Is the Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC) the future, or just another compliance initiative in the long line of competing cyber standards across a fragmented landscape.
One thing is certain, this is a different approach. To date, the government has been mostly disjointed when it comes to cyber. Regulators have focused on privacy, mostly at the state level, and post-breach notification. 50 states have a data breach law, all different, all that rely on individual businesses to take on the burden proactively to secure themselves against a risk they don’t understand and is costly to address. There is HIPAA, GLBA, GDPR, CCPA, and more. Effectiveness of the different compliance regulations is a legitimate question, especially when compared to the burden they bring for businesses.
The disjointedness has led most business, especially the small, to simply ignore toothless regulations, and roll the dice on a data breach knowing they likely won’t even learn of one even if it does happen, let alone be required to notify anyone. Business owners intuitively know this is important, but lack of clear regulations, enforcement and affordability has resulted in little progress addressing the issue.
It is precisely under these circumstances where the Federal Government should step in, establish a winning compliance standard that incorporates but supersedes all others, removing the overwhelming burden from business and addressing the overly fragmented regulatory environment.
This brings us back to the federal government and its contractors. NIST 800-53 is a beast, with an entire consulting industry built on it, and has successfully become an effective standard in the acquisition of government systems. How effective it’s been in securing government contractors is unclear. NIST 800-171 is less burdensome, focused mostly on confidentiality (as opposed to availability and integrity), and was developed with small businesses in mind. The problem with either framework has been adoption by private businesses, which is directly tied to the ability of the government to enforce. Adoption has mostly been voluntary, and/or unenforceable. That is not the case with CMMC, it comes with a stick and a plan to use it. Make no mistake, CMMC has teeth.
Then there’s FedRAMP. Brought about to address the movement to cloud computing, FedRAMP enables commercial companies with cloud products or services wanting to do business with the federal government to get their infrastructure, application or system certified once, so it can be sold and used again and again by multiple government clients. This one to many approach is a departure from NIST 800-53 and RMF but is possible due to the scalability and centralized control inherent in the cloud.
CMMC is the natural evolution of NIST’s comprehensiveness and FedRAMP’s marketplace and impact level approach. Will it meet its ambitious goal of becoming the one standard to encompass them all? The answer depends on 3 big questions:
What will happen to small business government contractors?
Rest assured, the large and mid-sized DoD contractors will both absorb CMMC and capitalize on the market opportunity in stride. In one sense, CMMC is creating an industry overnight. Businesses of all sizes (including the ultra-small) can get certified and become third party (independent) assessing organizations (3PAO). That said, who will they assess. Average ongoing cost of CMMC compliance is estimated to be $3,000 per employee per year with an initial one-time implementation cost of $500 - $1,000 per employee. As with any regulation that reduces the bottom line, there is at least some risk that small business will consolidate into larger business and/or exit the industry all together.
With PCI-DSS (a comparable solution in the sense that it had teeth and the enforcing body had power over the regulated), many businesses exited the business of payment processing, instead outsourcing to accredited solutions and therefore eliminating their compliance burden. An additional cost, yes, but one offset at least partially by the automation brought by third party solutions.
Will this be the same for CMMC? Maybe. There is talk of pre-certifying SAAS solutions (see one to many approach above) and/or reciprocity with other compliance regulations such as FedRAMP, but there is one key difference: scope. PCI regulated the function of accepting credit card payments. CMMC is anticipated to be much more comprehensive, regulating how businesses process information and use technology. This is the core of what most businesses do, and compliance will not be as simple as outsourcing one function of their business. There has been talk of an allowance to ease the burden on small businesses and, at the end of the day, if enough advanced notice is given the cost of compliance can be baked into any proposal submitted to the DoD. This ultimately leaves the government holding the bill, which begs the question of what will be sacrificed to pay for CMMC?
Will CMMC go beyond the DoD (i.e. is this the federal standard we’ve been waiting for)?
