Third-party risk

CMMC stakeholders expect less talk, more action to shore up contractor security

An American Flag is seen on the Pentagon from the National 9/11 Pentagon Memorial on September 11, 2021 in Arlington, Virginia. A DoD program for evaluating and verifying contractor cybersecurity faced a rocky journey in 2021. Experts say they will look for the program to move from an idea to an operational reality over the next year as one measure of success. (Photo by Kevin Dietsch/Getty Images)

For defense contractors, 2021 was a year filled with talk about improved cybersecurity, even if there was less “doing” than initially advertised.

Perhaps no initiative exemplified this dynamic more than the Cybersecurity Maturity Model Certification program, part of an ambitious push by the Department of Defense to reset the way it measures cybersecurity compliance from its industrial base. The program was meant to mark a deliberate shift away from allowing vendors to certify their own cyber posture, after hackers sponsored by countries like China and Russia spent the past decade feasting on military trade secrets and sensitive (but unclassified) data pilfered from the systems of U.S. defense contractors.

Instead, it ran into the kinds of logistical problems that are common for many newly established government programs. There weren’t nearly enough qualified assessors to meet the demand that DoD had created, and vendors griped about the costs and enhanced cybersecurity controls the program would impose on them and revolted, inundating the military with hundreds of regulatory comments criticizing the overall structure and feasibility. Adding to the chaos, the DoD official who was originally leading the process had her security clearance suddenly revoked in May and was put on administrative leave for reasons that still aren’t entirely clear.

An early version of the program, rolled out last year, sought to have all 300,000+ members of the defense industrial base scrutinized by third-party assessors; it was eventually scrapped in favor of a simpler model unveiled in November. Instead of five levels of cybersecurity maturity, there would only be three, and instead of everyone requiring third-party cybersecurity assessments to be eligible for a federal contract, only those companies that handle controlled unclassified information and other sensitive data would require an independent audit, with the rest allowed to continue self-reporting their compliance.

Experts in cybersecurity and defense contracting tell SC Media that 2022 should be a year of action for CMMC, one where the government moves from talking about how best to measure the cybersecurity compliance of its contractors to actually doing it. But it's still not clear that the contracting community is fully ready to embrace the new standards, while much work remains to be done before the program becomes operational.

A year of transition…or spinning wheels

One question still up in the air is when companies should expect the program to actually go operational – with third-party assessors up and running, businesses being audited and certified and the Department of Defense formally including CMMC requirements in contract language.

Matthew Travis, CEO of the CMMC Accreditation Body, called 2021 a “transitional” year that allowed the incoming Biden administration to review what it inherited, respond to stakeholder feedback and put its own stamp on the process.

“I think it was a transitional year, and I think that had the effect of frustrating some people who are looking for more progress,” Travis told SC Media in an interview. “But when you think about it, with any change of administration, it’s natural for something as new as CMMC that the new team would take a look and probably tweak some things.”

Travis, who served as deputy director for the Cybersecurity and Infrastructure Security Agency at DHS before joining the AB last year, came on just days prior to the program being paused. The organization, which has a contract in place with the Pentagon to serve as the sole provider of licensing and accreditation for the program’s third-party assessors, training providers and instructors, spent much of 2021 putting staff in place, applying for non-profit status and transitioning from a volunteer-run organization of seven individuals to a professional enterprise.

The body plans to grow its staff further over the next year to help speed up certification of assessors, who can in turn begin auditing contractors. It also plans to hire specialists in security and compliance, as well as a vice president-level position to handle potential conflicts of interest (a frequent topic of discussion in contracting circles).

While 2021 has taught him not to make bold pronouncements about timelines, Travis expressed optimism that the past 12 months were part of a painful but necessary pivot that will portend a smoother implementation over the next few years.

“It was always meant to be a five-year, phased implementation [for CMMC] so everyone just exhale, take a breath,” said Travis. “With the transition now into 2.0, I think 2022 will certainly be a consequential year, a year where we see assessments starting, where we see hopefully the rulemaking moving quickly.”

A speedy and efficient regulatory process would go a long way towards positioning the military to begin reaping the benefits of the program sooner. However, others reached by SC Media said they anticipate a long slog through the federal bureaucracy, pointing to the Pentagon’s established record of slow, careful deliberation around new regulations as a reference point.

“If you look at past history as an indicator…the rulemaking process at DoD is usually anywhere from 9 months on the short end to, on the long end, 24 months or longer,” said Theresa Payton, former White House CIO under George W. Bush and now CEO of Fortalice Solutions, which helps companies prepare for CMMC audits. “Because they’re accepting public comments for this, it could be on the longer end.”

