoD contracting, pricing and acquisition. In addition, Michael Weaver, the professor of contract management at ProPricer will provide an industry perspective.
Robert Metzger: There’s a significant review underway a couple of months ago, we knew that there was an initial 30 Day Review. And that’s been followed by a high level review, which I understand involves senior officials across the department, including perhaps some folks from combatant commands, they’re taking a look not only at issues that are relevant to producing a final rule and regulation plus CMMC. But also at some of the, let’s call them structural or architectural issues, there’s been a couple of areas of concern that have surfaced in congressional hearings. And otherwise, there’s a lot of interest in seeing how the program can be made more plausible, or small business. There’s also concerned about the clarity of the regulations and the oversight process. And then there’s an interest in improving the public confidence in the integrity of this accreditation body that is responsible for training and for the approval of assessors.
Tom Temin: Right, so far, there have been just a handful of assessors that have come out to shoot so far.
Robert Metzger: Very true. Well, that raises another point. CMMC has always been ambitious, maybe too ambitious. The original thought was that you would train this large group of assessors and that over a period of say five years, you would go out and assess as many as 300,000 companies against two standards primarily. Level one standard, which concerns federal contract information, and then a level three standard which concerns defense information and controlled, unclassified information. Well, even if we took just the latter group of about 20,000, coming up with enough assessors to get that done is pretty daunting, and it’s going more slowly and had been hoped for. And what this suggests to me, Tom, first is that the program is going to take a slower rollout than had been said by some, that it’s going to stretch out over a longer period of time. And it would not surprise me if DoD were to make some changes that focus the program more on businesses who do work of higher importance, do more sensitivity to the Department of Defense.
Tom Temin: The cybersecurity situation itself seems to be deteriorating just nationally, given the number of attacks and the types of ransomware and all of these things that have been going on. So is there a sense of urgency do you sense on DoD’s part?
Robert Metzger: One of the things we’re learning is that regulations and complex oversight structures tend to be slow in movement and difficult to implement, unfortunately, threats of all much more rapidly. And we continue to suffer from penetrations that not only steal sensitive technical information, but increasingly we are seeing that companies in the defense industrial base and outside have their information systems denied or disrupted by ransomware attackers. In truth, since CMMC started, the threat picture has really only worsened, adversaries have become more diverse in their attacks. There’s also different objectives than we might have seen emphasized before. So you’re right, it’s more important that we protect not just the defense industrial base, but more commercial enterprises. And we’re finding that it’s hard to get it done. As a matter of regulation, assessment and review.
Tom Temin: We’re speaking with Robert Metzger, he’s a partner at the law firm Rogers, Joseph O’Donnell. And in many ways CMMC, not to overdraw the analogy, but it’s a little bit like FISMA. And it could devolve into a compliance and reporting exercise, but yet not necessarily real good cybersecurity on the parts of those companies.
Robert Metzger: While there, there’s always that tension between compliance which everyone feels they must do, and the achievement and sustainment of security. There’ll be a point in time after an assessment when you get a certification when the fact of the certification will attest to your satisfaction of the security requirements at that time. But a prudent company should not be looking only to check the boxes to comply even though that could be difficult because threats evolve and new vulnerabilities are exposed and exploited. A prudent company always has to be looking around the sea, the current environment, and improving its security to respond. That’s just as true for companies as it is for federal agencies and departments.
Tom Temin: So perhaps a more simple approach to this would be what the government itself would call outcomes based, for example, say you can do whatever you want, but if you exfiltrate our data or your data is taken in a cyber attack, there’s $100,000 fine, and the contract is cancelled. I’m just making that one up. But that’s a more direct approach than this apparatus, which is CMMC.
Robert Metzger: Well, what we found is that asking companies to implement security measures and relying upon their self attestation. That didn’t work. That’s why we came to the CMMC apparatus, as you call it. I did a program yesterday in a cloud security forum, where I stressed just the same point that you did with a little difference. I said, we’re not 100% sure of how the CMMC program is going to evolve. And if we really don’t have a way to know when assessors will be ready to come to our facility or organization, let’s focus right now on the outcomes. And the way I described it, Tom, was to say that company should be able to look at the information that it creates and possesses, which is most important, it should know which customers receive its products or its data, where the loss of confidentiality, but a loss of access to that data would have a greatest impact of that customer. And for companies who supply to the Department of Defense, many, not all, many should be able to know what parts of their data or which parts of their information services, if compromised, would do the greatest harm to the Department of Defense and its missions. What I said yesterday, and I’ll say it again here, is that if you know what’s most important and is most impactful to your customer, then you can take measures to isolate and protect that information, and to tighten the screws on and you know, create a better fence around that data. So if you have reduced the risk of any adverse outcome, and you have mitigated the significance or consequences of an adverse outcome, if that occurs, then I think you’ve done a good job. I think that’s a good start.
Tom Temin: And getting back to the CMMC program, specifically in the Pentagon, the lady that was in charge of it has left and we don’t know exactly what her circumstances are, Katie Arrington. So is the program paused? Are there new assessors being approved by the accreditation body? What is going on mechanically with this whole thing?
Robert Metzger: Well, the accreditation body is continuing to develop its training and assessment and accreditation program, they are making progress. They’ve got new leadership in the person of Matt Travis who came from DHS, he’s a very capable person, and they’re looking to increase their staffing. It’s a big task, I credit them for making steady progress, maybe not as fast as some would wish, but it’s still progress. DoD is doing this serious review of CMMC, and it’s got, let’s say, two problems. One is how to finalize the interim rule that became effective in November. Then the other is what bigger changes outside the rule itself are appropriate to make the program more effective, more practical, affordable. And that’s a lot to cover. And one of the complications is that certain positions of senior leadership in DoD, as you know, are not filled. We don’t have an Undersecretary of Defense for Acquisition and Sustainment. We don’t have an Assistant Secretary of Defense for Acquisition. And so this leadership void means that it’s difficult to figure out who should decide or can decide if there are plans to make some significant changes in the program.
Tom Temin: And to make an analogy, the Veterans Affairs Department put on pause for review its electronic health records program, that review was completed, and now they are proceeding under some different circumstances, but they’re proceeding with the basic program. Is your sense that after this pause and review of CMMC, that the Pentagon will in fact, resume the program?
Robert Metzger: A crucial question. Because the Pentagon has said a little over the last several months, because Ms. Arrington has been put on leave, the impetus behind the program has been reduced. And so there are some companies and analysts who are thinking that CMMC will go away. And there are some companies who are saying I don’t want to do anything because I’m not sure it’s going to happen. Or I don’t know how it’s going to happen or when it will happen to me. But my answer is that the reasons that led to CMMC, the threat, the successful breach, the theft of information, the injury to our national defense, all of those things, as you suggested earlier Tom, they are only worse today than a few years ago when this started. So my expectation is that CMMC will remain and that it will be pursued with vigilance by the Department of Defense. And I even think that some variation of CMMC is likely to extend to the civilian agencies. It will be different in many respects than what we are seeing today. It may be more flexible. It may not attempt to cover every company that conceivably could have any information that might be significant. It may be better targeted or more selective, but it’s important for the nation and certainly for the Department of Defense to better secure the industrial base, and I think that CMMC will proceed.