There are few more powerful customers in the world than the United States Department of Defense, and while we must start somewhere, will CMMC catch on beyond its initial implementation. It’s logical to think that if proven successful, other federal departments will adopt what the DoD started. Then what? State governments? Local governments? While they don’t have the same buying power as the federal government, they do have legislative power. If CMMC does filter down to states and municipalities, where will the money come from? If budget increases or cuts from other programs are not feasible, then we must circle back to the above question and ask if this will just lead to exits and consolidations among small businesses, essentially eliminating the small business ecosystem this country prides itself on.
Many excited service providers like to throw around the idea that this will become THE standard for all businesses in the United States, which would be great for cybersecurity, but again may not be so great for the smallest businesses. Furthermore, it’s easy to make the argument that the DoD supply chain is a target of interest for nation state cyber actors around the world. Can the same case be made for state contractors? What about the average small business who is more of a target of opportunity than a target of interest? Then there are the alarming stats:
Small and Mid-sized business (SMB) represent 99% of all U.S. businesses and employ more than 60% of Americans
More than half of SMB data breach victims are out of business within 6 months of being attacked
As we know, most small businesses lack the resources and expertise to protect themselves and as discussed above, the disjointedness of the regulatory approach to date has led most small business to simply ignore toothless regulations. Add that all up and it’s not too far of a stretch to imagine the scary scenario a well-crafted piece of malware wiping about a good portion of the American economy.
This brings us back to the question at hand: can CMMC, or any compliance regulation for that matter, be rolled out beyond government contracting and effectively address cybersecurity without resulting in too great of a burden for the small business community that makes up the fabric of our economy?
Eventually, the disjointedness of regulatory compliance around cyber is likely to stop, and one framework/model will win out. It stands to reason there is a good chance it’ll come from the federal level due to the resources, legislative and buying power they hold.
How do you maintain quality of CMMC service providers?
As already discussed, anyone worth their salt in cybersecurity has posed this question at least once: how effective is compliance at actually reducing incidents and successful attacks? Take a look at Service Organization Controls (SOC) compliance, for example. It was created by accountants! Should the AICPA be the governing body of a compliance regulation? What qualifications do they have? Who were their technical advisers? The fact is that cyber, like any new industry, has often been approached as a race to market and then figure it out afterwards. The winners get financial gain and credibility, but this can be dangerous in a risk-based industry.
Furthermore, while academia and industry has begun to address the giant chasm between cybersecurity need and qualified talent, there is still an overwhelming talent gap between qualified cybersecurity engineers and open positions. It’s not a switch you can flip overnight and expect the problem to be reasonably addressed.
This begs the question: how will it work when the DoD creates a critical cyber industry overnight? There will be a race to market. Who will regulate quality? Who will staff the service providers AND the regulators? Current thinking is a non-profit will be the consortium that certifies the service providers. They better know what they are doing because a quick way to kill CMMC in its tracks will be quick to market snake oil solutions and/or unqualified 3PAOs that miscertify contractors or worse, rubber stamp them because they are paying their bills and the government has no quality control mechanisms in place. All of this would effectively make the standard ineffective and a giant waste of time.
These questions and more are being debated by the CMMC team as of this writing and we must give them time to do so, but we must also give them input. One way to do so is by filling out the CMMC Marketplace survey. In the end, the success of CMMC will depend on questions such as the 3 posed above and our ability to think through them now, PRIOR to the aggressive 2020 roll out target. While we won’t have all the answers, healthy debate and industry input is critical to the ultimate success of CMMC.
---------------------
Chris served six years in the U.S. Marine Corps where he was the country Chief Information Security Officer for the Republic of Georgia, a role in which he oversaw protecting USMC digital infrastructure in a highly vulnerable cyber threat environment. Upon returning to the United States, Chris left the Marine Corps to pursue a Masters in Computer Science and MBA from UCLA, and also worked for the MITRE Corporation as a cybersecurity engineer. In 2014, he founded Ariento, a cybersecurity, compliance and IT service provider. Chris is a member of numerous cyber organizations including the FBI Infraguard and the Secure The Village Leadership Council, he teaches on the topics of cybersecurity and privacy at UCLA, and is a regular speaker and contributor to the Wall Street Journal Pro - Cybersecurity.