Assessment guides for auditors will be just one key to ensuring the program doesn’t become a meaningless checklist.
The coming Cybersecurity Maturity Model Certification should be a major boon for verifying practices the defense industrial base self-attests to doing, but if program designers don’t take time to spell out specific requirements, things could all fall apart, cautions the leader of a firm that certifies many of the department’s own security personnel.
“I 100% think that CMMC is the right approach in that it is a step toward holding companies accountable and forcing behavior change,” Simone Petrella, CEO of workforce training and development company CyberVista told Nextgov. “The devil will be in the details of execution on that.”
The Defense Department is expected to release the final CMMC model this week or next. It lays out the required security controls, drawn from a range of standards bodies such as the National Institute of Standards and Technology, across five maturity levels.
The plan is to have independent auditors overseen by a nonprofit accreditation body use the model in conjunction with assessment guides to certify whether contracting hopefuls have achieved the level of security determined appropriate to sufficiently protect data involved in the work to be done.
Petrella says it will be very important for those assessment guides to spell out what evidence is needed to demonstrate conformance with a given maturity level.
In evaluating whether a company has controls, she said she’s been in the position where an auditor may ask, “OK, for control communication system boundaries, do we have domain name service filtering services?”
The official can say “yes, I do, they’re here,” she said, but it is crucial whether the auditor then follows up with questions about whether the service is properly configured, with the appropriate white lists and black lists in place.
“If you're an assessor and you don't know those distinctions, then [the audit] is useless,” Petrella said.
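The distinction Petrella draws, between a control that is present and a control that is configured to do something, is easy to make concrete for the DNS filtering case she cites. The following is an added example, not code from the article or from any CMMC assessment guide: a small, hypothetical DNS filtering policy model with a `decide` function that resolves a query name against allow and block lists, and an `audit` function that raises the kind of finding an assessor would want (an empty block list with a default-allow posture, a wildcard allow entry, or a block rule shadowed by a broader allow rule). The policy format, the precedence rule (allow list checked before block list) and the sample names are all assumptions made for illustration.

```python
"""Check whether a DNS filtering policy actually filters, rather than merely exists.

Added illustration; the policy structure, precedence rule and sample domains are
assumptions made for this example, not from any real product or assessment guide.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DnsFilterPolicy:
    block: set[str] = field(default_factory=set)   # names to refuse to resolve
    allow: set[str] = field(default_factory=set)   # exceptions, checked first
    default_action: str = "allow"                  # action when no rule matches


def _matches(name: str, rule: str) -> bool:
    """True if `rule` covers `name`.

    A rule of "example.com" covers the domain itself and every subdomain;
    a rule of "*" covers everything. Comparison is case-insensitive and
    ignores a trailing dot.
    """
    name = name.rstrip(".").lower()
    rule = rule.rstrip(".").lower()
    if rule == "*":
        return True
    return name == rule or name.endswith("." + rule)


def decide(policy: DnsFilterPolicy, name: str) -> str:
    """Return "allow" or "block" for a single query name.

    Allow-list entries take precedence over block-list entries, which is a
    common (assumed) way of handling exceptions; the audit below shows why
    that precedence makes a broad allow rule dangerous.
    """
    if any(_matches(name, rule) for rule in policy.allow):
        return "allow"
    if any(_matches(name, rule) for rule in policy.block):
        return "block"
    return policy.default_action


def audit(policy: DnsFilterPolicy) -> list[str]:
    """Return findings an assessor would raise; an empty list means no finding."""
    findings: list[str] = []
    if not policy.block and policy.default_action == "allow":
        findings.append("block list is empty and default is allow: nothing is filtered")
    if any(rule.strip() == "*" for rule in policy.allow):
        findings.append("allow list contains '*': every query is allowed before the "
                        "block list is consulted")
    for blocked in sorted(policy.block):
        for allowed in sorted(policy.allow):
            if allowed.strip() != "*" and _matches(blocked, allowed):
                findings.append(f"block rule {blocked!r} is shadowed by broader "
                                f"allow rule {allowed!r}")
    return findings


def checkbox_policy() -> DnsFilterPolicy:
    """Constructed sample: filtering is 'deployed', but an allow-all wildcard
    was added to stop helpdesk tickets, so the block list never fires."""
    return DnsFilterPolicy(block={"malware.example.net"}, allow={"*"})


def effective_policy() -> DnsFilterPolicy:
    """Constructed sample: a narrow exception and a block rule that still applies."""
    return DnsFilterPolicy(block={"malware.example.net"},
                           allow={"updates.vendor.example"})


if __name__ == "__main__":
    for label, policy in (("checkbox", checkbox_policy()),
                          ("effective", effective_policy())):
        print(label, decide(policy, "c2.malware.example.net"), audit(policy))
```

Both sample policies would let an auditor tick “DNS filtering present”; only the second one blocks the sample query, and only the first produces an audit finding. The point is that the evidence an assessment guide asks for needs to be the configuration and its effect, not the existence of the service.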
Stakeholders observing the development of CMMC note a related, major obstacle implementers will face: the industry's infamous workforce shortage.
The department has recognized an inherent conflict of interest involved in entities serving as CMMC third-party assessment organizations also providing products or services to potential contractors. Companies can audit or they can sell their services, but the department won't let them do both.
Petrella agrees that many of the people skilled in supplying cybersecurity as a service, and in helping organizations put the necessary controls in place, are the ones who might be best suited to perform CMMC assessments.
“It's hard to imagine that there will be a universe of people left,” Petrella said, pointing to a current 350,000-person cybersecurity workforce gap in the U.S.