Defense Base Prepares for New CMMC Rules (Updated)
One year after the Pentagon announced its newest cybersecurity guidelines, industry is still figuring out how it will comply with new rules and operate in a new environment.
Cybersecurity Maturity Model Certification 2.0 recently entered the Defense Department’s rulemaking process — the final step before it becomes an official requirement. Despite questions about industry’s cybersecurity capabilities and the challenging documentation process, defense companies could be required to comply with CMMC for new contracts as soon as May 2023.
CMMC is intended to protect “controlled unclassified information,” or CUI — information that falls outside the classified level but could still cause major damage to the Pentagon if accessed by hackers. In recent years, infamous incidents such as the SolarWinds attack in 2019 have raised awareness about the seriousness of network intrusions.
“If you’re in the market of providing support to the Department of Defense, the market conditions have changed because the department is essentially saying, ‘If you want to do business with us, we need to be able to trust that you are valuing our data as much as we do, and therefore protecting it to the standard that we need to protect it,’” said Matt Travis, CEO of the CMMC assessor accreditation organization The Cyber AB.
Companies doing business with the Defense Department that involve sensitive, unclassified information are legally required to implement controls and cybersecurity measures to protect the material. CMMC will require that companies prove their data security practices through an assessment process.
When the Pentagon rolled out CMMC 2.0 November 2021, it reduced the certification levels from five to three and allowed some companies to self-assess rather than have an authorized assessor document their compliance.
The three levels are based on how sensitive the controlled information that the defense company deals with is, one being the least sensitive and three being the most, according to the Defense Department. If a business deals with less sensitive information, it is more likely it would be able to do a self-assessment instead of needing a third party to do it.
Despite the changes, one of the biggest problems with CMMC 2.0 is that defense companies still aren’t clear on the rules and implementation of the standards that they will have to meet if they want a government contract.
Of the commenters that weighed in during a public comment period for NIST 800-171 — the National Institute for Standards and Technology’s cybersecurity standard that is the backbone of CMMC — 23 percent were defense companies.
Some said that they still had questions about how the different controls would impact their cybersecurity practices, including SoundWay Consulting, a company authorized to perform cyber assessments as part of CMMC 2.0.
“Arguably, the single greatest challenge for NIST is the fact the U.S. government does not want to tell industry how to do things, yet industry desperately wants to be instructed ‘exactly how to achieve the goals and objectives’ of each prescribed control,” said Carter Schoenberg, SoundWay’s chief cybersecurity officer, in a letter published as part of the public comment process.
NIST expects to publish a new draft of the standard in late spring 2023, according to an analysis of the public comments published in November.
To help dispel some of the misunderstandings that surround the cybersecurity practices, the organization that is authorized to certify companies that provide CMMC assessments, The Cyber AB, hosts monthly virtual town halls to answer community questions, said Travis.
For example, a common question is how the CMMC will treat cloud services. There is still ambiguity in the language of 800-171 about the topic, but the Pentagon has been open to suggestions and proposals even if the timeline is stretching out, he said.
“I know that they certainly test my patience and others’ patience who want to get on with it, but we want to get on with it with clear guidance, clear roles and an ecosystem that’s ready to go,” he said.
While the rules’ language is being finalized, the infrastructure that supports the CMMC needs more experts before the thousands of defense contractors that qualify can be assessed, said Travis.
So far, a few hundred people have passed through the first level of training, but there is still a professional level and an assessor curriculum and exam that they have to go through in order to be able to assess cybersecurity practices.
“We continue to try to encourage more folks to get into CMMC either as an assessor candidate or as the implementer or other ways, because once rulemaking is over and this kicks off, we’re going to continue to want to scale this to the level it needs to be,” Travis said.
The Cybersecurity Assessor and Instructor Certification Organization — the counterpart to Cyber AB that split off into its own unrelated organization this year — unveiled the professional level exam at the end of October. The final assessor level authorization won’t be ready until next year, although there are a few hundred assessors who have been temporarily credentialed, Travis said.
With the current number of personnel, about 1,500 assessments could be done a year, estimated Vincent Scott, founder and president of consulting firm Defense Cybersecurity Group.
