CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

By Pete Sfoglia


The Defense Department rollout of the Cybersecurity Maturity Model Certification, or CMMC, 2.0 was met with much fanfare and anticipation.

Designed to simplify the certification process and ensure that contractors meet a baseline cybersecurity standard, it was intended to improve upon CMMC 1.0. Despite these intentions, the new version has shortcomings that could undermine its objectives and its efficacy.

A significant area of contention is the potential cost of certification, which might disproportionately affect small- to medium-sized enterprises.

To meet the standards underlying CMMC 2.0, the security requirements of NIST SP 800-171 at Level 2 and a subset of NIST SP 800-172 at Level 3, organizations may have to invest significantly in upgrading their systems, training their staff and maintaining their certification.

In addition, the cost of implementing the necessary cybersecurity measures could be prohibitive, especially for companies with limited resources.

The financial strain extends beyond merely achieving certification. Businesses also face the cost of maintaining compliance in an environment where cyber threats continually evolve. This could require further investment in technology, staffing and training.

In addition, the prohibitive cost of certification could lead to smaller organizations being squeezed out of the defense supply chain, which may, in turn, affect competition and innovation.

The CMMC 2.0 framework also calls for periodic external assessments for higher-level certifications: Level 2 contractors handling prioritized controlled unclassified information must be assessed by a certified third-party assessment organization (C3PAO) every three years, and Level 3 is assessed by the government. The cost of these assessments is another financial hurdle companies must clear. While the move toward self-assessment at Level 1, and for a subset of Level 2 contracts, may mitigate this burden for some, the financial implications could be significant for those requiring third-party or government assessment.

Furthermore, there is a lack of clarity around the total cost of compliance. Without clear guidance on the cost of assessments, or on the investment required to meet the CMMC 2.0 standards, businesses are left to budget in the dark.

The Defense Department needs to consider providing more support to small and medium enterprises, such as offering grants or subsidies for CMMC 2.0 compliance or creating more streamlined and affordable pathways to certification. This will ensure a diverse and vibrant defense supply chain that balances robust cybersecurity with economic feasibility.

The complexity of CMMC 2.0 also places a significant burden on small and medium-sized enterprises. Though touted as a “simplified” process, CMMC 2.0 remains an intricate web of regulations, technical language and standards that can be difficult for them to navigate without significant cybersecurity expertise or the funds to hire consultants. This is problematic, as it places an undue burden on these companies that are integral to the defense supply chain and stifles the diversity of contractors, potentially narrowing the range of innovative solutions available to the military.

Meanwhile, the most glaring issue with the self-assessment model is the potential for inconsistency and lack of objectivity. The rigor of the assessments could significantly vary depending on a contractor’s understanding of the standards, their willingness to self-correct and their perception of the stringency of the evaluation process. The capacity for each contractor to self-assess objectively is a dicey proposition, with the risk of overestimation or underreporting of their cybersecurity maturity being a significant concern.

Self-assessment could lead to a “check-the-box” mentality, emphasizing compliance more than security. This might encourage a static approach to cybersecurity where contractors meet the minimum standards but fail to proactively seek continuous improvement and innovation in their cybersecurity protocols.

The dynamic and evolving nature of cyber threats may therefore not be effectively countered under a self-assessment model.

Then there are the overconfident contractors who mistakenly believe that their systems are secure, only to find that they have overlooked or misunderstood critical aspects of the standards. These inadvertent gaps can serve as entry points for malicious actors, undermining the protection CMMC is intended to provide.

The certification model in CMMC 2.0 assumes an unrealistic level of cybersecurity sophistication across all contractors. With the shift toward self-assessment at lower levels, CMMC 2.0 relies heavily on the assumption that all contractors share the same understanding and application of NIST SP 800-171 and 800-172, which, while comprehensive, require in-depth knowledge of complex cybersecurity concepts such as encryption, networking protocols and malware.

As a result, most contractors will hire a cybersecurity professional or engage with a cybersecurity consulting firm that can guide them through the process, adding additional cost to an already costly set of requirements.

CMMC 2.0 also falls short of providing a robust dispute resolution mechanism. Disputes are inevitable, given the complex and highly specific nature of cybersecurity requirements. Contractors need an accessible, efficient and fair system to address disagreements. The absence of such a mechanism can lead to prolonged investigations or potentially severe sanctions, both of which can disrupt the business operations of contractors and inadvertently impact defense operations.

The proposed scoring system for CMMC 2.0 is another cause for concern. While the intent to have a consistent and universal measure is understandable, the execution appears flawed. The plan, as it stands, is prone to subjectivity and inconsistency. It may also inadvertently discourage companies from pursuing higher levels of security if they can meet contract requirements at lower levels, reinforcing a culture of compliance rather than genuine security.

While the intent behind CMMC 2.0 is commendable, its execution leaves much room for improvement.

Pete Sfoglia, Ph.D., has 26 years of experience in cybersecurity, business process re-engineering, and governance, risk and compliance management, 20 of those years as a partner at EY, Accenture and Wipro.


