The latest DoD attempt at improving contractor cybersecurity runs into a buzz saw

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Industry has launched a pretty strong objection to the latest version of the cybersecurity maturity model certification program, known as CMMC. The Defense Department has been working and reworking CMMC for several years now. It’s an attempt to make sure contractors have the controls in place to safeguard controlled unclassified information. The coalition for government procurement has raised the latest objections. The Federal Drive with Tom Temin  gets more from coalition member and procurement attorney Rob Metzger.

Interview transcript:

Tom Temin: The CAP process: tell us what that is, the latest proposal, what are the contours of what it is that you’re objecting to here?

        Join us Apr. 25 at 1 p.m. EST for Federal News Network's StateRAMP Exchange where we'll explore how the StateRAMP program provides cyber assurances as state agencies continue their IT modernization journeys. | Register today!

Robert Metzger: The CAP is the CMMC assessment process. It’s a guide. And it’s been the product of the cyber AB which is the organization that oversees the training, and accreditation of people who are supposed to help with CMMC, including the C3PAOs, who are those certified assessors. while the CAP in theory is supposed to tell the assessors and those who are going to be assessed just what the process is going to be for preparation and then conduct the assessment. I tell my clients that they would want to know that process so that they’re not surprised when the assessor comes and asks for things different than they have reason to expect. The problem is that the draft CAP, which was released a little over a month ago Tom, came out as an extremely elaborate kind of a paint by numbers exercise. Too much detail, and too much of a prescriptive approach in my view, and that of many others. What I was hoping to see is flexibility. And I was hoping to see more deference to the expertise of the professional assessors who have to be trained and accredited to do this. And what we got was something that sort of made the burdens the ardor of having to endure and succeed with the CMMC process more difficult. And I thought that was against the grain.

Tom Temin: And I thought that the redo, the review of the program, and it was quite extensive when the Biden administration took over from the Trump administration. Didn’t they say at the time that one of the things they wanted to do was make it easier on small business, which is the bulk of organizations that will be affected by this?

Robert Metzger: That’s right. So I’m co-chair of the cyber committee of the coalition of government procurement, and in that role, I helped draft their comments which were about 10 pages in length and which were submitted to DOD and to the cyber AB. And that was really the first point that we raised in those comments. We went back and looked at what DoD had said, when it announced CMMC and then when it announced this revision to 2.0. And it said that it was going to make this simpler, and it seemed to be attentive then to the challenges that small businesses face. And yet since then, too much has happened that seems to go in the opposite direction. And the CAP seemed to be pouring salt on the wounds, if you will. I like others agree that small and medium-sized businesses as well as prime’s need to do a better job to defend against real threats that would like to steal or compromise sensitive information. But we don’t want to kill the patient with the medicine. And there’s a real danger that CMMC could become so difficult, so expensive, and so uncertain is an outcome that some companies are going to choose to leave the defense industrial base, that’s bad. We may discourage or preclude innovators from coming into the DIB. That’s just as bad, maybe worse. And we also could be encouraging companies to sort of gamble and engage in misconduct. They might figure it’s better to say you’re doing it right and hope you never get assessed, or then try to explain your way out if you do. None of these are good. So we need to make some changes.

Tom Temin: All right, we’re speaking with Rob Metzger. He’s an attorney with Rogers, Joseph O’Donnell and a member of the coalition for government procurement. And you’re proposing in the statement from the coalition to the Defense Department and the cyber AB, You said we have serious reservations regarding the CAP and urge that it be withdrawn, reconsidered and reissued in a fundamentally different form. So you’re not asking for tweaks here, you’re asking for a whole new approach. And basically, in this 10 pages of objections to them, What should it look like, do you feel?

Robert Metzger: Well, first, there was a town hall of the cyber AB and Matt Travis, who runs the organization is a dedicated, hard working servant of the public interest. He said essentially, that the present version of the CAP is not something that must be used. He said that it’s going to be changed and it will not actually become effective or required until we get these new CMMC rules. And that may not be until the summer of next year or maybe later. I would like to move away from this process-intensive, rule-driven approach, I think we need more flexibility. And I think we need to tailor the whole assessment process to the nature of the company being assessed. Some companies would merit or demand a more rigorous approach, others less. Right now, essentially the same process of assessment for each of 110 Cyber controls, and the NIST standard has to be undertaken for any company in the defense industrial base, small, medium, or large. And irrespective of what it does, that’s not realistic. In the real world, there are 10s of 1000s of companies Tom, that will be subject to assessment under CMMC. The business and technical circumstances of every one is different. And so we have to introduce some play in the joints, if you will, not to dilute the value of the assessment, but to give companies higher confidence that they can succeed, and to give more discretion to the assessors to apply their skills in the circumstance of the individual company.