About 80,000 companies handle CUI and would fall into the third-party assessment category, Pentagon officials have estimated.
Travis said the CMMC ecosystem will need a bigger pool of cybersecurity professionals to choose from to work at the scale needed by the industrial base.
If there is a slow move to grow the pool of certified assessors, “you’re not going to see hundreds of contracts immediately get CMMC,” Travis said. The language will not be retroactively put into contracts, only placed into contracts for new procurements or recompetes.
“It’s not as if they’re going to just flip the light switch, and then everyone has active CMMC requirements,” he said.
Systems and platforms will be prioritized based on importance until the capacity to assess contracts exists, he said.
Additionally, defense industry executives need to invest more into their cybersecurity enterprises if they want to bolster the personnel needed to comply with CMMC, said Scott. Currently, it’s common for IT teams at defense companies to be underfunded and overworked.
“If you don’t see the security aspect as part of your business problem, you’re really behind the power curve,” he said.
Beyond the workforce, defense contractors still have concerns about the burden that implementing the cybersecurity practices could put on them, Scott added.
“CMMC 2.0. did help lower the burden, but not as much as the DoD thinks it did,” Scott said.
The new CMMC requirements eliminated additional requirements that were outside of NIST 800-171. But the standalone still contains 110 rules for controlled unclassified information. The real number of rules is much higher because each control is broken down into one or more assessment objectives, Scott pointed out.
While the amount of controls is challenging, companies are required to document their full compliance with all of them — an unreasonable expectation, Scott added.
“I liken this to four years of college. You have a final exam at the end, and if you miss one question, you fail and get nothing,” he explained.
For example, Scott is the chief security officer for Solutions Through Innovative Technologies, which does research with the Air Force Research Laboratory.
Performing a vulnerability scan for the first time a few years ago revealed thousands of risks, and it took almost a year to reach a “steady state.”
“Internally, we’ve been doing this for two years, and I’m still fighting to drain the swamp,” he said.
It’s not fair to hold businesses to a standard that the government won’t be required to meet, he added. Companies can have safe cyber practices while managing risk, just like the government does, he said.
The Government Accountability Office issued a report in May titled, “Protecting Controlled Unclassified Information Systems.” It found that between 70 and 79 percent of Defense Department systems were compliant with the 110 controls required by CMMC. While the Defense Department will not be required to comply with the CMMC framework, the report analyzed the comparable cybersecurity framework that the department is aiming to be compliant with, which has more than 200 controls.
“Our analysis of DoD-reported data determined that DoD components have taken actions to implement selected cybersecurity requirements for CUI systems, but none were fully compliant,” the report stated.
But the controls for the government cybersecurity framework are optional, and Scott noted companies are held to a more rigorous standard with CMMC.
“Moving from ‘pretty good’ to ‘we need to be 100 percent on the individual controls,’ that is what makes this way harder,” he said.
Because of the stringent requirements, companies who conduct a small portion of their business with the federal government may no longer find the effort worth the cost, Travis noted. This could undermine Defense Department objectives as officials have said they want to encourage more innovation from the commercial industry because they often move faster than the Pentagon bureaucracy.
Despite concerns, Cyber AB is still working to encourage defense contractors that can do so to perform self-assessments, Travis said.
“We just tried to stress [that] it’s never too early to invest in cybersecurity, whether or not it’s a requirement in your contract, because … I do think that NIST 800-171 will eventually become the unifying standard for all [government] contracts,” he said.
Other countries have approached Cyber AB to discuss how they can bring standardized cybersecurity practices to their defense industry, he added. He declined to say which nations but said he met with representatives from two countries in October alone to discuss what implementing CMMC in their own governments might look like.
He noted that the CMMC was not originally going to be implemented until 2026, and the Pentagon and assessment organizations are playing the long game.
“This is not a quick fix,” he said. “There’s a responsible and [intelligent] way to implement CMMC after rulemaking that won’t cause the ecosystem to crumble under its own weight.”
A previous version of this article referred to Matt Travis, as president of the Cyber AB. It has been updated to reflect that his title is CEO. We regret this error.