Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Sometime early next year, Defense contractors — hundreds of thousands of them — will have to possess a minimum level of cybersecurity skills and controls.
One thing contractors won’t be able to say is that they were surprised by anything in the Cybersecurity Maturity Model Certification program. The usual pattern for new rules and requirements is to develop them behind closed doors, then drop a finished draft on the affected parties for comment. The proposal can be so far off the mark that it takes years of back and forth before the agency gets it right, or at least acceptable to contractors.
In this case, the Defense Department, specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment, is thinking out loud. It has been releasing a series of models with fractional version numbers, like pre-release software, leading up to Version 1.0, due in February.
Last week the program office came out with Draft CMMC Model v0.7. That version arrived only a couple of weeks after Version 0.6.
Attorney and cybersecurity policy expert Bob Metzger of Rogers Joseph O’Donnell agreed with my characterization of DoD “parading” its step-by-step thinking in public so contractors can keep up in anticipation of Version 1.0.
“This is a highly public undertaking,” Metzger said in our interview. Besides the regular releases revealing its developmental thinking, the CMMC program has conducted a “listening tour,” using the various contractor associations.
And a fast-moving one. DoD’s Ellen Lord announced the CMMC program only in July. Metzger calls the pace of development “unusual, if not extraordinary.”
“Fast-moving” and “transparent” are not words you hear in connection with the Defense Department often enough. And yet CMMC is a particularly important program. Contractors hold terabytes of Defense information. A great deal of it is known, including to the government itself, to be lost each year by exfiltration to foreign entities, first among them China. Foreign adversaries rob the U.S. blind of intellectual property. DoD can’t fix the problem without forcing better cybersecurity down through its supply chain. In doing so it is not only following a statutory mandate and the existing procurement clause cheerily named DFARS 252.204-7012, which already requires contractors that handle covered defense information to implement the NIST SP 800-171 controls, but relying on self-attestation to get there. In reality it’s working to stanch a lifeblood flow of national security data straight into enemy hands.
Reaching even the basic level of certification, Level 1, will take real work for many contractors. In the draft model, Level 1 covers the 17 basic safeguarding practices already required by FAR 52.204-21. Contractors will have to demonstrate to an assessor that those technical controls are actually in place; the higher levels add the SP 800-171 controls and require that the practices be documented and managed as business processes rather than merely performed.
One piece of the CMMC program isn’t fully baked. That’s the system of private-sector, third-party assessors who will certify individual contractors as having met a particular level of cybersecurity maturity. In some ways, it will resemble the FedRAMP program for certifying the security of cloud service providers.
FedRAMP has taken several years to mature, and even now it has gaps, and many agencies go ahead with cloud services while ignoring FedRAMP.
That may be one reason for industry to worry about what’s going on with the accreditation end of CMMC. Metzger said, “There’s been a lot of confusion if not outright anxiety within industry as to the status and operation of the accreditation body.”
He and others say ‘never mind the accreditation apparatus.’ Better to concentrate on keeping up with CMMC itself as the program office works towards Version 1.0. I say, even if the accreditation body never gets going, wouldn’t you want to have cyber best practices anyway?
Here’s an idea. Yesterday President Donald Trump signed an executive order giving federal employees the day before Christmas off. Defense contractors ought to declare Dec. 24 as reading day. The relevant employees, and that includes the CEOs, should spend the day boning up on the 190 pages of CMMC Version 0.7.
Anyone with a modicum of cybersecurity background will see a document full of references to familiar standards and publications, such as Federal Information Processing Standard 200 and the control families of National Institute of Standards and Technology Special Publication 800-171. Rather than breaking exotic technical ground, CMMC gives a clear incentive for doing what NIST has been urging for years: do your basic cyber blocking and tackling, and put in business processes to make sure it becomes a continuous, integral effort.
My point is not that it will be easy, but that what DoD promulgates isn’t new science or any sort of exotica. It is basic cyber hygiene.
The incentive: You’ll still be able to do business with the Defense Department.
I think DoD’s A&S shop deserves a bit of holiday credit for how it’s conducting the CMMC program. How refreshing to see a program trying hard to be fast, efficient and open.