CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

By Pete Sfoglia


The Defense Department's rollout of Cybersecurity Maturity Model Certification (CMMC) 2.0 was met with much fanfare and anticipation.

Designed to simplify the certification process and ensure that contractors meet a baseline cybersecurity standard, it was intended to improve upon CMMC 1.0. Despite these intentions, the new version has many issues that could undermine its objectives and efficacy.

A significant area of contention is the potential cost of certification, which might disproportionately affect small- to medium-sized enterprises.

To meet the NIST SP 800-171 security requirements on which CMMC 2.0 Level 2 is built (and the additional SP 800-172 requirements at Level 3), organizations may have to invest significantly in upgrading their systems, training their staff and maintaining their certification.

In addition, the cost of implementing the necessary cybersecurity measures could be prohibitive, especially for companies with limited resources.

The financial strain extends beyond merely achieving certification. Businesses also face the cost of maintaining compliance in an environment where cyber threats continually evolve. This could require further investment in technology, staffing and training.

Moreover, the prohibitive cost of certification could squeeze smaller organizations out of the defense supply chain, which may, in turn, reduce competition and innovation.

The CMMC 2.0 framework also calls for periodic third-party assessments for higher-level certifications. However, the cost of these audits is another financial hurdle companies must clear. While the move toward more self-assessments at lower levels may help mitigate this burden for some, the financial implications could be significant for those requiring higher-level certifications.

Furthermore, there is a lack of clarity around the total cost of compliance. Without clear guidance on the cost of assessments, or the necessary investment required to meet the CMMC 2.0 standards, businesses are left uncertain.

The Defense Department needs to consider providing more support to small and medium enterprises, such as offering grants or subsidies for CMMC 2.0 compliance or creating more streamlined and affordable pathways to certification. This will ensure a diverse and vibrant defense supply chain that balances robust cybersecurity with economic feasibility.

The complexity of CMMC 2.0 also places a significant burden on small and medium-sized enterprises. Though touted as a “simplified” process, CMMC 2.0 remains an intricate web of regulations, technical language and standards that can be difficult for them to navigate without significant cybersecurity expertise or the funds to hire consultants. This is problematic, as it places an undue burden on these companies that are integral to the defense supply chain and stifles the diversity of contractors, potentially narrowing the range of innovative solutions available to the military.

Meanwhile, the most glaring issue with the self-assessment model is the potential for inconsistency and lack of objectivity. The rigor of the assessments could significantly vary depending on a contractor’s understanding of the standards, their willingness to self-correct and their perception of the stringency of the evaluation process. The capacity for each contractor to self-assess objectively is a dicey proposition, with the risk of overestimation or underreporting of their cybersecurity maturity being a significant concern.

Self-assessment could lead to a “check-the-box” mentality, emphasizing compliance more than security. This might encourage a static approach to cybersecurity where contractors meet the minimum standards but fail to proactively seek continuous improvement and innovation in their cybersecurity protocols.

Thus, the dynamic and evolving nature of cyber threats may not be effectively countered under a self-assessment model.

Then there are the overconfident contractors who mistakenly believe that their systems are secure, only to find that they have overlooked or misunderstood critical aspects of the standards. These inadvertent gaps in cybersecurity can serve as entry points for malicious actors, undermining the intended security fortification of the CMMC.

The certification model in CMMC 2.0 assumes an unrealistic level of cybersecurity sophistication across all contractors. With the shift toward self-assessment at the lower levels, CMMC 2.0 relies heavily on the assumption that all contractors share the same understanding and application of the NIST SP 800-171 (and, at Level 3, SP 800-172) requirements, which, while comprehensive, demand in-depth knowledge of complex cybersecurity concepts such as encryption, networking protocols and malware.

As a result, most contractors will hire a cybersecurity professional or engage with a cybersecurity consulting firm that can guide them through the process, adding additional cost to an already costly set of requirements.

CMMC 2.0 also falls short of providing a robust dispute resolution mechanism. Given the complex and highly specific nature of cybersecurity requirements, disputes between contractors and assessors are inevitable. Contractors need an accessible, efficient and fair system to address disagreements. The absence of such a mechanism can lead to prolonged investigations or potentially severe sanctions, both of which can disrupt the business operations of contractors and inadvertently impact defense operations.

The proposed scoring system for CMMC 2.0 is another cause for concern. While the intent to have a consistent and universal measure is understandable, the execution appears flawed. The plan, as it stands, is prone to subjectivity and inconsistency. It may also inadvertently discourage companies from pursuing higher levels of security if they can meet contract requirements at lower levels, potentially creating a culture of compliance rather than proper security.

While the intent behind CMMC 2.0 is commendable, its execution leaves much room for improvement.

