Members of the House Small Business Committee heard complaints of poor communication and coordination from the department on implementation of a controversial third-party auditing process.
Rep. Jim Langevin, D-R.I., is highlighting a vacancy in the Defense Department’s policy-making structure as an impediment to the success of the Cybersecurity Maturity Model Certification program.
“It’s critical that the Biden administration get a Principal Cyber Advisor in position as soon as possible,” Langevin said Thursday in a statement to Nextgov. “Last year’s [National Defense Authorization Act] designated the PCA as the ‘coordinating authority for cybersecurity issues relating to the defense industrial base.’ We need a PCA to help oversee implementation of CMMC and to ensure that relevant threat information is being shared with the defense sector as quickly as possible. Recent cyber incidents, from SolarWinds to Colonial Pipeline, have shown that we are still far too vulnerable.”
CMMC is the department’s approach to instituting a system of mandatory third-party reviews for its contractors and ending the practice of simply taking companies at their word on the cybersecurity controls they have in place. It is how DOD hopes to reduce the loss of what it assesses to be hundreds of billions of dollars’ worth of intellectual property to cyber adversaries each year.
The program, which is rolling out now through 2026, when all DOD contractors will be required to be CMMC compliant, has been mired in controversy connected to an outside group. The CMMC Accreditation Body, or CMMC AB, is working with DOD to manage the program, which is currently under an internal review. The review is focused on policy considerations for “managing costs of cybersecurity for small businesses, clarifying cybersecurity regulatory policy and reinforcing trust and confidence in the CMMC assessment ecosystem,” according to Jesse Salazar, deputy assistant secretary of defense for industrial policy.
Small business representatives testifying before the House Small Business Committee’s panel on oversight, investigations and regulations Thursday described a disjointed and unreliable system of communication about program details.
“The main place that we've been receiving information tends to be LinkedIn,” said Michael Dunbar, president of lubricant supplier Ryzhka International, speaking on behalf of HUBZone Connect Contractors National Council, a nonprofit trade association aimed at underrepresented groups such as veterans and women. “We get very little from DOD directly. There's no consistent message coming out from DOD on where to get things. Even if you go to the CMMC AB Frequently Asked Questions page, sometimes they say, ‘Oh, that's a DOD responsibility.’ And that's been a lot of the kickback, is pointing fingers between the CMMC AB and DOD, saying, ‘Well, they're responsible for X, they're responsible for Y.’”
The secretary of Defense is responsible for designating an official from the Office of the Secretary of Defense for Policy to the Principal Cyber Advisor position to coordinate cybersecurity for the defense industrial base, as Langevin, chair of the House Armed Services cybersecurity subcommittee, noted.
While that position is vacant, former Deputy Principal Cyber Advisor William Chase has testified to the Senate Armed Services Committee that coordinating defense industrial base cybersecurity is “a familiar role to the Office of the Principal Cyber Advisor.” He also said oversight of CMMC specifically is Salazar’s job.
Salazar is the boss of Katie Arrington, the chief information security officer for the office of the under secretary of defense for acquisition and sustainment who is responsible for CMMC and may be more familiar to stakeholders.
The DOD did not provide a comment by deadline on the absence of a principal cyber advisor or the concerns expressed by the small business leaders.