It’s unclear where money for crucial tools such as continuous monitoring will come from.
The first class of assessors being trained by a volunteer accreditation body established to implement the Defense Department’s Cybersecurity Maturity Model Certification program should start receiving approval within the coming week, but may not have access to continuous monitoring to conduct initial audits, as the organization struggles to fund its operations.
“We don’t have any external funds to pay for things that we needed, whether it was continuous monitoring, whether it was staff, whether it was insurance, all the normal business things we needed,” said Chris Golden, a member of the board of directors for the accreditation body, or AB. “We’ve been struggling spending a significant amount of our time trying to figure those things out versus figuring out what the ecosystem is going to look like and training people and getting assessments going and those kinds of things.”
Golden spoke along with Robert Metzger, an attorney who co-authored the MITRE report “Deliver Uncompromised” and has been a member of the Defense Science Board, during an event Friday hosted by the cybersecurity ratings company BitSight. BitSight has submitted a response to the accreditation body’s request for proposal for a continuous monitoring solution, vice president of communications and government affairs Jake Olcott told Nextgov.
Deliver Uncompromised was among the first venues where the current method of approving defense contractors’ security practices—taking the companies at their word—was deemed ineffective. In response, CMMC will require any defense contractor in possession of certain sensitive information to be audited by an independent third party.
Metzger has been a vocal critic of what he described as possible commercialization of the accreditation body but said expectations placed on the group by the Defense Department are unfeasible.
“We have to appreciate that the Department of Defense has put the AB into a fairly difficult spot,” he said. “This is a very difficult undertaking and they have given no money to the AB to do it. If there is a problem here, some of it may have been misjudgments that can be corrected by the AB, but some of it is because the funding model that the DOD has created strikes me as a lot more optimistic than realistic.”
Metzger said there shouldn’t be a single-source solution for continuous monitoring, but he and Golden described such tools as crucial for the success of the program.
Golden said the two main use cases for a continuous monitoring solution would be to continue to monitor companies in the three-year periods between required certifications and to prepare auditors for what they’re going to see ahead of knocking on companies’ front doors.
He said a first class of provisional assessors has now completed their training and will be taking their exams virtually over the weekend. Members of the accreditation body will then start grading the tests, while assessing the effectiveness of the test itself, and should start issuing approvals next week.
On Thursday the accreditation body also announced its approval of 11 licensed publishing partners to develop training curricula for the program.
But it’s unclear whether the certified provisional assessors will have access to continuous monitoring tools as they go into the program’s first audits, which are meant to inform and improve all those to come.
“It depends,” Golden said. “We did manage to raise just a little bit of money so we’re trying to pour that into standing up some infrastructure and standing up some instances in the cloud etc. etc. If we can get that up and running and then tie a continuous monitoring solution to that we will probably execute on that in the near term. If we can’t get there by the time assessments start, then no, it won’t be available for them.”
The accreditation body is also working with the DOD to come up with a window of time between an initial audit and an assessor’s final certification decision when companies could have a chance to fix any lacking controls required under the CMMC standard instead of being stamped a failure.
“We’re all in agreement that there needs to be a window,” Golden said, suggesting it could be between 30 and 90 days.
“We’re just sort of haggling over what the exact timeline is going to be,” Golden added.
He said the decision will be ready by the time the Defense Federal Acquisition Regulation rule is issued. That is expected in November, according to DOD’s CMMC lead Katie Arrington.
Metzger said such flexibility is necessary to ensure important companies aren’t forced out of the defense industrial base because of one control that might not even apply to their technology. He stressed the importance of stability for the success of the larger effort, returning to challenges inherent in the DOD’s funding model.
“[Volunteerism] is not really the way things like this are ordinarily done,” he said. “Of course you want volunteers and of course you want diverse participation from the sector or the industry, but there are times when you need a professional staff that know they are going to be paid and where you will need money to make awards to this or that or the next company to help you design, develop, and improve your systems. All of that is having to be done sort of on the run by the AB never quite sure where its next dollar is going to come from.”