CMMC Official Backs Light-touch Option for Continuous Monitoring of Defense Contractors’ Cybersecurity
The Pentagon’s certification program is looking for a way to keep tabs on companies during the three-year intervals between independent audits.

The accreditation body responsible for certifying companies’ adherence to the Defense Department’s coming Cybersecurity Maturity Model Certification program is deliberating over a partner to continuously monitor contractors’ cybersecurity posture, and sympathizes with industry leaders who are hoping a light-touch approach will win.

Under the CMMC, Defense contractors will have to renew their certifications every three years.

“That’s a snapshot in time, there’s a whole bunch of things that can happen in that three-year period,” said Chris Golden. “Companies can go from 100% on-[premises] to 100% cloud, there could be a complete changeover in leadership, they could move operating we have to have some mechanism to give us an idea of what is going on inside the firewall without putting an agent on their networks because, frankly, most companies would not allow that.”

Golden is a member of the board for the CMMC Accreditation Body. He spoke Wednesday during a webinar hosted by the security ratings company SecurityScorecard, which seems to fit Golden’s description of a desired continuous monitoring solution.

Steve Shirley, the executive director of the National Defense Information Sharing and Analysis Center and vice chair of the Defense Industrial Base Sector Coordinating Council; Jennifer Gillespie, a senior associate for information services governance with Booz Allen Hamilton; and Robert Knake, a senior fellow for cyber policy at the Council on Foreign Relations and a former director of cybersecurity policy on President Obama’s National Security Council, also participated in the event.

With a rule change to Defense acquisition regulations expected in the fall, contractors handling information with a certain level of sensitivity will have to undergo an independent audit to ensure their cybersecurity is up to snuff.

The speakers all agreed that the current system, where companies “self-attest” to meeting data security standards set by the National Institute of Standards and Technology, has been unreliable, with companies broadly misrepresenting their defenses.

Gillespie said the CMMC is a “desperately needed evolution of the [Defense Federal Acquisition Regulations]” and that she is excited by the prospect of it being adopted by civilian agencies across the government. In that vein, the General Services Administration has already reserved the right to implement the CMMC in finalizing a major IT contracting vehicle.

SecurityScorecard General Counsel Sachin Bansal demurred when Nextgov asked whether the company was a contender to provide continuous monitoring for the CMMC, but Golden and industry leaders praised the company’s approach.

“One of the things my member companies find attractive about SecurityScorecard is that there’s a way to assert that there is a monitoring capability,” Shirley said, “and it’s a reasonable touch on their networks, and their interests and is short of some very intrusive schema that other entities have proposed.”

Knake said, ultimately, a tool that is able to collect data from within a company’s network and report it back out to stakeholders would be the most beneficial, but that the service provided by SecurityScorecard, which uses publicly available data such as how often and quickly a company patches reported vulnerabilities, is an important intermediate step toward a new way of assessing security compliance.

“I think we probably won’t see a sensor moving inside the network, I think we probably will see some form of data collector moving inside the network and bringing data out that can tell you where you are and can tell DOD where you are, or other regulators or other third parties,” he said. “I think what we see right now is the use of external tools, like SecurityScorecard, pointing the way to that, showing how much value you get when you can do this on a continuous basis, so it sort of logically has led many people to say yes, I want that, and then I also want that for what’s happening inside the network.”

Most of the components of CMMC, or programs such as the Federal Risk and Authorization Management Program, can be measured on a continuous, automated basis, Knake said, predicting the future will see more demand for internal network scrutiny.

“I think that’s probably where we’re headed,” he said. “In the crawl, walk, run stages, we’re now getting up to walking and what I’m talking about there would be running. So I think we’re probably a few years away from that but I think it’s gonna come.”

For now, Golden said the CMMC accreditation body is more interested in “some kind of monitoring tool that grabs the data that’s out in the ether, out in the public domain that gives us some insight into what’s going companies evolve.”