CMMC: The Dramatic Year Of The Pentagon’s Contractor Cybersecurity Program

The Defense Department’s main effort to protect its supply chain from cyber threats charged ahead through the pandemic but not without controversy.  

In 2020, an ambitious Defense Department effort to account for its suppliers’ cybersecurity had many in the community kicking and screaming in tow, but represents a new collective policy thrust that won’t be dismissed.  

The program, led by Katie Arrington, the chief information security officer for Defense acquisitions, is based on the idea that the government should incorporate security standards into its contract administration. Arrington’s presentations on the program often include an estimate of how much is lost each year through cyber disruptions—$600 billion, according to research cited in the DOD’s answers to frequently asked questions about the program—and highlight intellectual property theft by China.

Before the idea of CMMC, companies within the defense industrial base simply pledged their adherence to cybersecurity practices outlined by the National Institute of Standards and Technology. A 2015 rule required Defense contractors to report cyber incidents and to provide “adequate security” using NIST Special Publication 800-171 to protect covered information. But it wasn’t until summer 2019 that the Defense Department started checking whether companies were implementing the standard. 

Following a pilot in June 2019, the Defense Contract Management Agency officially stood up the Defense Industrial Base Cybersecurity Assessment Center and now does spot checks on companies. John Ellis, DCMA’s software division director, told consultant Leslie Weinstein the selection of companies for these is informed by DOD priorities and threats observed in the cyber realm. 

However, more than a year in, the DIBCAC has completed about 100 audits, just scratching the surface of the roughly 300,000 contractors serving the department. The sheer number of companies that work with the department is why Arrington said a whole new ecosystem of independent auditors is necessary to implement CMMC. She said she also considered turning to an existing official entity such as MITRE, a federally funded research and development corporation, for help with the audits, but that would have been prohibitively expensive. 

The Drama of the Nongovernment Auditors

To scale up auditing, the department issued an interim rule Sept. 30 sanctioning a nonprofit group, the CMMC Accreditation Body, or CMMC-AB, to “accredit and oversee multiple third-party assessment organizations (C3PAOs) which in turn, will conduct on-site assessments of DoD contractors throughout the multi-tier supply chain.”

The group raised eyebrows from the start. Instead of a formal process, the CMMC-AB was populated by volunteers from a meeting DOD held with industry stakeholders about the program. It also turned out Ty Schieber, the initial chairman of the board, had worked with Arrington for years in military and government sales and that he financially supported her 2018 run for a seat in Congress. Arrington denies any impropriety associated with the Schieber connection and has heaped praise on all members of the CMMC-AB for their unpaid dedication to the cause.

Still, the volunteers seemed to struggle with funding. They took out lines of credit to establish operations, and Schieber and another board member were replaced suddenly, after a controversial sponsorship proposal that Arrington said the department could not condone.

The CMMC-AB takes fees from individuals and entities applying to participate in the ecosystem in various capacities, including as auditors and consultants. It is now searching for a CEO as a newly formed 501(c)(3), according to a post on its website, but concerns remain that have prominent members of the DIB reaching for the arms of government.

Private-sector entities don’t usually cry out for the government to be more involved in monitoring their business practices, but 2020 has been anything but typical, and when it comes to the CMMC, that’s exactly what some of the largest tech companies are doing.

“While BSA understands that the Department of Defense seeks to create private sector-based certification infrastructure in order to enable it to meet the requirement for certifications across such a large group of vendors, the current approach creates a number of challenges undermining the integrity of the process, including potential for conflicts of interest, profiteering, and outsourcing of an inherently governmental function,” BSA | The Software Alliance wrote in response to the interim rule.

The Information Technology Industry Council expressed similar concerns and had outstanding questions about the adjudication process in the event audit outcomes are protested.  

“The establishment of an independent Accreditation Board composed of representatives from the Defense Industrial Base holds the potential to put industry representatives in a position to oversee the evaluation of their competitors, a troubling potential conflict,” read the comments from BSA, which has a number of members in common with ITI. “One approach would be for the Department to re-establish the Accreditation Board as a government body, and to put in place guide rails to prevent excessive certification pricing or other abuses. In any event, the current approach must be revisited.”

Learning about the CMMC has generally been a challenge due to irregular official communications about how the program is unfolding.

“Unfortunately a lot of the best information would require essentially skimming LinkedIn on a daily basis and hoping you got the right people,” Robert Metzger, shareholder at government contracts practice group Rogers Joseph O’Donnell, said during a CMMC briefing for the National Security Space Association. “It’s frustrating because knowledge is needed by a lot of people for reasons that affect their business and their finances and their opportunity and it’s hard to get. The distribution of that information is more episodic and accidental than systematic and trustworthy.”  

Source: https://www.nextgov.com/cybersecurity/2021/01/cmmc-dramatic-year-pentagons-contractor-cybersecurity-program/171084/
