• Credit: Shutterstock/Niyazz
     Credit: Shutterstock/Niyazz

CMMC Implementation Poses Challenges for Government, Contractors

December 1, 2020
By Robert K. Ackerman
E-mail About the Author

Everyone wants cybersecurity, but it may be prove more difficult than expected.

The Defense Department’s new cybersecurity maturity model certification (CMMC) coincidentally took effect on the first day of TechNet Cyber, AFCEA’s virtual event being held December 1-3. Leading officials with the Defense Department, the Defense Information Systems Agency (DISA) and industry discussed what its implementation will mean to the defense industrial base (DIB) and the community as a whole.

They concluded it was a step in the right direction, but both sides must work out the bugs that will come up as the complex plan is implemented over the next five years. Unintended consequences will emerge as the complexity of defense acquisition vies with the complexity of CMMC to vex planners and implementers in both government and industry.

Katie Arrington, chief information security officer (CISO) for Acquisition and Defense at the Defense Department, led the discussion by pointing out that the first day of the symposium coincided with the first day of CMMC implementation. Companies now have to login to the performance risk system (SPRS) platform and record their assessments of how they are implementing NIST Special Publication 800-171.

“The new clause has created three new rules: the crawl, the walk and the run for cybersecurity,” Arrington pointed out. She later added that security is an allowable cost for contractors. Arrington also stated that CMMC measures could be applied across the spectrum of national cybersecurity needs.

“This is beyond [the Defense Department],” she said of the need for the CMMC. “If you read the National Cyberspace Solarium Commission report that was out in Spring of 2020 … it states that the whole of the United States should have a national cybersecurity program.”

But implementing the CMMC offers challenges, particularly when companies try to self-assess their security criteria. The rules are complex, particularly in terms of how they apply to the different kinds of contractors and contract vehicles employed by the Defense Department.

“Communication between government and industry is going to be key,” said Sara Crabtree, chief financial officer and director of contracts, LightGrid LLC. “I’d like to see communication that speaks to the differences between larges and smalls.”

Government is working with industry to mitigate any confusion or ambiguity about the CMMC. “We are looking at developing a CMMC scoring rubric,” said JenniLynn Bushby, risk management program analyst at DISA. “We are in learning mode. I am waiting to see how this is going to play out in [CMMC] Pathfinder.”

Christopher C. Newborn, professor of cybersecurity, Defense Acquisition University, said, “It is so key to take a look at the crawl, walk and run methodology, and we are trying to come up with a training mechanism for that critical thinking.”

Kemal Piskin, CISO at LinQuest, offered that being actively involved in the DIBNet has helped his company deal with CMMC.

But everyone admitted that, despite the carefully constructed plans, the CMMC offers many unknowns as government and industry move forward with its implementation. “We have a lot of concerns,” said Maj. Gen. Garrett S. Yee, USA, assistant to the director, DISA, adding, “there are a lot of concerns about what we don’t know.”

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.


Share Your Thoughts: