Algorithmic Warfare: Industry Hopes CMMC Review Leads to Tweaks
One of the Pentagon’s most high-profile programs is its Cybersecurity Maturity Model Certification effort. CMMC will eventually require all 300,000-plus companies working in the defense industrial base to meet certain levels of cybersecurity to protect against threats from adversaries and continue working with the Defense Department.
However, with a new administration installed at the Pentagon, the department recently announced that it had initiated an “internal assessment” of the program.
Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment, recently likened the assessment to a standard acquisition category, or ACAT, 1 review of major defense acquisition programs. The review will ensure “we’re doing the implementation correctly internally,” she said in April during a webinar hosted by Deltek. “That’s actually been phenomenal [at] ... helping us looking across the departments so we’re not duplicating effort or anything like that.”
In a statement to National Defense in early May, a Pentagon spokesperson offered no details on the timeline of when the review will be completed or what changes may be made.
With new leadership in place in the White House, it is a good time for the Pentagon to take a close look at the CMMC program, said Andrew Hunter, director of the Center for Strategic and International Studies’ Defense-Industrial Initiatives Group.
“It is a natural opportunity with the change of administration to kind of step back and say, ‘We’ve been trying to accomplish this goal for some time. Are we on track?’” Hunter said. “‘Is it still the goal that we’re most interested in achieving? Have things happened in the world that might change what we’re trying to achieve or how we might try to achieve it?’”
In April, Apptega, a software company focused on cybersecurity and compliance, together with SecureStrux, a provider of compliance, vulnerability management, cybersecurity strategy and engineering services, published the "CMMC Preparation Study for 2021." In the report, 81 percent of the defense industry participants surveyed said CMMC is an important initiative needed to protect sensitive information. However, nearly one-third said the program will create unnecessary burdens and costs.
“These two findings combined seem to indicate broad scale agreement on the need to do more to protect sensitive information within the [defense industrial base], but CMMC may be too rigid in its requirement for contractors to achieve 100 percent compliance to be certified,” Scot McLeod, vice president at Apptega, said in an email. “Many in the industry see this requirement as impractical and cost prohibitive, especially for smaller contractors. Many are also concerned that this will stifle innovation within the DIB.”
In a recent white paper, "The CMMC: A Paradigm Shift Required for Success," Chris Golden, Mitch Tanenbaum and Ray Hutchins argued that the CMMC program, as it is being implemented today, is on track for failure.
“There is little evidence that the current approach will succeed — and meanwhile our adversaries are hard at work hollowing out the intellectual property that is the foundation of our nation’s security,” they said.
Tanenbaum and Hutchins are the founders of Turnkey Cybersecurity and Privacy Solutions, which is working with companies to become compliant with CMMC. Golden is a founding member of the CMMC Accreditation Body Board of Directors.
The Pentagon has not provided the resources or funding required for the defense industrial base to achieve CMMC compliance, they said.
With the publishing of the white paper, “we’re shooting up a flare here,” Hutchins said. “We need a lot more support. We need some changes made or this thing is not going to happen.”
Golden noted that he hoped to see changes come out of the internal assessment, including some authorities being moved out of the A&S office into an organization such as the National Institute of Standards and Technology or the Defense Information Systems Agency, which have more cybersecurity experience.
Additionally, funding for the effort is needed, he said.
“When I was on the board of the CMMC-AB we finally got some funding through our own means,” Golden said. “As I was coming off the board, I was actually buying basically infrastructure in the cloud for us to be able to host various reports and do business” processes.
Meanwhile, the Pentagon is taking a phased approach to the CMMC rollout and is on track to release 15 contracts that include CMMC requirements this year, Arrington said. Seven of those have already been released.
However, the Defense Department is waiting for the new undersecretary of defense for acquisition and sustainment to be installed before releasing the others, she noted.
In April, the White House announced its intention to nominate Michael Brown, the current director of the Defense Innovation Unit, to lead the A&S office.
Wes Hallman, the National Defense Industrial Association’s senior vice president of strategy and policy, praised the choice and said Brown would bring a wealth of knowledge to the CMMC program. NDIA has been working closely with the Defense Department since the beginning of the effort, offering recommendations and feedback from industry.
“One of the great things about … [Brown] is that he was the CEO of Symantec, which is a cybersecurity company, before he decided to serve his country running DIU,” he said. “We’re getting somebody who is uniquely aware of and an expert on cybersecurity. So, my guess is that … this is something he’s been tracking and something that he’s going to put some emphasis on when he comes in.”