Pending Cybersecurity Standards Loom Over Contractors
Experts foresee unintended consequences to new requirements.
With the U.S. Defense Department’s new cybersecurity verification requirements set to go into effect later this year, the Pentagon gets high marks from cybersecurity professionals for finally addressing the lack of contractor security, but experts also express doubts about the aggressive schedule and the potential for unintended consequences.
Defense Department officials describe the Cybersecurity Maturity Model Certification (CMMC) program as a critical part of ensuring that companies meet cybersecurity standards. The program is designed to ensure that any business working for the government can demonstrate that it can defend its computer networks against adversaries seeking information about government contracts and weapons systems development.
The Defense Department released the final version of the CMMC in late January. Select requests for information to be released this summer are expected to include the requirements. Those requests for information should be followed by requests for proposals in the fall. The CMMC program allows vendors to achieve different degrees of cybersecurity certification, levels one through five. The levels will be tailored to criticality of a system or subsystem. “These levels will measure technical capabilities and process maturity, Ellen Lord, the undersecretary of defense for acquisition and sustainment, says in a written statement published on the Defense Department website. She adds that the CMMC program “establishes security as the foundation to acquisition and combines the various cybersecurity standards into one unified standard to secure the [Defense Department] DOD supply chain.”
Cybersecurity experts agree that CMMC is a necessary step. “Perhaps the greatest benefit, at least at the outset, is that it clearly communicates the seriousness with which DOD intends to address weaknesses in supply chain cybersecurity, and its intention to leverage its vast regulatory and market powers to drive compliance,” says Maurice Uenuma, vice president, Federal, Tripwire. “There is also the benefit of integrating and rationalizing several different standards … into a single framework. If this effort is ultimately successful, the lessons learned and market impact could reach far beyond the defense industrial base.”
Morgan Dwyer, fellow in the International Security Program and deputy director for policy analysis in the Defense-Industrial Initiatives Group at the Center for Strategic and International Studies (CSIS), also praises the effort. “Industrial base cybersecurity is a long-standing and tough problem. CMMC demonstrates DOD’s willingness and commitment to tackling that problem, and DOD should be commended for taking a step in the right direction.”
Both, however, also raise questions and express concerns. Dwyer, who authored a CSIS report on the subject, suggests the department is moving too quickly to implement CMMC, which could create unnecessary problems. She recommends the department initiate a pilot program focused on a small number of the highest-priority contractors. “DOD can use that pilot program to simultaneously work through implementation issues and to improve cybersecurity in priority areas. DOD can then leverage lessons learned from the pilot program to develop a more comprehensive implementation plan for CMMC. Addressing implementation issues in a pilot program will make CMMC’s rollout to the entire industrial base much smoother in the long run.”
Uenuma agrees with the pilot program concept. “The devil’s in the details. The specific metrics and measures will be very important. Striking the right balance will be key, so a pilot program or focusing on a narrower set of initial suppliers or a subsegment may be the way to go.”
Like Dwyer, Uenuma indicates the Pentagon’s schedule may be too ambitious. “The current timeline is very aggressive—so aggressive as to appear unrealistic.” He adds that it may even appear to be a rushed attempt to shift the focus to industry as the Defense Department struggles to implement effective cybersecurity across its many departments and agencies. “While most security professionals applaud earnest efforts to improve cyber hygiene and supply chain reliability, the manner in which this effort is undertaken will affect how broadly and positively the program is accepted in the long run.”
Ultimately, he predicts, the department may not be able to meet its schedule. “Many of us expect that, realistically, that timeline will probably slip anyway.”
The two experts also question the effect CMMC will have on businesses, especially smaller companies. “There are a lot of hurdles to doing business with the government. Unique requirements for anything—including cybersecurity—are just another hurdle that makes it difficult for small businesses to work with DOD,” Dwyer states.
She points out that the current standards established by the National Institute of Standards and Technology are common across government agencies. “My concern with CMMC is that its requirements are unique to DOD and therefore may add an additional hurdle for small businesses that are interested in working with DOD in particular.”
Dwyer explains that the certification program involves three kinds of costs: compliance, third-party assessments and the third-party verification body itself. “Right now, it is unclear what the cost of each of those components is going to be and whether DOD or its contractors will be responsible,” she offers. “I think it’s likely that DOD will be responsible for at least one component of those costs and that is why it’s so important to pilot CMMC first. A pilot program will allow DOD to gain a better understanding of CMMC’s costs and to use that knowledge to develop a cost-informed CMMC policy and implementation strategy.”
Uenuma theorizes that the burden on suppliers will likely grow over time. “Initially, the impact may be minimal. But as larger suppliers adjust to new requirements and begin to burden their smaller suppliers with new expectations, reporting and assessments, even modest requirements could quickly become too much to handle.”
Eventually, those burdens could result in fewer suppliers and less innovation. “The additional business and liability risks associated with CMMC compliance will further burden businesses that are less able to absorb costs and disruptions. This could lead to businesses exiting the supplier market, reducing innovation, competition and efficiencies,” Uenuma says.
However, John Pope, the Navy’s acting program executive officer for command, control, communications, computers, intelligence and space systems, says the CMMC offers a lot of “goodness” and asserts that the military will work with industry to reduce any negative effects. “When we unpack it and understand that some of those costs are allowable costs for the vendors, I’m ready as a PEO absolutely to pay the bills to make sure my industry partners are able to do their jobs securely. That’s part of our partnership,” he offers.
Pope adds that part of the data security problem may be resolved by changing data storage practices. “One of the things we want to make sure with our industry partners … is that they’re ready to accept that information, store it and process it well and have the right level of skills and know-how to protect it. Maybe instead of having my data over a small businesses server, maybe I keep that data on my secure environment that I’ve got heavy duty security on and just give that vendor access to the environment to do their work.”
That echoes Dwyer’s concerns that critical information is sometimes shared too readily with smaller businesses, which are often the weak link in the cybersecurity chain. “Small businesses are tempting targets when they have both valuable data and weak cybersecurity. Small businesses often have valuable data when they are subcontractors to large prime contractors and those primes share system-level information that the subs don’t need. New cybersecurity standards don’t address this problem of unnecessary information sharing.”
Regardless of any challenges associated with implementing and enforcing the CMMC, Uenuma asserts that industry is eager to help. “Many suppliers are not opposed to this type of framework. In fact, anybody who has struggled with cybersecurity challenges … understands and appreciates any effort to rationalize standards into a consistent framework. We certainly support aggressive efforts to improve supply chain cybersecurity. We’re very much onboard, and we do want to be a part of the solution.”