Auditors, Contractors Hang in the Balance as Defense Overhauls Cybersecurity Certification Program


The Defense Department has not ruled out a return to allowing companies to ‘self-attest’ their security posture.

Hundreds of individuals have paid for their place in line to take an exam that would qualify them to perform cybersecurity assessments of defense contractors that may no longer be necessary after the department reexamines its Cybersecurity Maturity Model Certification program.

Under the current system, defense contractors can simply declare—or “self-attest”—their adherence to cybersecurity controls outlined by the National Institute of Standards and Technology. With an interim rule issued in September 2020, CMMC would institute third-party verification of those cybersecurity practices—tiered across five levels of risk—given the continued loss of intellectual property to Chinese hackers, officials said.

Leading the initiative was Katie Arrington, chief information security officer for the Defense Department’s Office of Acquisition and Sustainment, currently under suspension as the department investigates allegations connected to the unauthorized disclosure of classified information. Arrington’s boss Ellen Lord, who was then head of the acquisitions office, entered into a no-cost contract with a group called the Cybersecurity Maturity Model Certification Accreditation Body, or CMMC-AB. The CMMC-AB formed after participants at a meeting Arrington held to introduce industry to the program volunteered to help shape and oversee a whole new training and certification ecosystem.  

Amid reports of a potential conflict of interest given Arrington’s ties to the now-resigned chairman of the CMMC-AB, Arrington argued that creating the novel accreditation body and training and certifying assessors from scratch is necessary to scale the program to cover an estimated 300,000 defense contractors. 

The program seemed to present an opportunity for aspiring cybersecurity professionals to climb the ladder in a burgeoning industry and there was a rush to sign up.

Melanie Kyle Gingrich, vice president for training and development for the CMMC-AB, told Nextgov 670 individuals who hope to become CMMC assessors or otherwise participate in the process have already paid at a discount rate—in the majority of cases almost a thousand dollars—to take the necessary exams. But the training courses preceding the tests aren’t expected to start until October or November, Gingrich said. 

The CMMC-AB “will be applying these pre-paid funds at time of testing once an individual has successfully completed their training with a [Licensed Training Professional],” she said. “These individuals will be receiving an email communication in the next month to advise on their next steps.”

Many more may have also paid $1,000 to apply for the CMMC-AB recognized training courses. And there are fees for various other roles in the CMMC ecosystem, such as the “registered practitioner,” who wouldn’t participate in the official assessment process but would be allowed to market themselves and consult as someone who has knowledge of the CMMC.

But many who jumped at the chance to be part of the program are now in a holding pattern, along with defense contractors. On Thursday, a DOD spokesperson said a final rule to implement CMMC, which was expected this month, would only come after the department has fully reviewed and approved the program.  

“There is what I call an ‘equities’ issue because there are many hundreds, and perhaps several thousand people who have paid to become part of the AB ecosystem,” Robert Metzger, attorney and shareholder at Rogers Joseph O'Donnell, told Nextgov. “By my observation, many of these people bring skills and have worked hard to become assessors or otherwise contribute. It is important for the Department of Defense to recognize the time, talent, money and other resources that have been committed by individuals and organizations, large and small, to participate in the CMMC initiative. They did so in good faith and the course of action that DOD chooses should respect and make good use of their commitment and capability.” 

The DOD’s review should be done toward the end of this year, according to the spokesperson. But speaking at the Intelligence and National Security Summit on Monday, Christine Michienzi, chief technology officer for the deputy assistant secretary of defense for industrial policy, said “nothing is off the table,” including a return to self-attestation.

“Everything is currently under review to make sure that that is the best mechanism that we can use, the independent auditors, versus the [Defense Contract Management Agency], versus self attestation at the different levels, and what those levels need to be,” Michienzi said.

After the event, Lord, who was interviewing Michienzi on stage, told Nextgov a return to self-attestation would undermine the program.

“If you do not have independent validation and verification there will be no credibility,” she said. 

It could also eliminate or significantly reduce the need for assessors trained and tested within the CMMC ecosystem. Another idea for third-party verification of defense contractors’ information security is for them to use existing certification bodies such as the International Organization for Standardization, or ISO.

“[Groups like ISO] already have the infrastructure,” Lord said. “Frankly that’s a fantastic solution.”

Asked why the DOD didn’t propose that idea in the first place, Lord said she didn’t want to micromanage the process.
