CMMC Implementation Poses Challenges for Government, Contractors
The Defense Department’s new cybersecurity maturity model certification (CMMC) coincidentally took effect on the first day of TechNet Cyber, AFCEA’s virtual event being held December 1-3. Leading officials with the Defense Department, the Defense Information Systems Agency (DISA) and industry discussed what its implementation will mean to the defense industrial base (DIB) and the community as a whole.
They concluded it was a step in the right direction, but both sides must work out the bugs that will come up as the complex plan is implemented over the next five years. Unintended consequences will emerge as the complexity of defense acquisition vies with the complexity of CMMC to vex planners and implementers in both government and industry.
Katie Arrington, chief information security officer (CISO) for Acquisition and Sustainment at the Defense Department, led the discussion by pointing out that the first day of the symposium coincided with the first day of CMMC implementation. Companies now have to log in to the Supplier Performance Risk System (SPRS) and record their self-assessment scores against NIST Special Publication 800-171.
“The new clause has created three new rules: the crawl, the walk and the run for cybersecurity,” Arrington pointed out. She later added that security is an allowable cost for contractors. Arrington also stated that CMMC measures could be applied across the spectrum of national cybersecurity needs.
The new clause has created three new rules: the crawl, the walk and the run for cyber security.—Katie Arrington, CISO for Acquisition and Defense at the Defense Department #AFCEACyber @USDISA @AFCEA
— Bob Ackerman (@rkackerman) December 1, 2020
“This is beyond [the Defense Department],” she said of the need for the CMMC. “If you read the National Cyberspace Solarium Commission report that was out in Spring of 2020 … it states that the whole of the United States should have a national cybersecurity program.”
But implementing the CMMC offers challenges, particularly when companies try to self-assess against its security requirements. The rules are complex, particularly in how they apply to the different kinds of contractors and contract vehicles the Defense Department employs.
“Communication between government and industry is going to be key,” said Sara Crabtree, chief financial officer and director of contracts, LightGrid LLC. “I’d like to see communication that speaks to the differences between larges and smalls.”
Government is working with industry to mitigate any confusion or ambiguity about the CMMC. “We are looking at developing a CMMC scoring rubric,” said JenniLynn Bushby, risk management program analyst at DISA. “We are in learning mode. I am waiting to see how this is going to play out in [CMMC] Pathfinder.”
Christopher C. Newborn, professor of cybersecurity, Defense Acquisition University, said, “It is so key to take a look at the crawl, walk and run methodology, and we are trying to come up with a training mechanism for that critical thinking.”
Kemal Piskin, CISO at LinQuest, offered that being actively involved in the DIBNet has helped his company deal with CMMC. “One of the things that has been helpful is being actively involved in the DIBNet,” he said.
But all the panelists acknowledged that, despite the carefully constructed plans, the CMMC still holds many unknowns as government and industry move forward with its implementation. “We have a lot of concerns,” said Maj. Gen. Garrett S. Yee, USA, assistant to the director, DISA, adding, “there are a lot of concerns about what we don’t know.”