Tom Temin: And the CMMC invokes these 110 requirements coming from that NIST special publication that people are familiar with. Is the difficulty in companies all having to have the 110 controls in place, or is the difficulty in what it requires of them to prove that it’s in place to a third party assessor and therefore to the Defense Department, or is it the whole chain of events?

Robert Metzger: It’s both. The 110 controls have their origin in a NIST document that was prepared for non-federal organizations around seven years ago. And each of the controls are stated in just a single sentence. But in the intervening years, there’s been a growing body of documentation, including assessment guides from NIST, and then assessment guides from CMMC that amount to many hundreds of pages. And what has happened is that assessors seem to want to prove and demonstrate and have evidence for everything, instead of taking the necessary propositions or looking for sufficient evidence, there’s just too much discussion of requiring a body of evidence for each of 110 controls. And that’s complicated enough for a small business that might have one or two product lines. But if you get to bigger businesses, who might have many cage codes, or 10, a dozen, 100 different product lines and programs, well, you know, being obsessive and prescriptive about the evidence, your current require, is a recipe for assessments that are not only extraordinarily expensive, but also will produce uncertain results at a fair amount of likely contention. One of the things that was said in the coalition document is that DoD and CMMC, and the AB and the assessors ought to focus more on those cyber measures which are most important and which will have the best results rather than, you know, having a paint by numbers approach that demands evidence of everything, because it’s just too hard. And the benefit of let’s call it an over arduous approach is dwarfed by the the costs of that direction.

Tom Temin: And you’re also mentioning to the folks there that you’re calling the CAP premature to quote your statement, the coalition statement, it calls for an assessment process that is legally unsupported until the CMMC 2.0 regulations are in effect. So it’s cart before the horse.

        Read more: Cybersecurity

Robert Metzger: Oh, very much so. And I think the cyber AB recognizes that. Look, for all the talk about CMMC, right now, there are no CMMC process regulations in place. There are some important regulations, adequate security using 171. Doing a self-assessment, submitting your score to SPRS, those are in place and they apply to everyone. But this whole new CMMC regime is not something that’s going to become legally binding until the new regulations are published, and then afterwards until they become effective. But even then, Tom, even when the regulations are in place, maybe a year from now,  they’re not going to affect any individual contractor until they show up in a request for information or request for proposal, a change order or contract. And so to have people following the rigors of this cyber security assessment process, which is written around the CMMC documentation and anticipates the new rule to have all that done, before the rule is in place, it’s putting not just the cart before the horse, they’re in kind of separate fields. That cart that you’re building isn’t in the same place as the horse that you have to ride. And so what we urged is that, you know, between now and the effective date of the regulations, let’s focus on the methods that DoD has already used in the so called DIB CS high assessments that have been conducted more than 300 companies, those have proven to be workable, they are much more, let’s say accommodating of contract or circumstances. Not easy, but not sort of difficult for its own sake. And I think last night, Matt Travis said, in effect that the cyber AB agrees with that proposition.

Tom Temin: Right. That was my question. The cyber AB, and I guess, by extension, the Defense Department then have taken this objection that you’ve sent into account.

Robert Metzger: And the way it was put last night is that the CAP and other CMMC unique documentation could be used as guides to inform assessors in the interval, and that’s fine. As long as they’re not controlling, there is useful insight, even in the CAP, you know, for all of its excess and complication. There’s a lot of useful things in there. And there’s very many useful things in the CMMC specific documentation such as the assessment guide, or the scoping guidance, and there’s nothing wrong with the assessors or the companies being assessed having a look at that and being informed as to what they should do to improve their security and enhance their ability to demonstrate that security. But you don’t want to be governed by something that’s tied to new rules, which are not public and are not effective and are are not presently known to anyone other than the drafters.

Tom Temin: Rob Metzger, is an attorney with Rogers Joseph O’Donnell and a member of the coalition for government procurement.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.