Hurry up and wait

What some see as a necessary transition period brought on by a change in presidential administrations and other logistical hurdles, others see as the government and industrial base largely spinning its wheels while the threat from nation state and criminal hackers only gets bigger. Jacob Horne, chief security evangelist at Summit 7 Systems and an expert in CMMC compliance issues, told SC Media that the most striking thing about the program in 2021 was that “almost nothing happened.”

The DoD-led review, Horne argues, not only resulted in a new iteration of the program that still imposed essentially the same cybersecurity requirements on contractors, it also left industry in the dark for months while the Pentagon reassessed the scope and fate of the program. While the department never gave any indication it was considering scrapping CMMC, Horne said the communications blackout from the government during the review allowed speculation and rumors of its imminent demise to spread unchallenged in parts of the contractor community.

Even after DoD affirmed the program and its structure as part of its new strategic intent for CMMC 2.0 in November, many contractors are still holding off on implementation or compliance activities, a mistake that could leave them blindsided and unprepared if the current version remains in place.

“What is very strange is that a lot of the reactions have been ‘oh we’re going to wait and see what is going to come out of the rulemaking,’” said Horne. “Which I find very odd because the reviews are done. The Pentagon is done reviewing the program, the GAO is done reviewing the program…CMMC 2.0 is what came out of those reviews.”

Ensuring the defense industrial base gets that message is key to the program’s chances of staying on track this year, Horne said, because for all of the talk about the roles played by DoD or the accreditation board or assessors, much of this still comes down to whether individual contractors are dedicating the time and resources on the front end to preparing their organizations for such audits.

At its heart, the newest version of the program is essentially verifying that contractors are implementing NIST-created cybersecurity controls for their IT environments, something they’re already legally required to do in order to do business with the federal government. The problem up to this point has always been that the Pentagon allowed vendors to prove this with the contracting equivalent of a pinkie promise, one that has been repeatedly shown to be insufficient.

“The open secret that has been dominant since 2016 is that nobody’s implementing these controls,” Horne said. “Once DoD started saying they were going to check the math, that’s when people in the contractor community started freaking out.”

Now, having burned a year spinning its wheels, the contractor community can’t afford to spend another year waiting or hoping for another shoe to drop: CMMC is coming.

What does success look like?

So, caveats and complications aside, what does success look like for CMMC in 2022?

For Travis, the answer is fairly simple: moving the program from the theoretical to the operational level and making CMMC a real, tangible program that contractors must work through rather than just talk about will help move the conversation beyond the drama of the past two years.

“I think the big question for a lot of folks who have been observing CMMC from afar is ‘okay, when is it actually going to start?’ We’ve been doing a lot of talking about it going back two years…to me assessments has always been the most important thing to get started, because everything flows from that,” he said. “Then, once companies within the [defense industrial base] see that okay, this is actually happening, they’re going to be engaging more on the coaching and consulting side of the ecosystem.”

Payton said that among the companies she’s worked with, the most trenchant questions they ask about the next phase of CMMC are how the new three-level certification process will work in practice, how willing individual procurement offices will be to accept self-assessed compliance and how expansive the government will make its waiver policies that allow vendors to temporarily sidestep the standards for certain “select mission-critical requirements” with senior leadership approval.

After a rocky road this past year, she wants to see better communication from the Pentagon with stakeholders in industry, especially as the rulemaking process proceeds.

“I would love to see in 2022 the Department of Defense, with great public flair, announce that they’re going to be open for comment and really help – in laymen’s terms – the business community understand why their public comments are really necessary to refine CMMC 2.0…and [connect] it to all of the executive orders and different cybersecurity policies that are coming out of the White House,” she said.

She also noted that if and when the CMMC program becomes entrenched, those same standards or something similar are likely to eventually trickle down to many state and local contracting requirements, meaning even companies that don’t do business with the federal government should be paying attention.

Horne defined “success” along two different tracks. The first is what DoD, the accreditation board, third-party assessors and others on the policy side are doing to measure compliance. The metrics here are relatively straightforward: certified third-party assessors in place, assessors auditing businesses and eligible companies on the level 1 and 2 tracks performing voluntary self-assessments.

The second is what contractors do internally with the model they’ve been given and whether they actually do the work to implement the necessary cybersecurity controls. Part of that will be dictated by whether DoD can move the program past the “provisional” stage in the minds of contractors and hammer home the need to get ready.

“Most people are focused on the success of the program – or rooting against the success of the program – without recognizing that the requirements, the controls, the model exists really independent of what you call the CMMC program or who’s running the program or whether you have to pay for an assessment or the government pays for the assessment,” Horne said.