Pentagon’s new Cybersecurity Maturity Model Certification is out. Now what?
February 20, 2020 12:06 pm
7 min read
Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
In what was lightning speed in Pentagon terms, the new Cybersecurity Maturity Model Certification is out. So now what? My next guest has been following this project closely from the beginning. Here with an update, law firm Rogers Joseph O’Donnell PC partner Bob Metzger joined Federal Drive with Tom Temin.
Tom Temin: Let’s start with the last time you were here. And it was only a couple of months ago. We were talking about version .6 and .7. What do you know? They came out with 1.0.
Bob Metzger: Well, it is kind of amazing, Tom. They said that by the end of January they would come out with the official release of the Cybersecurity Maturity Model Certification with the practices and processes that are supposed to be met by the entire defense industrial base. And they did.
Tom Temin: Is it a rough job, or do they have a lot of development to do? Is it fully baked?
Bob Metzger: They have accomplished an incredible amount, but there is still a very long way to go between producing this volume that describes the processes and practices and then actually kind of putting it on the ground and having it applied to contractors and real RFPs and having assessors who are trained and accredited and having those assessments done. If you look at the schedule Tom, you’ll see that there’s a fairly long stack of concurrent activities that are expected to occur this year. Well, for the whole system to work, more or less, all of those activities have to get done. And if there’s a delay or disruption to any of several activities, the whole thing could kind of slide to the right. It has been ambitious, and they’ve done more than many expected, but it remains ambitious, and we have a ways to go before we really see if this works.
Tom Temin: What do you think are the biggest gaps for between what they’ve produced now and what they need to do to make this program really complete?
Bob Metzger: Well, I’d say there are three things. The first is the assessor. The whole theory of CMMC is that companies are going to be assessed and they’re going to be given a certificate as to what level of cybersecurity they’ve demonstrated and had validated through assessment. Well right now we don’t know how assessors will be picked. We don’t know who they are. We don’t know whether we have enough. We don’t have an assessment guide for them or for the companies. We don’t have a body to accredit them quite ready. So that’s number one. You gotta have the assessors for an assessment system to work. The second big issue is how well can this be accommodated by the smaller and midsize businesses in the defense industrial base. A few of us should be worried about the big companies like Lockheed Martin or Raytheon. And most of the middle sized companies who depend on DoD are already working hard to have security that’s probably better than CMMC expects. But the purpose here is not just to protect those who already defend themselves well — it’s to protect the whole of the industrial base, including innovators at the small and medium sized level. And there remain a fair amount of questions as to whether this is affordable and whether there’s enough flexibility in the way that CMMC works, that it will be practicable, not just in theory, but on that ground. Then the last thing is rulemaking. It was announced just a few months ago that the CMMC is going to require a new regulation, and that there’s going to be notice and comment rulemaking. Which means the public’s gonna have a chance to express its opinions on this. There could be a lot of opinions, and not all of them are going to be favorable. And that rule making process could prove to be the very much longer pull in the tent than some might expect.
Tom Temin: Getting back to the small business question. If any contractor or subcontractor or, for that matter, sub to a sub is holding government or military data, can their controls be reasonably expected to be somewhat easier or less comprehensive than those of a big prime contractor?
Bob Metzger: Well, that’s a great question. That really is the heart of probably the most difficult challenge ahead for CMMC. From a security standpoint, it’s widely accepted that our adversaries are interested in more than the big companies. They know where our innovators are located, they target those whose defenses are weaker. So we really can’t give a free pass to small companies. On the other hand, as you get to smaller companies, the return on investment from good security goes down. And at a certain point, if it’s more costly to you than your business can afford, you’re not gonna do it. And so you’re faced with a choice potentially of leaving the defense industry, even if you have great stuff that DoD or the primes would want. And I don’t think that problem is solved here. Part of the issue, frankly, is the sort of let’s call it a one size fits all approach. The way CMMC works today is that if you were expected to meet level three, that’s the basic level for people to DoD work. You’re expected to meet it let’s say that there are 120 individual practices. If you get 118 of those right at the time of assessment, you failed and you don’t get that certificate. There’s nothing in the system right now that allows a contracting officer or a prime to decide, well I think you’ve done well enough for now. I’m gonna let you work to close those gaps. I suspect that will have to change.
Tom Temin: Yes, because of the 120 say controls, not all have equal value in terms of protection.
Bob Metzger: Absolutely right. And yet there’s really never been a study of the relative cost to value of each of those controls. So when NIST (National Institute of Standards and Technology) put out these standards quite a few years ago now, there were originally 110 practices or controlled unclassified information, and the theory was that a prudent business would be doing these already and they wouldn’t prove too costly. Honestly, that hasn’t proven to be true. They are costly. And many prudent businesses, especially the smaller and medium sized ones, have done only a few of them. Or maybe a half of them. Well, you know, we don’t really know of those 110 controls, which are most critical? Which are most important to protect against adverse impact from an adversary breach? And we may have to study that because we may have to decide that we want these 85 and we’ve got to
have them, and we’re willing to let the other 25 get done later. That’s not in the system
Tom Temin: In the meantime, before these things, even if they do get into the system, they’re not there now in the whole assessment process. What should businesses do then? They’ve got this 1.0. There’s no assessment system. What do I do?
Bob Metzger: So it’s really important that when Undersecretary for Acquisition Ellen Lord and Mrs. Katie Arrington, Kevin Fahey when they did their press conference on January 31st, they were especially intent to communicate that the rollout would be gradual. There’s gonna be about 10 pilot programs this year, Tom. There’s only gonna be a few contracts that see this requirement in an RFI this summer. There may be only 20 or so that will have it in an RFP late this fall. That’s not really very many when you’re talking about tens or even several 100,000 contractors will be affected, so we have some time. But to get your question directly, companies should not wait. It’s pretty clear from this binder of the CMMC practices and processes that companies need to be moving in the direction of getting those things done. They’ve got a little more time than many may fear. But it would not be prudent to wait around until somebody calls you and says, you’re going to get assessed. You’ve got to get started on it now and that’s valuable, I think.