2020 in review: A nonstop year of CMMC growth
This year has been one of nonstop growth — and nonstop growing pains — for the Department of Defense’s new contractor cybersecurity standards, the Cybersecurity Maturity Model Certification (CMMC).
In a year fraught with painful change, supply chain cybersecurity has been no exception. But CMMC was able to go from “zero to sixty” during a time when many other large programs were slowed to a halt because of the pandemic. The DOD’s accomplishments were not without error or misstep, but ultimately it accomplished much of the change the program’s leaders promised back in January. Over the course of 12 months, the final CMMC model was released; an accreditation body was stood up and has started issuing stamps of approval to provisional assessors; and the Defense Federal Acquisition Regulations System was officially altered to include CMMC.
The model, a five-tiered system of security controls ranging in complexity, represents a sea change in how the DOD handles its contractors’ cybersecurity. The department can now require assessments to be done by third-party assessors against the controls, meaning contractors need to ensure they get a certification before being awarded a CMMC-based contract. Soon gone are the days of simple self-assessments and of empty commitments from contractors to the government that they are meeting cybersecurity requirements. (While the rule change is in effect, DOD has said it will phase the third-party verifications in over the next five years.)
“Today is a new day,” Katie Arrington, chief information security officer for acquisition and sustainment and the DOD’s lead CMMC official, said at AFCEA’s TechNet Cyber event in early December when the rule change went into effect. Over the course of the year, Arrington appeared on dozens — or possibly hundreds, by her own count — of webinars talking about CMMC.
The accomplishments did not come without a fair share of tumult. Most of CMMC’s drama centered on a much-maligned and occasionally dysfunctional accreditation body, a group of volunteers who have led much of the roll-out of the program. Trouble started when the AB surprise-posted a request for proposal seeking a continuous monitoring solution. More than 50 contractors responded with proposals, none of which were selected despite the one-week deadline contractors had to submit their bids.
Backlash started to mount in LinkedIn posts, with some of the anger spilling into complaints that the AB should go altogether. Despite the growing group of what some on the AB call “the haters and the nay-sayers,” the AB’s work continued.
The trouble didn’t stop there. A trend was emerging of less-than-precise movements by the AB that made industry question whether a dozen or so volunteers were the right group of people to carry out a highly technical regulatory rollout for a cybersecurity program. The AB’s defense generally centered on the fact that it is an all-volunteer board of self-described “patriots” doing their best. But how far could their collected zeal for the flag and the cyber take them? Looking back on the year, it took them very far.
Tumult turns to ouster
The AB’s biggest controversy came in September when an ill-advised “partner program” was announced to the surprise of many — even some of the board members. Most people saw the program, which created an avenue for companies to be marketed by the AB, as a “pay-for-play” scheme, despite denials from the board’s leadership of any conflict of interest. The AB’s first chairman, Ty Schieber, and communications chair, Mark Berman, were forced out days later. Acting Chair Karlton Johnson continues at the helm of the group at the time of publication.
“Many people were surprised and offended at a scheme that asked for so much money,” Robert Metzger, head of the Washington, DC offices of the law firm Rogers Joseph O’Donnell, told FedScoop at the time.
Other challenges came in a long series of negotiations between the AB and the DOD program managers. Officials at DOD and the AB described the discussions as “sporty” and “passionate.” But unofficial communications reviewed by FedScoop showed talks had turned potentially terminal between the two.
Ultimately, a resolution came this November when the two finally signed a deal that solidified the AB as the sole accreditor for the program. With the new contract in place that replaced the AB’s original memorandum of understanding, the AB showed that it was here to stay.
When push came to shove, the AB was able to deliver on its most critical duties. It started training and approving provisional assessors in September, a critical responsibility to get contractors certified as CMMC is put into contracts. As of publication, the AB has cleared nearly 100 provisional assessors and 13 Certified Third Party Assessment Organizations (C3PAOs), along with training for consultants and other groups.
The AB’s year-end successes coincide with a dramatic new look many are taking at supply chain security. The SolarWinds hack, in which suspected Russians compromised government networks through the company’s software supply chain, has shone an even brighter light on CMMC. While CMMC would likely not have been able to stop the hack had it been fully implemented, it’s a reminder to many of the importance of securing supply chains from cybersecurity vulnerabilities.