SPOT: CMMC: When 32 = 17 (Security Controls)
Why mathematics and the CMMC don’t seem to work….
Security controls MUST be either established, addressed in a cybersecurity policy document, or a Plan of Action and Milestone (POAM). The CMMC sub-set of controls extracted from the Code of Federal Regulations (CFR) is pure duplication. Specifically, the CMMC addresses basic safeguarding of Covered Contractor Information Systems to include Controlled Unclassified Information (CUI), Controlled Defense Information (CDI), and Federal Contract Information (FCI).The CMMC requires 15 security controls from 48 CFR 52.204-21, AND they are duplicayed by 17 NIST 800-171 existing controls under Level I CMMC certification.
There are ONLY 17 security controls in CMMC Level I
Why the confusion? The personnel working this cybersecurity policy apparently have little understanding or quality control measures in place to oversee true cybersecurity protection measures. While the author has great respect for the two institutions assisting in the formulation of the CMMC, it is apparent that there are serious gaps in the current expertise—there is a lack of cybersecurity professionals who truly understand what NIST 800 cybersecurity protections controls mean and how they provide cybersecurity protection measures.
We continue to fail, and the CMMC is just one new attempt to fix the broken state of cybersecurity. For this reason, the author in no way is critical of the strategic, but the tactical efforts and mis-steps executed by the DOD to-date.
Additionally, a Prime Contractor is also required to include the substance of this clause in subcontracts, i.e., “flow-down requirements,” under a DOD contract. This includes subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items, in which the subcontractor may have Federal contract information residing in or transiting through its Information System (IS).
The CMMC is proving very problematic, and the numbers just do not add up. There are other examples in Level II where the math shows an additional 10 controls that have not been accounted, and the CMMC adds a new family of controls for Process Maturity (ML) .
The CMMC requires a more detailed planning effort that affords the details needed by tens of thousands of contractors and vendors…quickly.
Ms. Columbus has worked in the Intelligence Community (IC) for over 20 years. She retired from the US Air Force in 2014 after working as a Senior Advisor providing authoritative advice on all aspects of Cyberspace operations, force structure and organizational concepts. She oversaw strategic support activities to enable the right mix of cyber capabilities for future operations.