Auditors, Contractors Hang in the Balance as Defense Overhauls Cybersecurity Certification Program
The Defense Department has not ruled out a return to allowing companies to ‘self-attest’ their security posture.
Hundreds of individuals have paid for their place in line to take an exam that would qualify them to perform cybersecurity assessments of defense contractors, assessments that may no longer be necessary once the department finishes reexamining its Cybersecurity Maturity Model Certification program.
Under the current system, defense contractors can simply declare—or “self-attest”—their adherence to cybersecurity controls outlined by the National Institute of Standards and Technology. With an interim rule issued in September 2020, CMMC would institute third-party verification of those cybersecurity practices, tiered across five levels according to risk, given the continued loss of intellectual property to Chinese hackers, officials said.
Leading the initiative was Katie Arrington, chief information security officer for the Defense Department’s Office of Acquisition and Sustainment, who is currently under suspension as the department investigates allegations connected to the unauthorized disclosure of classified information. Arrington’s boss, Ellen Lord, who was then head of the acquisitions office, entered into a no-cost contract with a group called the Cybersecurity Maturity Model Certification Accreditation Body, or CMMC-AB. The CMMC-AB formed after participants at a meeting Arrington held to introduce industry to the program volunteered to help shape and oversee a whole new training and certification ecosystem.
Amid reports of a potential conflict of interest given Arrington’s ties to the now-resigned chairman of the CMMC-AB, Arrington argued that creating the novel accreditation body and training and certifying assessors from scratch is necessary to scale the program to cover an estimated 300,000 defense contractors.
The program seemed to present an opportunity for aspiring cybersecurity professionals to climb the ladder in a burgeoning industry, and there was a rush to sign up.
Melanie Kyle Gingrich, vice president for training and development for the CMMC-AB, told Nextgov 670 individuals who hope to become CMMC assessors or otherwise participate in the process have already paid at a discount rate—in the majority of cases almost a thousand dollars—to take the necessary exams. But the training courses preceding the tests aren’t expected to start until October or November, Gingrich said.
The CMMC-AB “will be applying these pre-paid funds at time of testing once an individual has successfully completed their training with a [Licensed Training Professional],” she said. “These individuals will be receiving an email communication in the next month to advise on their next steps.”
Many more may have also paid $1,000 to apply for the CMMC-AB recognized training courses. And there are fees for various other roles in the CMMC ecosystem, such as the “registered practitioner,” who wouldn’t participate in the official assessment process but would be allowed to market themselves and consult as someone who has knowledge of the CMMC.
But many who jumped at the chance to be part of the program are now in a holding pattern, along with defense contractors. On Thursday, a DOD spokesperson said a final rule to implement CMMC, which was expected this month, would only come after the department has fully reviewed and approved the program.
“There is what I call an ‘equities’ issue because there are many hundreds, and perhaps several thousand people who have paid to become part of the AB ecosystem,” Robert Metzger, attorney and shareholder at Rogers Joseph O'Donnell, told Nextgov. “By my observation, many of these people bring skills and have worked hard to become assessors or otherwise contribute. It is important for the Department of Defense to recognize the time, talent, money and other resources that have been committed by individuals and organizations, large and small, to participate in the CMMC initiative. They did so in good faith and the course of action that DOD chooses should respect and make good use of their commitment and capability.”
The DOD’s review should be done toward the end of this year, according to the spokesperson. But speaking at the Intelligence and National Security Summit on Monday, Christine Michienzi, chief technology officer for the deputy assistant secretary of defense for industrial policy, said “nothing is off the table,” including a return to self-attestation.
“Everything is currently under review to make sure that that is the best mechanism that we can use, the independent auditors, versus the [Defense Contract Management Agency], versus self-attestation at the different levels, and what those levels need to be,” Michienzi said.
After the event, Lord, who was interviewing Michienzi on stage, told Nextgov a return to self-attestation would undermine the program.
“If you do not have independent validation and verification there will be no credibility,” she said.
A return to self-attestation could also eliminate or significantly reduce the need for assessors trained and tested within the CMMC ecosystem. Another idea for third-party verification of defense contractors’ information security is for them to use existing certification bodies such as the International Organization for Standardization, or ISO.
“[Groups like ISO] already have the infrastructure,” Lord said. “Frankly that’s a fantastic solution.”
Asked why the DOD didn’t propose that idea in the first place, Lord said she didn’t want to micromanage the process.