The first piece of the puzzle meant to add more cybersecurity rigor to the Defense Department's supply chain dropped Monday with the launch of the Cybersecurity Maturity Model Certification (CMMC) accreditation board.
The board, led by Ty Schieber, who also is the senior director of executive education at the University of Virginia’s Darden School of Business, will be on a sprint over the next year to get the third-party assessment organizations trained.
But DoD is expected on Friday to drop the bigger piece to this CMMC puzzle with the release of version 1 of the standard.
Katie Arrington, the special assistant to the assistant secretary of Defense for acquisition for cyber across the acquisition and sustainment branch, said the requirements in this initial standard shouldn’t come as a surprise to anyone as DoD has been collaborating with industry and others for most of the past year.
“We have done something that they said couldn’t be done. We have worked tirelessly but I can’t thank industry enough for being a collaborative partner,” Arrington said at an event sponsored by Holland & Knight in Vienna, Virginia. “CMMC is not going to happen overnight. Let’s just think about the history. The National Institute of Standards and Technology special publication 800-171 came to life in 2014 when President [Barack] Obama signed the executive order and put it into contracts. Do you know how long it took us to actually get it into contracts? We had until 2017. We gave ourselves to 2018. We just started auditing in 2019. I appreciate the concern about how this will impact. But we understood going in that we couldn’t do this automatically.”
Arrington said DoD expects CMMC to take five years to fully roll out, and not really get going until 2021. She said DoD expects the third-party assessors to certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023.
“I doubt it will take five years because companies want to do this,” she said. “We also are telling you security is an allowable cost now. We are working through the Office of Management and Budget to ensure we have cost realism built into our estimations for our programs and acquisitions moving forward.”
Training classes to start this spring
But over the next nine months, the accreditation body and DoD have a lot of work to do.
“We are a 501(c)(3) and being a non-profit is important to us. Just as important to us as the fact that we are not here to extract money from the supply chain is our independence. We can do things DoD cannot do as a privately incorporated 501(c)(3),” said Mark Berman, a board member and CEO and co-founder of FutureFeed, a company that helps vendors comply with security mandates. “We will learn from you and we will be at all times on the side of building this right and building this for the security of our nation. We take that very seriously.”
The first training of third-party assessors is scheduled to start this spring. Arrington called that first class a pathfinder to ensure the process is working.
“We have to find out what we don’t know about how we’ve created the curriculum, how they are going to interpret the curriculum and how do you test appropriately,” she said. “We have, by no means, answered every problem. But we are definitely making the move forward.”
Arrington said DoD also is working with the Procurement Technical Assistance Centers (PTACs) around the country to help small businesses prepare for CMMC.
While DoD doesn’t have control of the accreditation board, it does have a seat on the council. Arrington said, however, that the data between the third-party assessment organizations and the board is private and not for DoD to view. She also said DoD and the board will sign a memorandum of understanding laying out specific rules of the road, including reciprocity for existing certifications like ISO-2700.
Changes to DoD acquisition regs
DoD is also pushing forward on changes to its acquisition regulations.
Arrington said that in the coming weeks the Pentagon will release an update to the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate CMMC into clause 252.204-7012, which covers Defense Industrial Base compliance information. She said DoD would release the changes this spring for comment, with a goal of finalizing them by September.
Clause 7012 of the DFARS applies to vendors handling controlled unclassified information for DoD.
“Most contracts will default to the CMMC level 1,” she said. “But if you are touching controlled unclassified information, and you have a 7012 clause in your contract, then you will need to be CMMC level 3.”
As for the CMMC standards themselves, Arrington said level 1 is considered the basic hygiene standard and requires vendors to meet the cybersecurity requirements in FAR Part 52.
Level 2 is considered a bridge to level 3, where the CMMC requirements really kick in, with a focus on financial planning, staffing and treating cybersecurity as a service.
Under level 3, vendors will have to meet all 110 controls in NIST SP 800-171 revision 1 plus an additional 20 controls.
Create critical thinking
“We asked industry what would make this more secure? Industry led and said these are the things that would be most impactful to really create good cyber hygiene,” Arrington said. “Level 4 will be sections, not the totality, and requirements out of NIST SP 800-171 B version, which hasn’t been released yet. We couldn’t wait so we took levels 4 and 5 and broke out the bravo series and put them in. It’s very expensive and very exquisite capabilities and not everyone should have them.”
Along with training the third-party assessment organizations, DoD is also training program managers and acquisition workers on the CMMC standards.
Arrington said security is not a one-size-fits-all effort and different contractors will need different levels of certification.
“[CMMC] is a building. It is meant to create critical thinking about cybersecurity. That’s all it’s supposed to do,” she said. “If it becomes a checklist we’ve failed, and if we don’t revisit this at least every year, we are missing the mark. If we don’t go back to this model to inject what the threat looks like today so that you can get protected, we have missed the mark. The threat will ever change. Electronic warfare is not static.”