It is not about compliance, or is it?
By Carter Schoenberg, CISSP & CMMC Registered Practitioner, Vice President – Cybersecurity, SoundWay Consulting, Inc.
As of the date of this publication, new requirements for U.S. Defense Contractors are in play. The days of addressing cybersecurity requirements with “it doesn’t apply to me” are officially over. In case you missed it, there are four letters that should have you standing up and taking notice: CMMC. To start with, what exactly is CMMC? The Cybersecurity Maturity Model Certification (aka CMMC) is a new and comprehensive framework that will dictate future awards made by the U.S. Department of Defense. This framework is managed by a non-government entity known as the CMMC Accreditation Body (AB) and is fully supported by the highest levels of U.S. Department of Defense (DOD) leadership.
Starting back in 2017, requirements to meet the 110 security controls described in National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations,” were included in formal solicitations under the Defense Federal Acquisition Regulation (DFAR). Unfortunately, procurement officials generally covered this requirement with a single sentence in solicitations and relied upon self-attestation. Since that time, the F35 Strike Fighter technical designs, Naval defensive electronics on sea vessels, and arguably the largest release of malware created for offensive operations by the National Security Agency have all been compromised due to poor cyber hygiene by U.S. Government Contractors (GovCons).
Whether we like it or not, the U.S. Government is justified in taking the position that “enough is enough” and is now forcing all, let me say that again, ALL GovCons seeking work with the DOD to demonstrate adequate cyber hygiene. These efforts are spearheaded by Ms. Katie Arrington. As described by Ms. Arrington, the Government is taking a crawl, walk, run approach toward the formal implementation of CMMC. CMMC has five maturity levels, starting with Maturity Level 1, which requires demonstrating that 17 practices (security safeguards) are implemented. Starting around June 2021, it is estimated that 15 contracts will be issued, impacting 1500 GovCons, and this will ramp up to all engagements no later than FY2026. This is all contingent upon formal adoption within the DFAR.
To make matters even more interesting, the interim DFAR rule explicitly states that, as of December 1, 2020, a large number of GovCons must immediately report to the Government their current status toward conforming with NIST SP 800-171. If the level of accuracy of self-attestations seen previously is any indicator, there is a likelihood that GovCons may be inclined to fudge the results, because who at the Defense Department is really going to police the results, right? WRONG! Misrepresenting the results has two significant consequences. One is well defined by industry stakeholders and one is being overlooked. The first is what is known as the False Claims Act. This is actually a criminal investigation under the direction of the Justice Department and targets individuals (CEOs, Boards of Directors). The second is under the Federal Trade Commission (FTC) as a Title 15 violation for unfair and deceptive business practices and can result in heavy financial sanctions.
The Government is socializing the message that its goal is not to create a compliance mandate but rather to foster the adoption of actual cybersecurity best practices in a way that strengthens the GovCon. Whether you are Maturity Level 1 or even Level 5, two forms of objective evidence will be required as proof of adoption of the practices and processes defined within CMMC. That sounds a lot like a compliance initiative. Instead of the term “audit,” the CMMC nomenclature uses the term “assessment.”
If you have been through a FISMA, CMMI, ISO, PCI, or other audit where objective evidence is required as proof of meeting the standard, this exercise is academically no different. There is one caveat. Once Maturity Level 3 applies (the GovCon receives or creates CUI), simply having safeguarding controls and appropriate policies & procedures is not enough. It is incumbent on the GovCon to demonstrate that they are all “managed.” What does that mean? Think of it as “operationalizing” these best practices into your core daily business operations. From there, you advance to Maturity Level 4, which requires everything from Levels 1-3 plus the ability to demonstrate that everything is “reviewed” at least annually. Then, at Maturity Level 5, you must be able to demonstrate that your organization is optimizing the aforementioned practices and processes.
If you are already ISO 27001 certified, congratulations – it is no longer enough. If you are CMMI Level 3 Certified, congratulations – it too is no longer enough. What about FedRAMP? That too is no longer enough.
To date, the DOD is stating that holding your formal certification is not required to bid, only at the time of award. The Government and the CMMC-AB estimate you should allow yourself a 6-month window to prepare for Maturity Level 3 and higher. Having performed almost 40 of these types of assessments for the Government and Industry, I believe GovCons would be wise to project an 8- to 10-month runway. These presumptions are also problematic because the average award timeline is approximately 120 calendar days. Even if the 6-month preparation estimate is correct, that still leaves a delta of two months. This essentially means that a failure to hold certification prior to submitting your proposal for Maturity Level 3 and higher will likely result in somebody else receiving the award.
For GovCons that are micro-size entities with home-based offices, you should consider the strong likelihood that your home will actually be inspected, even at Maturity Level 1.
It is important to note that if you are a GovCon you should:
- Take immediate steps toward CMMC preparation at Maturity Level 1, with the understanding that you will likely be required to hold a Level 3 rating within a year or so.
- Carefully review the specifications of the requirements in CMMC.
- Do not take the position that you are in good shape because your IT guy told you so.
- Do not take the position this framework will go away with the new administration.
- Do seek out Registered Provider Organizations that have licensed Registered Practitioners authorized by the CMMC Accreditation Body.
- Understand this framework is a work in progress and will continue to evolve as the cyber threat landscape evolves.
One last noteworthy point is that there are a number of industry stakeholders continuously trying to find fault with the CMMC-AB and Ms. Arrington. Taking this approach is like waving at the train when it has already left the station. ALL ABOARD!
About the Author
Carter Schoenberg is the Vice President of Cybersecurity at SoundWay Consulting. Carter has over 20 years’ experience supporting Government and Industry stakeholders and is a subject matter expert on the Cybersecurity Maturity Model Certification (CMMC), cyber investment strategies, and reducing organizational exposure to harm from cyber liabilities. His work products have been used by DHS, DOD, NIST, and the ISAC communities.
Carter can be reached online at email@example.com and through www.soundwayconsulting.com or the CMMC Marketplace