The Defense Department wants to implement its much-discussed Cybersecurity Maturity Model Certification program mainly to ensure every single one of its vendors is undertaking minimum levels of commonly-understood cybersecurity practices so it can protect its supply chain. But Defense officials increasingly see CMMC as a way to monitor aspects of that supply chain that aren’t strictly about cybersecurity.
DoD expects tens of thousands of its contractors to earn a CMMC certification over the next five years. But to get one — even at the most rudimentary Level One of CMMC — each company will need an in-person visit from a third-party assessor. Those visits are primarily so that auditors can verify companies have actually implemented the security practices required for their level of certification, since no self-attestations will be allowed.
But there’s another reason DoD also wants a set of human eyes on each CMMC applicant: the department wants to make sure each firm that’s certified is actually a real company with real employees.
“We need to buy down the risk of foreign ownership, and we need to buy down the risk of shell companies that don’t really exist,” Katie Arrington, DoD’s chief information security officer for acquisition said Thursday during an online forum hosted by AFCEA. “So the physical audit will make sure that we’re doing our due diligence to buy down that risk. No matter what product is there, we always have to have a human being — you never want to take the human out of the loop.”
Arrington said the attractiveness of CMMC as a tool for getting a better understanding of the department’s supply chain has come into sharper focus during the COVID-19 pandemic, as shortages have highlighted the nation’s reliance on foreign suppliers.
She said that’s one reason that even in the early stages of CMMC, the department plans to require certifications on some contracts from not just prime contractors, but also their first-tier suppliers. In most cases, those suppliers will need a Level One certification.
“There is a challenge in our supply chain that you may not be aware of. Our adversaries are buying up key suppliers for manufacturers and then cutting off the supply. We need to assure that they’re good companies that are getting into business with you. That’s, again, why CMMC is there,” she said. “We can check foreign ownership, we can check that they have all the right things in place so that you never become vulnerable. That is the worst thing for a manufacturer: You need raw material to produce, you sign a contract to get that and somehow it gets pulled from underneath you, and then you’re not able to develop and produce to your customer. We know there are some that are going to say, ‘Oh, this is a lot.’ But I think in what’s happened with COVID, there’s a new awakening on why they need this.”
The department currently expects the cost of a Level One CMMC certification to be $3,000 per company, and each one would be valid for three years. The more detailed certifications involved in levels two through five would presumably cost more, but in each instance, companies will be allowed to charge those expenses to the government as an “allowable cost.”
And although each certification will require an in-person visit by a third-party accreditor, that’s likely to be the last step in the process, Arrington said.
Companies should expect to start the process by working with a set of online tools and spending about an hour inputting data about the cybersecurity practices they’ve implemented into those systems, but the details of how that process will work — and which tools will be accredited for CMMC use — are still being worked out by the independent CMMC Accreditation Body (AB).
“There’s all kinds of tool vendors that have potential across any of the workflows that we’re involved in, from an individual or from an accredited organization perspective,” said Ty Schieber, the accreditation body’s chairman. “Our operating premise from the get-go is been, ‘Let’s harness and harvest the great thinking that’s already been done.’ We’re working through how we establish a process to allow market forces to drive which tools are adopted and determine best practice. We need to make sure there’s some degree of assessment and rigor so that we can validate that they meet the CMMC requirement, but we don’t intent do get into a qualitative ‘This one’s better than the other one’ assessment, as an AB. We want to provide the user community the ability to make those determinations.”