Comments (7)

Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

While some may see CMMC as "a well-intentioned misstep," let us not forget that CMMC is the result of a majority of DIB contractors failing to accurately, credibly, and/or properly self-attest to the NIST 800-171 security requirements since 2016. These requirements did not just fall off a truck yesterday, last week, last month or last year. The requirements have been around since 2016 (32 CFR and DFARS 7012) and became a final rule in December 2017 (DFARS 7012). And the majority of contractors (small, medium and large) did nothing. They just waved hands over their contracts and attested they were compliant. In July 2019, an IG audit found that self-attestation (self-inspection) was not working and DoD was not enforcing its own rules. So, here we are today. CMMC 2.0 does not place any new compliance or security requirements on anyone. When CMMC 2.0 is implemented, DIB contractors seeking a Level 2 or 3 (Level 3 not ready yet) certification due to a clause in an awarded DoD contract will need a third-party independent (C3PAO) assessor to determine if they are compliant with NIST 800-171 (the rule since December 2017) because we cannot be trusted to self-attest. Yes, it will have cost. Yes, it will require resources. However, if we had been gradually investing in this since 2017 and doing it right... we might not be here today.

Al Wilson at 5:38 PM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

Cybersecurity and physical security are two of the many important policies and processes that a business must have. A DIB company, especially a small business, can literally go bankrupt trying to maintain the required certifications, processes, enterprise systems, and software needed to weave through all of the Department of Defense and Code of Federal Regulations (CFR) rules. CMMC is just another one of those tasks placed on industry. Certification is not a process that keeps data safe; it is a combination of training, education, and government contract team oversight that gets the job done. The other key factor that must occur is the prosecution of cyber criminals. It is treason and an act of war, in my opinion, to attack our infrastructure, steal our data, and destroy our systems for any reason. It is time our three-letter agencies go after all cybercriminal thugs and seek prosecution to the fullest extent of the law (change the law to get tougher). DIB companies have the responsibility to maintain good, healthy cybersecurity and physical security, but they should not be burdened with costly processes that, like most certifications, do not fix anything. My opinion and my opinion only...

Chuck Petty at 3:52 PM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

The missteps alluded to are from lousy program office requirements and oversight within the existing AAF DIDs and CDRLs and numerous meetings and inspections. 51 years of designing, maintaining, operating and assessing DoD systems in and out of uniform says this CMMC is not needed, as it is currently more processes we do not need, and ignores the current DoD AAF authoritative sources and contractual language we have had in place. NIST standards are not the answer; RMF has proven that too many times in the past. INFOSEC, and physical and facility security, are already delineated without reverting to some committee of non-practitioners of the AAF process in NIST. We need to go back to "zero," protect the data without intruding on proprietary systems (if one does not understand how one can do that, then CMMC should not be in your area of responsibility), and write requirements in contracts as we once did prior to Gulf War I and during the Cold War. The costs of using COTS, and putting mission critical functions and data on normal business systems without even considering the ERP and MRP systems used to generate the data that CMMC is to protect, is indicative that we have the wrong people in the DoD and are not listening to the NDIA working group, who to date have provided common sense recommendations that this draft proposal ruling seems to have blown off. Note that in current FARS, if a program is faltering in implementing CMMC, the costs become the DoD's... but no one reads the 127 Security and Cybersecurity documents and keeps making up new guidance and acronyms and processes as time marches on. Pete is right on target... you get what you ask and pay for, and the costs of CMMC are simply outrageous when simpler solutions are already at hand. As far as certified people are concerned, the GAO has proven, just like RMF, that it has protected and improved nothing.
Back to the basics of time-proven systems engineering, whether for NSS or IS; it is all the same to this 51-year career defense professional.

Joe Yuna at 6:20 PM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

A quick review of the currently required documents and artifacts CMMC will affect says we need to put our collective Cybersecurity and AAF heads together, and ensure we streamline CMMC compliance and that the current regulatory, statutory and service/system required acquisition documentation is identified, and all revised to reflect this massive change in how we manage INFOSEC, Physical Security and the AAF Cybersecurity directives, instructions, memorandums, and guidebooks/handbooks currently in existence. Whatever we do for the defense contractors affects the Defense side of this Cybersecurity equation. Add in these costs, required resources and timelines for all of their implementation, and to reduce the amount of existing shelf-ware being asked for and often not formally delineated within the services already, I propose we consolidate the CMMC effort and requirements within the DoD and military services, and revise the current PPIP/PPP and SSP to reflect all of these changes before stepping out with this expensive initiative. When I looked at a supply chain with vendors and suppliers and manufacturers for a few simple Critical Components, the supply chain extended into major US organizations such as Ford that are doing business with our adversaries, hence using the same components as we do in our National Security Systems (NSS) and IT Information Systems (IS). How do we handle or penalize the source of risks such as Ford introduces through its supply chain into ours? Aside from NARA and the costs of CUI and its own discombobulated implementation between defense programs, as to what is CUI, and the variances of CTI and its CTE, CMMC will impact more than just the defense contractors, large to small. Do we truly have the Big Picture for CMMC, as we did not have before jumping onto the NARA CUI compliance bandwagon?
I defer to far smarter DoD and NDIA SMEs than myself for their views and thoughts on how to make CMMC cost effective and its impacts to existing DoD authoritative sources coincidental rather than accidental.