Pete Sfoglia, Ph.D., has 26 years of cybersecurity, business process re-engineering and governance and risk and compliance management experience, 20 of those years as a partner at EY, Accenture and Wipro.


Comments (4)

Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

While some may see CMMC as "a well-intentioned misstep," let us not forget that CMMC is the result of a majority of DIB contractors failing to accurately, credibly, and/or properly self-attest to the NIST 800-171 security requirements since 2016. These requirements did not just fall off a truck yesterday, last week, last month or last year. The requirements have been around since 2016 (32 CFR and DFARS 7012) and became a final rule in December 2017 (DFARS 7012). And the majority of contractors (small, medium and large) did nothing. They just waved hands over their contracts and attested they were compliant. In July 2019, an IG audit found that self-attestation (self-inspection) was not working and DoD was not enforcing its own rules. So, here we are today. CMMC 2.0 does not place any new compliance or security requirements on anyone. When CMMC 2.0 is implemented, DIB contractors seeking a Level 2 or 3 (Level 3 not ready yet) certification due to a clause in an awarded DoD contract will need a 3rd-party independent (C3PAO) assessor to determine if they are compliant with NIST 800-171 (the rule since December 2017) because we cannot be trusted to self-attest. Yes, it will have cost. Yes, it will require resources. However, if we had been gradually investing in this since 2017 and doing it right...we might not be here today.

Al Wilson at 5:38 PM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

Cybersecurity and physical security are two of the many important policies and processes that a business must have. A DIB company, especially a small business, can literally go bankrupt trying to maintain the required certifications, processes, enterprise systems, and software needed to weave through all of the Department of Defense and Code of Federal Regulations (CFR) rules. CMMC is just another one of those tasks placed on industry. Certification is not a process that keeps data safe; it is a combination of training, education, and government contract team oversight that gets the job done. The other key factor that must occur is the prosecution of cyber criminals. It is treason and an act of war, in my opinion, to attack our infrastructure, steal our data, and destroy our systems for any reason. It is time our three-letter agencies go after all cybercriminal thugs and seek prosecution to the fullest extent of the law (change the law to get tougher). DIB companies have the responsibility to maintain good, healthy cybersecurity and physical security, but they should not be burdened with costly processes that, like most certifications, do not fix anything. My opinion and my opinion only...

Chuck Petty at 3:52 PM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

CMMC is being propelled by certifiers with direct financial interests in its survival. We need to go back to zero, and realize that in the end, it is all about following the DoD, not IT Information System (IS) side of existing standards, policies, laws and regulations. The cost study repeatedly asked for is exactly where? A quick and cheap means of protecting our data, the prime concern from cyber threats including the insider threat, is using Blockchain code already in place. If one reads the existing Congressional language or the DAF SSECG v5.0, one would discover that the DoD is liable to pay for a contractor trying to implement CMMC in part or in whole (as it is unspecified as such for now). Regardless of one's enterprise or communication modes or staff, existing DoD directives, instructions and DFARS/FARS cover what we need for System Security Plans, Cybersecurity Strategy, and a slew of other service-peculiar cybersecurity authoritative references for IS and NSS alike. The failure to put these existing mandates into contracts, to monitor them, and enforce them with penalties or contract defaults rests with the DoD and USG. The failure of contractors to follow a civil IS standard such as those from NIST (e.g., SP 800-53, -160, -170, ...) is one of business development common sense these days. If the price of doing business with the DoD is complying with these existing NIST standards (they are not requirements) as they already do within their contractual related line items and CDRLs/DIDs, then let's make CMMC by any other name an ISO certification Quality Assurance item. Then the burden is not paying repeatedly for the same things by the DoD during proposal Technical Review, to include the organization's ISO Quality Plan (something the Government pays for in other ways, but which already exists for ISO-certified contractors).
In my opinion, no standard without measurable specifications secures anything, to include NIST SP 800-53 RMF Controls for IS and the CNSSI 1253 Technical Controls for NSS. It is time to do something measurable, cost effective and quickly implemented, and protect the data with a self-monitoring/logging Blockchain implementation as a DoD standard communications mode. Certification of people and organizations has only resulted in a business for certifying bodies with no real gains as seen in practice to date, save for COTS operating systems and software applications.

Joseph Yuna at 3:35 PM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

Without substantial financial backing, level 2 entities are set up for failure, trying to adhere to complex standards that starkly deviate from their core competencies. I've worked with many level 2 SMBs. These folks manufacture highly customized widgets for level 1 primes, and do it well. To their peril, they wouldn't know an IP packet if they tripped over one; and why should they? If the DoD wants to turn these family businesses into digital fortresses, it leaves itself no choice but to pony up.

Pete Sfoglia at 2:21 AM