When the Defense Department confirmed that Deputy Secretary Kathleen Hicks decided to review the Cybersecurity Maturity Model Certification (CMMC) program, initial reactions were mixed.
Some experts said this is a significant sign that the Biden administration wants to rethink major aspects of CMMC.
Others say it’s a perfunctory review and one any new administration would undertake given the importance of the program. They say these reviews likely are happening across DoD.
Insight by Carahsoft: Learn how the FedRAMP PMO and its partners believe the end result of many of ongoing initiatives is a better, faster and cheaper cloud security program by downloading this exclusive ebook.
A DoD spokeswoman offered little insight into the review and what its goals are.
“In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the department remains deeply committed to the security and integrity of the defense industrial base. As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” said Jessica Maxwell, the DoD spokeswoman in an email. “As this internal assessment is ongoing, we are not able to provide further detail. This assessment will be used to identify potential improvements to the implementation of the program.”
One former CMMC Accreditation Board member downplayed the review saying it likely was just part of the administration changeover.
Another source familiar with CMMC, who requested anonymity because they didn’t get permission to talk to the press, offered an even more restrained opinion.
“There is more support in the department and more impetus to do this than ever before based on what DoD leadership is saying the resources they are willing to commit to it,” the source said. “One of [the] things that CMMC recognizes is that they did things fast, and things will come up that they will have to course correct.”
Stacy Cummings, who is currently performing the duties of the Under Secretary of Defense for Acquisition and Sustainment, issued a memo a few weeks ago outlining two specific review areas, including CMMC implementation.
FedScoop first reported the DoD’s decision to review CMMC.
On top of this review, DoD is in the middle of delivering reports to Congress and working with the Government Accountability Office on CMMC reports and analyses. The 2021 Defense Authorization Act required the DoD chief information officer to assess each department component against the CMMC framework and report findings to congressional defense committees by March 1. Lawmakers want details on how each component “will implement relevant security measure to achieve a desired CMMC [level] or other appropriate capability and performance threshold.”
Congress also asked the Government Accountability Office to independently assess and brief Congress within six months of the CIO report’s issuance.
The NDAA also requires DoD to withhold 60% of its CMMC appropriated funding until its Office of Acquisition and Sustainment (A&S) submits a plan to Congress detailing timelines for pilot activities, the relationship with auditing or accrediting bodies, planned funding and involvement of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and its plans to train acquisition staff to implement CMMC.
Finally by September, DoD needs to submit a report on whether it makes sense to develop a cybersecurity threat hunting program to work on defense contractor systems. While the provision didn’t specifically called out CMMC, it’s related to the entire supply chain security effort.
The source said DoD is busy developing those reports for Congress and likely Hicks will reviews a lot of the same information.
“This is a holistic review and not just some document drill. I think they will take [a] thoughtful look at the program to make sure everyone is comfortable,” the source said. “The team they have stood up is very knowledgeable, and the CMMC PMO isn’t concerned they will find anything wrong.”
The source said DoD expects to turn the review around quickly and not impact the program’s timeline for CMMC’s initial roll out.
The review also comes as the CMMC-AB named Matt Travis as its new CEO. Travis comes to the board after spending two years as the deputy director of the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security.
“This is an opportunity I was excited about for two reasons. This obviously allows me to continue to continue the cyber evangelization work that I feels strongly about. But more importantly I really wanted this position for two reasons. This is really the first opportunity to stop talking about cybersecurity and actually do something about it. I hope you all appreciate how trailblazing and what a new frontier this is with CMMC and what the department is doing,” Travis said at the town hall. “This is really the long game, and doing a lot of work to together to build the resilience and raising the cybersecurity baseline. The second reason I’m excited because this is where the risk is. When you think about the DIB as one of the 16 critical infrastructures, we know the nation’s adversaries are targeting this sector and we know there are vulnerabilities, this is where the risk is. So it’s incumbent on all of us to raise our game, and this is a collective effort.”
Matt Gilbert is a principal with Baker Tilly’s government contracts advisory practice who leads a team that conducts reviews under National Institute of Standards and Technology special publications 800-53 and 800-171. He said that while he couldn’t offer any insight into the DoD review, there are several areas where DoD need to accelerate its efforts.
“The area in which the DoD should focus is making sure there will be adequate assessors to handle the volume. The DoD might want to consider announcing a gating mechanism. A gating mechanism could restrict assessments to only those contractors that will be awarded one of the pilot contracts with the new DFARS 252.204-7021 clause,” Gilbert said in an email to Federal News Network. “Adding to the challenge, if the certified third-party assessment organizations (C3PAOs) are not timely assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), then significant portions of the provisional assessors will be on the sideline. Since all assessments need to be registered with the CMMC-AB, the DoD could give instructions that only those contractors that have the 7021 clause in a pending award should be allowed to proceed with the assessment.”
At the CMMC-AB town hall on March 30, the board reported 109 total C3PAOs and 100 provision assessors.
The AB continues to review C3PAO applications with 332 still pending.
Ben Tchoubineh, the chairman of the CMMC-AB training committee, said the process for the C3PAO is the most complex one and still requires the level 3 assessment from the Defense Contract Management Agency
“There is only CMMC level 3 assessment that has been completed so far. It will take some time for the C3PAOs to be ready to go,” he said.
Part of the reason is the DCMA’s ability to conduct the level 3 assessments through its DIBCAC program.
The AB doesn’t expect the full training and certification program to be fully ready until the fall.
Two other challenges that the DoD review may address is how to improve the markings of controlled unclassified information (CUI) and to accelerate the release the scoping guidance to address reciprocity.
Gilbert said without the scoping guidance, C3PAOs and contractors s are likely to run into challenges and differences of opinion without authoritative literature to reference.
As for CUI, Gilbert said if contracting officers mistakenly label CUI inaccurately there could lead to some unintended consequences.
“If the requirement is tied to taking possession of CUI, this would allow a prime to issue a laptop to a sub to minimize their CMMC obligations. The sub would be saved from possessing CUI in their systems and therefore would necessitate only a level 1 certification,” he said. “The more flexibility that the DoD can provide the DIB, I think the more likely their estimates of greater than 50% of contractors only requiring level 1 will hold true.”
DoD already is seeing some delays in its CMMC roll out. Several of the initial pilots it outlined are either pulling back because the service or agency’s timelines don’t match with CMMC being ready. DoD has said the goal is not to harm the acquisition process as it stands up the CMMC program.
The source said some of the initial pilots may look at requiring their vendors to be CMMC certified in a specific amount of time after it has awarded the contract.
“Contractors are frustrated because they want a list of pilots, but DoD doesn’t want to put pilots out there because it’s changing day to day,” the source said.
It’s hard to say what impact Hicks’ review will have on many of these issues. But as a first step, reviewing the program and bringing a fresh set of eyes to CMMC can only help to accelerate it, and, as Travis said, actually do something about cybersecurity and stop just talking about it.