Joseph D Yuna at 11:56 AM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

CMMC is being propelled by certifiers with direct financial interests in its survival. We need to go back to zero, and realize that in the end, it is all about following the DoD, not IT Information (IS), side of existing standards, policies, laws and regulations. The cost study repeatedly asked for is exactly where? A quick and cheap means of protecting our data, the prime concern from cyber threats including the insider threat, is using blockchain code already in place. If one reads the existing Congressional language or the DAF SSECG v5.0, one would discover that the DoD is liable to pay for a contractor trying to implement CMMC in part or in whole (as it is unspecified as such for now). Regardless of one's enterprise or communication modes or staff, existing DoD directives, instructions and DFARS/FARS cover what we need for System Security Plans, Cybersecurity Strategy, and a slew of other service-peculiar Cybersecurity authoritative references for IS and NSS alike. The failure to put these existing mandates into contracts, to monitor them, and enforce them with penalties or contract defaults rests with the DoD and USG. The failure of contractors to follow a civil IS standard such as those from NIST (e.g., SP 800-53, -160, -170, ...) is one of business development common sense these days. If the price of doing business with the DoD is complying with these existing NIST standards (they are not requirements) as they already do within their contractual related line items and CDRLs/DIDs, then let's make CMMC, by any other name, an ISO certification Quality Assurance item. Then the burden is not paying repeatedly for the same things by the DoD during proposal Technical Review, to include the organization's ISO Quality Plan (something the Government pays for in other ways, but already exists for ISO-certified contractors).
In my opinion, no standard without measurable specifications secures anything, to include NIST SP 800-53 RMF controls for IS and the CNSSI 1253 technical controls for NSS. It is time to do something measurable, cost effective and quickly implemented and protect the data with a self-monitoring/logging blockchain implementation as a DoD standard communications mode. Certification of people and organizations has only resulted in a business for certifying bodies with no real gains as seen in practice to date, save for COTS operating systems and software applications.

Joseph Yuna at 3:35 PM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

Dr. Pete Sfoglia is right on target. The cost-to-benefit ratio of CMMC is exactly what? The benefit of even Microsoft and CISSP certifications has been exactly what? The contractual use of any of these IS (IT Information Systems) standards without real measurable specifications, other than another series of checklists, has been what? For National Security Systems (NSS) that are Cyber-Physical Systems (CPS), the use of these IS standards has been exactly what? We cannot even have access to major defense contractors' databases for parts, let alone oversight or legal precedence to mandate, let alone control, other than USG and DoD systems. Protecting the data and using the existing INFOSEC, Physical Security and Personnel Security clearance processes and rules would be a great start to thwart threats we can see and know have happened in the past and are experiencing now. My proposed solution is for the DoD to host the IS we use for Defense Business Systems that support our IS and NSS development and indirect labor processes and reports and data warehousing. Let the DoD control and secure the data warehouses and applications we use currently through DoD communication pipes. That not only guarantees Cybersecurity with reduced costs to programs overall within the DoD, but allows small- to mid-sized companies to use, without implementation, whatever levels and means of Cybersecurity we feel we need now and in the future. Also, the question of data rights for failing weapon systems we cannot even support from the field 24 hours a day must stop. We managed similar systems by paper in the past, but no longer, due to some misconceptions that the USG and DoD cannot handle Cybersecurity or reduce costs for the required licensed software and services? And standards are just that. Without specifications they are useless for engineering, test and sustainment purposes.
We have been led down the Yellow Brick Road by Cybersecurity SMEs heavily invested in RMF, and when we now pull back the curtain, we see a failing old approach posing as the all-seeing solution to all of our Cybersecurity needs. Our current state of Cybersecurity, and esp. Cyber Engineering posture, as reported too many times by the GAO, says it is time for breaking free of the current paradigms and finding another cost- and performance-effective means of providing Cybersecurity for DoD contractors and their sub-contractors, and esp. throughout the DoD supply chain, and fast. Anyone who works outside of a certification or standards body knows the knowledge levels of our backbone mom-and-pop owned businesses, their expertise and their means of learning what we now expect them to know, let alone implement. Instead of spreading these costs and mandates across all, let the DoD and USG (an even bigger problem) host the secure systems and services to realize what we are struggling to do now.

Joseph Yuna at 1:21 PM
Re: CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

Without substantial financial backing, level 2 entities are set up for failure, trying to adhere to complex standards that starkly deviate from their core competencies. I've worked with many level 2 SMBs. These folks manufacture highly customized widgets for level 1 primes, and do it well. To their peril, they wouldn't know an IP packet if they tripped over one; and why should they? If the DoD wants to turn these family businesses into digital fortresses, it leaves itself no choice but to pony up.

Pete Sfoglia at 2:21 AM