Defense Leadership Warns of CMMC Deceit
Firms that say they can help achieve certification can’t—yet.
Companies preparing for Cybersecurity Maturity Model Certification (CMMC) should beware of firms that are promising to get them certified, said a government official. Stacy Bostjanick, director of CMMC, Office of the Under Secretary of Defense (A&S), stated that any firms claiming to be able to do that are not capable of that function yet.
Speaking at the AFCEA NOVA Intelligence Community IT Day event, Bostjanick outlined a host of issues confronting CMMC compliance. Her warning about firms guaranteeing certification addressed some of the concerns facing companies worried about the complexity of the certification that are willing to turn the process over to others.
“There are some companies that are saying they can get you certified,” Bostjanick said. “That’s not true. Nobody is approved yet. They have to have their level 3 assessment.
“But there are consultants out there on both sides, and my recommendation is just make sure you talk to the person you bring in and make sure they understand what they’re doing,” she continued. “There are some people who have wasted some money, and we don’t want that to happen.”
For CMMC third-party assessor organizations (C3PAOs), the field remains empty—no organization has been certified yet. That may change by April, Bostjanick offered. “Keep your eye on the CMMC-AB marketplace … we will list them as soon as they are ready to hit prime time, and then you can reach out to them and have them come do an assessment for you.”
At least 25 individual assessors have passed their suitability determination and are ready to go, she said. Some are independent, while others are aligned with C3PAOs. Each C3PAO must have a team of at least five to do an assessment, with two or three full-time people to handle dispute resolution and key components of the assessment. More individual assessors are coming.
“After June … you can go maybe to your local community college and get trained,” she added.
Companies that are not bidding on any of this year’s 15 CMMC pilots need not be certified by a C3PAO. Anyone who is bidding on a pilot will be placed at the front of the line.
One other key task facing the CMMC team is reciprocity with other parts of the government. Bostjanick noted that it has a team working with the General Services Administration (GSA) to align reciprocity with the Defense Department. This brings up FedRAMP, which applies security standards to federal cloud services. The two protocols have some differences in how they approach security. FedRAMP, for example, allows for a plan of action and milestones (POAM), but CMMC does not—a company either is in compliance or is not. The reciprocity team is working to align the different levels, she noted.
She hopes the FedRAMP reciprocity will come by the end of the fiscal year. Reciprocity with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) has been completed, she added, noting that FedRAMP and DIBCAC are the two security protocols that are most closely aligned. Next will come reciprocity for ISO 27001.
“We’re working hard to come up with reciprocity agreements,” she declared. “Let’s keep it standard across all of federal government. Let’s all work together on one standard so our industry partners don’t have to have [different] certifications.”
Companies should look at their own networks to determine their CMMC needs, Bostjanick said. She recommended starting at CMMC level 1, basic cyber hygiene. Level 2 will not be as much of an issue because it largely is a stepping stone to level 3.
Yet, even with these CMMC steps, not everything in it will protect companies. They will do better in terms of cyber situational awareness, she suggests. Ultimately, they will adopt and absorb CMMC practices themselves.
“My hope and prayer is that one day we don’t even need it anymore, because companies all become so aware and they have a culture of security where they start thinking in advance of these threats and think, ‘This could happen to me; I need to protect myself,’” Bostjanick declared.