The Defense Department’s main effort to protect its supply chain from cyber threats charged ahead through the pandemic but not without controversy.
In 2020, an ambitious Defense Department effort to account for its suppliers’ cybersecurity had many in the community kicking and screaming in tow, but represents a new collective policy thrust that won’t be dismissed.
The program, led by Katie Arrington, the chief information security officer for Defense acquisitions, is based on the idea that the government should incorporate security standards into its contract administration. Arrington’s presentations on the program often include an estimate of how much is lost each year through cyber disruptions—$600 billion, according to research cited in the DOD’s answers to frequently asked questions about the program—and highlight intellectual property theft by China.
Before the idea of CMMC, companies within the defense industrial base simply pledged their adherence to cybersecurity practices outlined by the National Institute of Standards and Technology. A 2015 rule required Defense contractors to report cyber incidents and to provide “adequate security” using NIST Special Publication 800-171 to protect covered information. But it wasn’t until summer 2019 that the Defense Department started checking whether companies were implementing the standard.
Following a pilot in June 2019, the Defense Contract Management Agency officially stood up the Defense Industrial Base Cybersecurity Assessment Center and now does spot checks on companies. John Ellis, DCMA’s software division director, told consultant Leslie Weinstein the selection of companies for these is informed by DOD priorities and threats observed in the cyber realm.
However, more than a year in, the DIBCAC has completed about 100 audits, just scratching the surface of the roughly 300,000 contractors serving the department. The sheer number of companies that work with the department is why Arrington said a whole new ecosystem of independent auditors is necessary to implement CMMC. She said she also considered turning to an existing official entity such as MITRE, a federally funded research and development corporation, for help with the audits, but that would have been prohibitively expensive.
The Drama of the Nongovernment Auditors
To scale up auditing, the department issued an interim rule Sept. 30 sanctioning a nonprofit group, the CMMC Accreditation Body, or CMMC-AB, to “accredit and oversee multiple third-party assessment organizations (C3PAOs) which in turn, will conduct on-site assessments of DoD contractors throughout the multi-tier supply chain.”
The group raised eyebrows from the start. Instead of a formal process, the CMMC-AB was populated by volunteers from a meeting DOD held with industry stakeholders about the program. It also turned out Ty Schieber, the initial chairman of the board, had worked with Arrington for years in military and government sales and that he financially supported her 2018 run for a seat in Congress. Arrington refutes any impropriety associated with the Scheiber connection and has heaped praise on all members of the CMMC-AB for their unpaid dedication to the cause.
Still, the volunteers seemed to struggle with funding. They took out lines of credit to establish operations, and Schieber and another board member were replaced suddenly, after a controversial sponsorship proposal that Arrington said the department could not condone.
The CMMC-AB takes fees from individuals and entities applying to participate in the ecosystem in various capacities, including as auditors and consultants. It is now searching for a CEO as a newly formed 501.C(3), according to a post on its website, but concerns remain that have prominent members of the DIB reaching for the arms of government.
Private-sector entities don’t usually cry out for the government to be more involved in monitoring their business practices, but 2020 has been anything but typical, and when it comes to the CMMC, that’s exactly what some of the largest tech companies are doing.
“While BSA understands that the Department of Defense seeks to create private sector-based certification infrastructure in order to enable it to meet the requirement for certifications across such a large group of vendors, the current approach creates a number of challenges undermining the integrity of the process, including potential for conflicts of interest, profiteering, and outsourcing of an inherently governmental function,” BSA | The Software Alliance wrote in response to the interim rule.
The Information Technology Industry Council expressed similar concerns and had outstanding questions about the adjudication process in the event audit outcomes are protested.
“The establishment of an independent Accreditation Board composed of representatives from the Defense Industrial Base holds the potential to put industry representatives in a position to oversee the evaluation of their competitors, a troubling potential conflict,” read the comments from BSA, which has a number of members in common with ITI. “One approach would be for the Department to re-establish the Accreditation Board as a government body, and to put in place guide rails to prevent excessive certification pricing or other abuses. In any event, the current approach must be revisited.”
Learning about the CMMC has generally been a challenge due to irregular official communications about how the program is unfolding.
“Unfortunately a lot of the best information would require essentially skimming LinkedIn on a daily basis and hoping you got the right people,” Robert Metzger, shareholder at government contracts practice group Rogers Joseph O’Donnell, said during a CMMC briefing for the National Security Space Association. “It’s frustrating because knowledge is needed by a lot of people for reasons that affect their business and their finances and their opportunity and it’s hard to get. The distribution of that information is more episodic and accidental than systematic and trustworthy.”
More Riding on Self-Assessment than Before?
The CMMC originally inspired hope, in addition to fear in the contracting community. Some, like ITI, advocated retaining a system of vendor declaration as the basis for certifications. Others, from the National Defense Industry Association, told Nextgov they would welcome more accountability and looked forward to a leveling of the playing field that would reward companies that invested more in cybersecurity. But the program rollout is scheduled to happen over a period of five years, and in the meantime, the new rule doubles down on the self-assessment system currently being used.
DOD can now write into contracts a requirement that companies submit a self-determined score based on NIST-outlined practices, along with a system security plan and a date for when they expect to have fully executed it to the Supplier Performance Risk System.
Suppliers didn’t previously have to register their self-assessments and now the contracting community, including the industry group Professional Services Council, is concerned about how those submissions will be used.
“PSC’s comments raise concerns that self-scoring for compliance with [NIST SP 800–171] could lead to companies scoring themselves differently even if they have the same capabilities and security practices,” reads a press release on a Nov. 30 letter the group sent to the DOD. “Such differences could reduce competition, cause confusion in evaluation and awards, increase risk, and create delays in government procurement.”
There are also concerns about the security of information that is shared toward compliance with the new interim rule, a final version of which is expected in February. A Government Accountability Office report drawing attention to cybersecurity failings at the DOD didn’t help alleviate those at all. GAO implored the Pentagon to practice what it was preaching.
Faced with this and numerous other challenges, including training acquisitions staff to identify the kind of information that should spur certain CMMC security requirements, how to determine reciprocity for adherence to programs like the Federal Risk and Authorization Management Program, and establishing intergovernmental agreements to account for foreign suppliers, Arrington has said this is a learning process for all involved, including the department.
But she stresses that CMMC is the start of an inevitable cultural shift, not just at the DOD, but across the government.
During a recent webinar with Information Systems Security Association International, she noted the direction of the congressionally mandated public-private Cyberspace Solarium Commission, which points to other goals such as requiring contractors to hold cybersecurity insurance. The contracting community isn’t thrilled about that either.
“Threat intelligence should be shared,” she added during the webinar, which covered implications of the widespread breaches caused by a supply chain compromise. “‘Threat’ is not a bad word. Share it with your supply chain because if it happened to you, the likelihood that it’s going to happen to them is certain.” ITI’s comments on the CMMC indicated a reluctance among some to share information—something the government has been trying to get industry to do for about as long as cybersecurity policy has existed—due to cost and security concerns.
Although the CMMC isn’t set to roll out to all defense contractors for another five years, it may already be gaining momentum in other parts of the government, according to Arrington.
“In January, you’re going to see, it’s their story to tell, but you’ll hear at least two federal agencies that are going to formally acknowledge and say that they’re adopting the CMMC,” she said. “I think that this is definitely going to go outside DOD. I know it is.”