Defense contractors remain top targets for hackers who are trying to access sensitive data. As the March 2020 report of the U.S. Cyberspace Solarium Commission states, adversary cyber threats to the U.S. cause the loss of national security information and intellectual property and create the risk that U.S. military systems could be rendered ineffective or their intended uses distorted.
In response, since 2019, the Department of Defense (DOD) has engaged with a range of stakeholders to develop and refine a set of cybersecurity practices and processes for contractors to use to help assure security of the data. For relevant contracts, this Cybersecurity Maturity Model Certification (CMMC) requires that defense contractors implement these practices and processes on their information systems and networks.
But the Government Accountability Office (GAO) has found that these plans to certify contractors have been subject to delay, and DOD hasn’t communicated key details, such as reciprocity between its certification and others.
DOD estimates that the defense industrial base (DIB) consists of over 200,000 companies, making certification no mean feat. In fiscal year 2020, DOD obligated more than $420 billion on contracts for goods and services, from computers and guided missiles to system analysis and maintenance.
DOD began CMMC implementation with an interim rule that took effect in November 2020, but the rollout of the five-year pilot phase has been delayed. For example, DOD planned to pilot the CMMC requirement on up to 15 acquisitions in fiscal year 2021 but has not yet included the requirement in any acquisitions, in part due to delays in certifying assessors.
Industry—in particular, small businesses—has expressed a range of concerns about CMMC implementation, such as costs and assessment consistency. GAO found that DOD engaged with industry in refining early versions of CMMC, but it has not provided sufficient details and timely communication on implementation.
DOD has identified plans to assess aspects of its CMMC pilot, including high-level objectives and data collection activities, but these plans do not fully reflect GAO’s leading practices for effective pilot design. For example, DOD has not defined when and how it will analyze its data to measure performance. Further, GAO found that DOD has not developed outcome-oriented measures, such as reduced risk to sensitive information, to gauge the effectiveness of CMMC. Without such measures, GAO believes the department will be hindered in evaluating the extent to which CMMC is increasing the cybersecurity of the defense industrial base.
In its December 8 report, GAO notes that no acquisitions included CMMC as a contract requirement in fiscal year 2021. CMMC program officials told GAO that DOD has not yet released a list of the specific acquisitions that will be included in the CMMC pilot for fiscal year 2022 and beyond. The officials said that the Under Secretary will issue a memorandum near the beginning of each fiscal year that defines the target pilot acquisitions for that year. This approach, according to program officials, is intended to help ensure that supporting elements of CMMC, such as certified assessment organizations and trained assessors, are in place to support the acquisitions that will include CMMC as a requirement at contract award.
Representatives from DIB companies told GAO of their concerns that DOD had not yet defined reciprocity between CMMC and other types of cybersecurity certifications. One commenter said that without clear reciprocity between CMMC and other types of cybersecurity assessments, a company may need to comply with multiple, overlapping standards to maintain eligibility to compete for DOD contracts. During GAO’s discussion group with small defense contractors, participants said that it is critical for CMMC to include reciprocity with other federal requirements, such as FedRAMP, that companies have already implemented. These representatives said that without reciprocity, the duplicative compliance costs will be a burden for DIB companies, particularly small businesses.
Small businesses also said they have been unable to get answers to questions needed to prepare for their assessments. For example, one representative told GAO that they have been unable to obtain sufficient information on when assessment organizations will be certified to begin assessing DIB companies. Other participants said they need more information and guidance from DOD on specific technical questions.
In November 2021, DOD announced CMMC 2.0, which includes a number of significant changes, including the elimination of some certification levels, of DOD-specific cybersecurity practices, and of some assessment requirements. DOD also announced that it intended to suspend the current CMMC pilot and initiate a new rulemaking period to implement the revised framework. GAO’s review is therefore timely and enables DOD to address the shortcomings that were found. For example, DOD indicated it intends to use rulemaking to implement reciprocity for CMMC 2.0 by clarifying acceptance agreements with other cybersecurity standards and assessments.
Under the terms of CMMC 2.0, a company will no longer be required to pass an external assessment to achieve level 1 certification. Instead, companies will have to submit an annual self-assessment to achieve and maintain level 1 certification. For the new level 2 (advanced), some companies will still be required to pass a third-party assessment to achieve certification; however, the assessment criteria will be based solely on all 110 practices in NIST Special Publication 800-171. For the new level 3 (expert), CMMC documentation notes that companies will be required to pass a government-led assessment to achieve certification. According to DOD, requirements for level 3 are planned to include all 110 practices in NIST Special Publication 800-171 and a subset of practices in NIST Special Publication 800-172.
GAO’s report makes three recommendations, with which DOD concurred:
- Provide sufficient and timely communication to industry on CMMC, including when additional information will be forthcoming.
- Develop a plan to evaluate the effectiveness of the CMMC pilot, including establishing measurable objectives, collecting relevant data, and identifying lessons and plans to use that information to inform future decisions about the CMMC.
- Develop outcome-oriented performance measures to evaluate the effectiveness of CMMC as a component of the department’s efforts to enhance cybersecurity for the DIB.
In response, DOD said it has begun initial engagement with congressional staff and industry on the transition to CMMC 2.0, and has also initiated activities to identify metrics to evaluate implementation and measure performance. DOD also stated that it has not yet determined the specific structure and scope of any pilot under CMMC 2.0, but that it supports this recommendation and agrees to develop a plan to evaluate the effectiveness of CMMC implementation, including any piloting when conducted.
Writing for Homeland Security Today in November 2020, Ryan Heidorn, a managing partner at a cybersecurity firm specializing in compliance for the DIB, said other agencies, including the Department of Homeland Security, appear to be watching DOD’s rollout of CMMC with keen interest.
Heidorn spoke with Bob Kolasky, assistant director of the Cybersecurity and Infrastructure Security Agency (CISA) and director of the National Risk Management Center, who said that agencies and even other countries will look to see if CMMC is having the intended effect. “Are there fewer major breaches? Has CMMC decreased the revenue that is annually lost to stolen technology? Are there loopholes built in that can potentially be circumvented by experienced hackers?” Kolasky said. “From an outsider’s view, we would want to assure that the content is good, the framework is achievable, and is it producing the intended results,” Kolasky continued. “Did it raise the baseline of security? And is the end result worth the time and trouble it took to get there?”