A Prognostication for the Arm-chair Cyber Generals

In 2019, the Department of Defense (DOD) announced the development of the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a framework not unlike National Institute of Standards and Technology (NIST) 800-171; AND, unfortunately mostly duplicates NIST 800-171.  CMMC is nothing more than an evolution of NIST 800-171, with elements from NIST 800-53 and ISO 27001, and several other cybersecurity frameworks, to provide a better cybersecurity posture for companies and agencies conducting business with the US government. This is a positive evolution that includes and requires third-party auditing by cybersecurity professionals recognized by the DOD.

In addition to assessing a company’s implementation of these wide-ranging cybersecurity controls, the CMMC will also assess the company’s maturity/ institutionalization of cybersecurity practices and processes. The security controls and their associated methodologies will be implemented by the principles of cybersecurity governance.  These will be the rules and standards established by the DOD as the Tier 1 governing body per NIST 800-37, Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems: A Security Life Cycle Approach, the foundational document for RMF.

Who’s Watching the Watchers?

The DOD will specifically require third-party assessment of a company’s Information Technology (IT) systems and data protection measures using a majority of  NIST controls as found in NIST 800-53 revision 4 (with revision 5 pending).  Of particular concern, at the time of this publication, DOD is wrestling with identifying companies that could provide security control assessments as outlined under the CMMC.  This manual predominantly follows the NIST 800-171 control implementation; however, several controls were derived from outside NIST 800-171 or NIST 800-53, respectively. This book uses a best practice approach to address controls from the other frameworks to include ISO 27001 and others as discussed later.

NIST 800-171 formerly allowed for self-assessment by contractors. The CMMC does not permit this explicit weakness of NIST 800-171. It recognizes that the technical capabilities of the defense contracting community have been less than complete. When it comes to an understanding of the RMF, CMMC is a result of historically poor cybersecurity contracting management and oversight that has plagued the DOD as well as the entirety of the federal government for years.

The CMMC framework arose in response to the many extreme breaches of DOD information and weapon systems to include, for example, the F-35, Joint Strike Fighter program, where Chinese cybersecurity operations against the US have been highly successful.  DOD’s prior reliance on the security controls in NIST 800-171 did not require third-party assessment and was presumed enough to thwart the increasing and evolving threat; however, that has been proven as the poorest of decisions by the DOD.

Contractors will now be required to be certified by a third-party auditor.  There has been little guidance to-date of what certification a CMMC audit company must have—who will audit the auditors?

Furthermore, the Defense Contract Management Agency (DCMA) and the Defense Counterintelligence and Security Agency (DCSA) will have purview over the CMMC. However, these agencies lack the current technical capabilities nor experience to execute the CMMC framework. The DCMA has stated it does not have the capability or resourcing to meet former NIST 800-171 mandates, and now with CMMC the expectation is no different.

Additionally, a company or businesses will coordinate with an accredited and independent third-party commercial certification organization as designated by the DOD. According to Ms. Katie Arrington, DOD lead for CMMC, the target is to identify and hire a “nonprofit company” to execute auditing duties. The DOD, via a contract, will select the certification level as either high (for sensitive DOD systems) through low (basic systems) per NIST guidance 800-53 and 800-37.

Expected Real CMMC Timelines

Companies will be certified by late 2020 at the appropriate CMMC level based upon the sensitivity of the system and its data. However, as typical for the DOD in cybersecurity policy development, expect at least a one to two-year delay in full implementation. The DOD has chosen to demure its responsibility and oversight appearing to be an effort to shift risk it cannot or should not do.  These positions will only add to delays in CMMC implementation, and the author does believe the overall objective effort is worthy of pursuing. 

Furthermore, the CMMC will include portions of various cybersecurity standards, such as NIST 800-171, ISO 270001, and ISO 27032; however, at its core, NIST 800-53 is the universally authorized standard for DOD systems. NIST 800-53/RMF will provide the basis of any standards of best security practices and a measure of the “maturity of a company’s institutionalization of cybersecurity practices and processes.”

The cost of certification will become allowable as a reimbursable cost of contract negotiations under the Federal Acquisition Regulation (FAR), and more specifically, under the Defense Federal Acquisition Regulation Supplement (DFARS). While the current guidance states that the costs “will not be prohibitive,” the DOD has yet to identify specified tasks and activities required to conduct auditing by third-party organizations that meet the CMMC “standard.” The DOD has also not defined any cost limits or controls. This too will add to expectations by the defense contracting community to poorly service the tens of thousands of defense contractors needed CMMC certification by 2022.

For additional and updated information, it is best to regularly check the Office of the Under Secretary of Defense for Acquisition and Sustainment website at https://www.acq.osd.mil/cmmc/index.html. The DOD is planning to release Version 1.0 of  CMMC by January 2020; however, expect it to be delayed as is typical for these extensive—but critical—efforts by the DOD. Contractors are expected to include CMMC costs in future proposals by June 2020; however, expect that to be delayed more likely into the 2021-2022 timeframes.

The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 Billion in 2016.

 [Source: The Cost of Malicious Cyber Activity to the U.S. Economy, CEA, 2018]

The DOD has given up on CMMC oversight without setting up the rules and requirements FIRST.

[1] The author has over a decade working with NIST 800-53 and 800-171, respectively. Unfortunately, this is a key problem of RMF in that senior leadership lacks the depth and understanding of the application of RMF, vis-à-vis 800-53 and 800-171. 

Dr. Mark Russo

Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government.  He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP).  He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.