CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity
The Defense Department rollout of the Cybersecurity Maturity Model Certification, or CMMC, 2.0 was met with much fanfare and anticipation.
Designed to simplify the certification process and ensure that contractors meet a basic cybersecurity standard, it was intended to improve upon CMMC 1.0. However, despite these intentions, the new version has many issues that can potentially undermine its objectives and efficacy.
A significant area of contention is the potential cost of certification, which might disproportionately affect small- to medium-sized enterprises.
To meet the standards required by CMMC 2.0’s underlying NIST SP 800-171/172 Cybersecurity Framework, organizations may have to invest significantly in upgrading their systems, training their staff and maintaining their certification.
In addition, implementing the necessary cybersecurity measures could be prohibitive, especially for companies with limited resources.
The financial strain extends beyond merely achieving certification. Businesses also face the cost of maintaining compliance in an environment where cyber threats continually evolve. This could require further investment in technology, staffing and training.
In addition, the prohibitive cost of certification could lead to smaller organizations being squeezed out of the defense supply chain, which may, in turn, affect competition and innovation.
The CMMC 2.0 framework also calls for periodic third-party assessments for higher-level certifications. However, the cost of these audits is another financial hurdle companies must clear. While the move toward more self-assessments at lower levels may help mitigate this burden for some, the financial implications could be significant for those requiring higher-level certifications.
Furthermore, there is a lack of clarity around the total cost of compliance. Without clear guidance on the cost of assessments, or the necessary investment required to meet the CMMC 2.0 standards, businesses are left uncertain.
The Defense Department needs to consider providing more support to small and medium enterprises, such as offering grants or subsidies for CMMC 2.0 compliance or creating more streamlined and affordable pathways to certification. This will ensure a diverse and vibrant defense supply chain that balances robust cybersecurity with economic feasibility.
The complexity of CMMC 2.0 also places a significant burden on small and medium-sized enterprises. Though touted as a “simplified” process, CMMC 2.0 remains an intricate web of regulations, technical language and standards that can be difficult for them to navigate without significant cybersecurity expertise or the funds to hire consultants. This is problematic, as it places an undue burden on these companies that are integral to the defense supply chain and stifles the diversity of contractors, potentially narrowing the range of innovative solutions available to the military.
Meanwhile, the most glaring issue with the self-assessment model is the potential for inconsistency and lack of objectivity. The rigor of the assessments could significantly vary depending on a contractor’s understanding of the standards, their willingness to self-correct and their perception of the stringency of the evaluation process. The capacity for each contractor to self-assess objectively is a dicey proposition, with the risk of overestimation or underreporting of their cybersecurity maturity being a significant concern.
Self-assessment could lead to a “check-the-box” mentality, emphasizing compliance more than security. This might encourage a static approach to cybersecurity where contractors meet the minimum standards but fail to proactively seek continuous improvement and innovation in their cybersecurity protocols.
Thus, cyber threats’ dynamic and evolving nature may not be effectively countered under a self-assessment model.
Then there are the overconfident contractors who mistakenly believe that their systems are secure, only to find that they have overlooked or misunderstood critical aspects of the standards. These inadvertent gaps in cybersecurity can serve as entry points for malicious actors, undermining the intended security fortification of the CMMC.
The certification model in CMMC 2.0 assumes an unrealistic level of cybersecurity sophistication across all contractors. With the shift towards self-certification for lower levels, CMMC 2.0 heavily relies on the assumption that all contractors have the same understanding and application of NIST SP 800-171/172 Cybersecurity Framework, which, while comprehensive, requires in-depth knowledge or complex cybersecurity concepts like encryption, networking protocols and malware.
As a result, most contractors will hire a cybersecurity professional or engage with a cybersecurity consulting firm that can guide them through the process, adding additional cost to an already costly set of requirements.
CMMC 2.0 also falls short of providing a robust dispute resolution mechanism. Disputes are inevitable, given cybersecurity protocols’ complex and highly specific nature. Contractors need an accessible, efficient and fair system to address disagreements. The absence of such a mechanism can lead to prolonged investigations or potentially severe sanctions, both of which can disrupt the business operations of contractors and inadvertently impact defense operations.
The proposed scoring system for CMMC 2.0 is another cause for concern. While the intent to have a consistent and universal measure is understandable, the execution appears flawed. The plan, as it stands, is prone to subjectivity and inconsistency. It may also inadvertently discourage companies from pursuing higher levels of security if they can meet contract requirements at lower levels, potentially creating a culture of compliance rather than proper security.
While the intent behind the CMMC 2.0 is commendable, its execution leaves much room for improvement. ND
Pete Sfoglia, Ph.D., has 26 years of cybersecurity, business process re-engineering and governance and risk and compliance management experience, 20 of those years as a partner at EY, Accenture and Wipro.