(This story has been corrected to reflect that a company told GAO it invested 3,600 hours of staff time to prepare for a DIBCAC assessment, not 36,000 hours as previously reported)
The Government Accountability Office found numerous problems with the Pentagon’s first instantiation of the Cybersecurity Maturity Model Certification program, pointing to challenges ahead as the Defense Department overhauls its plan to ensure contractors have adequate cybersecurity.
This GAO report was largely completed before the Pentagon announced major changes to the CMMC program last month.
The report presents three major recommendations: DoD needs to improve how it communicates with the defense industrial base; it needs a plan to evaluate the effectiveness of any CMMC pilot efforts; and the department needs “outcome-oriented performance measures” to grade the overall effectiveness of the CMMC program.
Bill Russell, one of GAO’s lead authors on the report, said DoD is making progress on the first count as it starts to implement “CMMC 2.0.”
“Our initial look at 2.0 shows that there has been a lot more communication about what issues are going to be tackled through rulemaking and other efforts to get at some of the concerns that industry raised,” Russell said.
Bob Metzger, who heads the Washington office of law firm Rogers Joseph O’Donnell, said the report contains “important principles and observations,” even if it comes after the Pentagon announced changes to the program.
The GAO report points to many questions DoD will need to address as it embarks on a potentially lengthy rulemaking process. Metzger called on DoD to clarify when it would be issuing an interim rule so companies could start planning. Officials have only said the rulemaking will take somewhere between nine and 24 months.
“There are so many questions that are in play now that CMMC 2.0 has been announced,” Metzger said. “So many questions that will contribute to whatever it is that DoD puts out as its proposed in a rule. DoD ought to be talking about the issues and listening to stakeholders now before it puts out an interim rule.”
GAO’s review included discussions with defense contractors and trade groups. The report listed common areas of concern, including DoD’s decision under CMMC 1.0 not to allow companies to defer some CMMC requirements into Plans of Action and Milestones.
GAO’s report, citing data from DoD’s in-house Defense Industrial Base Cybersecurity Assessment Center, shows the majority of contractors are not meeting current requirements to follow National Institute of Standards and Technology cybersecurity standards.
Of the 110 companies the center assessed between fiscal years 2019 and 2020, 16% “satisfactorily demonstrated” they were meeting the requirements, according to the report. As of October 2021, the number had increased to just 22%.
Under CMMC 2.0, Pentagon officials say they will allow Plans of Action and Milestones in limited circumstances.
“I think that’s just one to watch,” Russell said. “What are the exact details going to be if DoD decides to use the POA&M process?”
Companies also told GAO they were concerned about the lack of details on reciprocity, referring to whether DoD would allow a separate certification, like FedRAMP, to meet the requirements of CMMC.
Metzger said the reciprocity issue is especially important for service providers, like cloud and cybersecurity companies, who must already achieve security certifications to work with DoD.
“It’s essential to rationalize the assessment mechanisms and to make them workable, affordable and prompt,” he said.
GAO also reported on concerns companies had with both compliance costs and the impact on small businesses. Those issues largely drove the Pentagon’s internal review that led to CMMC 2.0.
While the Pentagon had estimated a CMMC Level Three certification would take about 420 labor hours, a company told GAO it invested 3,600 hours of staff time to prepare for a comparable DIBCAC assessment.
CMMC 2.0 addresses cost concerns by reducing the number of companies that will be required to obtain third-party certifications. Companies that handle less sensitive information will only need to submit a self-assessment.
But DoD estimates about 40,000 contractors will still need to obtain a third-party certification.
Companies also expressed concerns about consistency between different third-party assessment organizations, as they worried two different assessors could look at the same evidence and come to a different conclusion, according to GAO.
And industry expressed concerns about the CMMC Accreditation Body’s role in the appeals process. The CMMC-AB is a nonprofit organization led by industry officials. It’s on contract with DoD to train and accredit third-party assessment organizations.
Under CMMC 2.0, officials have pledged that DoD will take a greater role in the administration of the program. But Metzger said the department still needs to clarify the roles and responsibilities between the government and the CMMC-AB.
“In my view, the accreditation body should prepare and train the assessors, help in their assignment, oversee the completion of their projects,” he said. “But the assessors should submit their reports and if there are discrepancies, disagreements, doubts or disputes, to me, that’s a federal function, not to be accomplished by a third party, and that should be done by DoD.”