Frank Kendall fires a shot across the bow of CMMC

The CMMC [Cybersecurity Maturity Model Certification] Accreditation Body’s website shows an estimate that there will need to be 10,000 licensed Assessors trained and working full time to conduct assessments, which are supposed to require renewal every three years. The Accreditation Body website also indicates that there are 350,000 firms that will have to be assessed. The cost of this new bureaucratic edifice will be carried by the contractors who desire to do business with the Department. They will have to pay the licensed Assessors to do the assessments, setting up a direct conflict of interest, a new barrier to entry for non-defense firms, and a cost that will ultimately be passed on to the Defense Department.


… The lawyer in me sees all sorts of possibilities for both mischief and disputes to arise. This is not a trivial matter. When an Assessor effectively tells a business that it is not allowed to bid on a government contract it may have been preparing to bid on for months if not years, people are going to get upset, very upset. The list of possible disputes is long – where and how will they be resolved? Who will absorb the litigation risk for the Authorization Board, the Accredited Organizations, or the licensed Assessors? What legal accountability will anyone in this new structure have for its actions – to either the government or to affected parties? No one knows.

That was from a provocative Forbes article by former USD(AT&L) Frank Kendall, “Cybersecurity Maturity Model Certification: An Idea Whose Time Has Not Come And Never May.”

Mark Hijar points out that if just 1,000 out of 350,000 contractors take CMMC AB to court in a year — and if they are unsuccessful but cost a low-ball $100,000 each — then where is the CMMC AB going to get $100 million in legal costs?

A couple of other problems.

(1) If a CMMC level 5 firm like Lockheed or Northrop — the highest cyber requirement level — is the prime on a contract, and they want to use digital engineering with their supplier base, does that mean all their subcontractors integrated into the digital design process would also need CMMC level 5? Currently, only a tiny percentage of firms are expected to require CMMC Levels 4 or 5. But it’s not clear what triggers (e.g., sharing digital engineering environment) would force subcontractors onto higher CMMC levels.

(2) A large firm may be able to pay for CMMC and get it quickly reimbursed as an allowable cost under existing contracts. But small firms and new entrants would have to absorb the cost before winning new work — with reimbursement perhaps a dubious proposition. And would the reimbursement come as a separate CLIN on the contract, or result in higher overhead rates? Since it’s a government requirement, nontraditional firms would need to implement detailed cost accounting systems as well to keep the CMMC costs separate and charge it back only to their government contracts — and you can be sure those costs will be challenged.

The fact that CMMC certifications are provided by licensed third parties doesn’t just raise a conflict-of-interest problem. It also means that a fair amount of the process is written documentation about issues like incident response. This is subjective, and may coalesce into a bunch of check-the-box processes that have only the appearance of security.

The worst outcome of CMMC is that it falls apart due to its structural design. Cybersecurity should be a top priority. I’ve written in a couple of places about how we can build resilience into our systems (e.g., here, here, and here).

A proposal.

The CMMC AB released an RFP for continuous monitoring. It states the basic activities will be:

  1. Non-intrusive (not a penetration test) review and analysis of company internet traffic on the public domain.
  2. Analysis of traffic that is on the public domain only.

I understand why CMMC AB would stick with non-intrusive monitoring. A number of hard questions arise when it comes to intrusion. And detailed testing is to be done by the licensed assessors.

But rather than having 10,000 licensed assessors going around and getting paid by the firms needing to be certified, why not have 10,000 white-hat hackers? Why not build capabilities in cybersecurity itself rather than evaluation and litigation? Why not make the continuous monitoring program the program?

CMMC could alternatively look like deploying white-hat hackers on our own industrial base. There are many ways to implement it. Perhaps there is a self-funded pool generated by penalties/rewards for incidents. Perhaps the government funds a formal program so as not to penalize industry. In any case, it would build a new capability that could quickly be turned on an enemy should it be needed.

In any complex and distributed system, there will be points of failure or weakness. No process can perfect that. So why not build incident detection and response into the broader organizational system? Generating incidents and testing the response exposes weaknesses that can be worked out collaboratively.

1 Comment

  1. Frank,

    Excellent article and a topic that my company itSM Solutions along with the CMMC Center of Excellence (CMMC:COE) and a global network of industry thought leaders have been working on for a while.

    While the CMMC:AB has been focused on standing up a network of assessors, we have been standing up a program that will help the DIB get its People, Processes and Technologies ready for CMMC Certification. Our CMMC-Academy program is designed to teach the DIB “HOW TO” engineer, operationalize and continually improve a cybersecurity risk management program based on NIST 800-171. The program provides them the option to learn how to do it themselves or work with their favorite consultant or MSSP to do it for them.

    We have designed the program to enable the DIB to put in place “a system” that enables them (or their favorite consultant or MSSP) to put in place the best practice security controls (NIST, ISO etc.) and management systems that will enable them to manage their cybersecurity risk in real time, while providing the CMMC:AB Assessors with real-time access to a Governance dashboard that will enable them to verify CMMC Compliance on a continuous or as-needed basis.

    We have priced the system so that it is affordable regardless of how they procure it. We have also created a model that we believe the DIB could use as a basis to bill the cost (or part of it) of the system back to the DoD, as it is designed to deliver outcomes for both the DIB and DOD.

    Finally, we are working with the CMMC:COE and Capital Technology University to stand up an Education & Training working group and a Body of Knowledge that will enable both the DIB and DOD to benefit from lessons learned from the various DIB sectors.

    The Pillars of our CMMC-Academy program are listed below:

    1. Training & Certification with Tier 1 Mentoring
    The CMMC-Academy NCSP 800-171 certification training program provides the DIB access to accredited and recognized (APMG International, NCSC/GCHQ, DHS) 800-171/CMMC Practitioner and Specialist certification training programs that teach the DIB how to design, implement, operate and continually improve an 800-171 program capable of being CMMC certified.

    2. Automation Platforms with Tier 1 Support
    The CMMC-Academy NCSP 800-171 online assessment, program management and audit functions will be performed via the CyberStrong Program Management platform. This approach will enable the DIB to quickly scale adoption by using a standard 800-171/CMMC program management tool to assess, audit and continually manage and improve its cybersecurity program. The tool will automatically deliver an SSP and POAM that can be used by the CMMC:AB certified auditors for verification of capabilities.

    3. CMMC Workforce
    The CMMC-Academy NIST 800-171 online staffing program will provide DIB members access to the consulting and implementation resources they may need to assist in the engineering, operations and internal auditing of their 800-171/CMMC program. Our goal is to staff this program with retired or transitioning veterans along with job changers and exceptional rookies graduating from High Schools and other Higher Education institutions.