DOD Officials, Cybersecurity Accreditation Partners Struggle with the China Question

The Defense Department and the accreditation body charged with implementing its Cybersecurity Maturity Model Certification aren’t clear on a plan to deal with contractors that have a significant portion of their supply chains based in China, according to a DOD official. 

The department launched the CMMC to ensure the contractors it buys goods and services from adhere to specific cybersecurity requirements that must be verified by an independent third-party auditor. As officials develop the program, they’re tackling the hot-button issue of suppliers’ country of origin. 

On Wednesday, the Government Accountability Office released its annual review of DOD’s acquisitions practices, noting “inconsistent implementation of leading software practices and cybersecurity measures among [major defense acquisition program]s.”

“DOD acquisition programs are more software-driven than ever before,” the comptroller general wrote in an introductory letter in the report to Congress. “Timely development and delivery of software capability is now often paramount to a program’s success. Nonetheless, we found that software development continues to be a stumbling block in many programs, as DOD often departs from the proven practices on which commercial industry relies. These challenges also occur in an environment where DOD faces global cybersecurity threats to its weapon and IT systems, but has made only limited progress to date in identifying and eliminating its vulnerabilities.” 

The Defense Department acknowledged these shortcomings in a letter appending the report. CMMC is supposed to be part of a cultural shift to address the inclusion of cybersecurity at every step in the process, Katie Arrington, chief information security officer for the defense acquisitions office has said, noting policy updates the department has made to its acquisitions framework.  

As all eyes are on the program, some stakeholders have expressed concern about what it will mean for industries that have become reliant for technology and services from China, which the U.S. increasingly views as an adversarial nation. 

During a webcast Nextgov hosted Thursday on securing government supply chains in a global ecosystem, Stacy Bostjanick, director of cybersecurity policy for the Defense Intelligence Agency, said this is still very much an open question. 

“Our anticipation is that if there is an overseas entity that needs to hold [controlled unclassified information], that we would definitely have a team that would be able to go over and evaluate their network,” she said, noting that depending on the country there might even be in-country teams.

Bostjanick said the CMMC accreditation body is currently working through a process of establishing bilateral agreements to facilitate the program in allied countries, but that when it comes to China, there are complications to consider. She cited laws compelling Chinese companies to share information with their government. 

“We have not endeavored to start having a relationship with China and the CMMC,” she said. “That’s going to have to be something that’s going to have to be looked at and evaluated very carefully. Because of the laws in those countries, it’s going to be very difficult to navigate those waters when it comes to allowing Chinese companies to have control of controlled unclassified information. So no, we haven’t figured our way through that quite yet.”  

In the meantime, the accreditation body is moving right along with other aspects of the program. 

The group has issued two new requests for information toward acquiring organizations that would help manage the licensing of training partners and conduct examinations for prospective assessors. Responses to both RFIs are due June 10.   

Accreditation Body board member Mark Berman told Nextgov the group is looking forward to opening a portal for those interested in becoming CMMC auditors to register “early next week.” 

During a recent recording the accreditation body published, Jeff Dalton, chairman of the credentialing committee, said the group is now shifting work to defining the assessment methodology.

But while the officials from the DOD and the CMMC accreditation have stressed a need to remove conflicts of interest by barring providers of cybersecurity products and services from acting as official assessors, Dalton said there’s still uncertainty over where those lines will be drawn. 

It’s still not clear yet whether CMMC third-party accreditation organizations will be able to do “readiness assessments” or consulting with “gap analyses,” for example, he said. “There’s a lot of gray area there that we’re going to have to wade into.”

RELATED PODCAST