Companies in line to become certified assessors for the Department of Defense’s supply chain cybersecurity program are facing a new roadblock: Getting and passing an assessment of their own.
There’s a bottleneck in licensing assessors under the DOD’s Cybersecurity Maturity Model Certification (CMMC), according to multiple organizations waiting to go through the process. It not only frustrates these companies that are waiting to enter a potentially lucrative market but also threatens to complicate the timeline for implementing a critical DOD cybersecurity program.
The CMMC program requires every contractor in the defense industrial base to hire a licensed assessor to inspect its networks, something that cannot be done if there are no fully licensed assessors to hire.
“There is … a little bit of a logjam,” Johann Dettweiler, director of operations for TalaTek, a prospective Certified Third-Party Assessor Organization (C3PAO), said in an interview.
TalaTek is slated to get its required assessment from the DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) this spring if all goes well with those in line before it. But Dettweiler was concerned that might not be the case, after learning on a call with other C3PAOs that they were having difficulty meeting CMMC level three, the mid-tier level of security required in the DIBCAC assessment.
Four people familiar with the matter who asked not to be named said they also were told initial audits were difficult and taking longer than expected; one source directly familiar with the matter pointed to the maturity documentation associated with level three as what was tripping some up.
“You have to be able to show that you have the policies and that you have been living the policies, and that last part is really tricky,” Jim Goepel, a former CMMC Accreditation Body member and the CEO of Fathom Cyber, said in an interview.
The CMMC Accreditation Body, the organization that issues licenses to C3PAOs and oversees other parts of the CMMC ecosystem, announced in March that one assessment had been completed but did not share the results or name the company. More than 100 companies are cleared to get their assessment and hundreds of others are awaiting their initial background check and training from the AB.
The AB had little comment on the bottleneck besides expressing its steadfast support for the current requirements and saying the “CMMC-AB is on target for projections” to meet demand. DOD and DIBCAC did not return multiple requests for comment.
In public comments, Katie Arrington, the chief information security officer for acquisition and sustainment, has defended the need for the level three requirement for assessors, saying it’s a security imperative.
“Why? Because they’re going to be the ones processing your company’s information and inputting that into the only place that your company’s information will be stored,” in DOD’s own database called eMASS, Arrington said last week at an Amazon Web Services summit.
Cascades of bottlenecks
A secondary challenge with the C3PAO rollout is that it is a critical piece of a multi-step process to ensure the success of the CMMC program. The end goal of having a third-party verification of the cyber standards of the roughly 300,000 contractors in the defense industrial base relies on having those third parties available to do the verification. Without enough assessors and C3PAOs, the entire ecosystem could fall short of its stated goals.
The DOD has given the program five years to get its feet under it — after that, CMMC will be a requirement in all defense contracts. The AB, which is largely responsible for rolling out the program, says it remains on track to meet the DOD’s timeline. But Dettweiler and others have concerns about the potential downstream effects from the current pace of C3PAO accreditation.
“If you do the math on that…how is that feasible?” Dettweiler said of getting the number of companies certified by C3PAOs on time.
Matt Titcombe, CEO of Peak InfoSec and chief information security officer of its parent company Gigit, added a strong “no” on whether he thinks the program is on track to meet the eventual demand for CMMC assessments.
“I don’t know if we are even going to get one done this year,” he said, adding that he thinks the current timeline is based on a “perfect world” scenario.
Many offered potential fixes, such as making DIBCAC’s initial assessment of the C3PAOs less stringent and allowing assessors to submit their plans to meet compliance instead of demanding maturity of compliance upfront. Others have urged DOD and the CMMC AB to issue a clearer written policy on the scope of assessments.
“You’ve got to make this upfront huge investment without having any potential business from the DOD at all,” Max Aulakh, CEO of Ignyte Assurance Platform, said of the current state of security requirements.
Small assessors, bigger concerns
For small assessors, the concerns are even more acute. With only five people on his team, Steven Senz, CEO of Ascertis Solutions, knows he would have to hire more people just to meet the level three security maturity requirements. He said in an interview he is hoping to subcontract with larger C3PAOs to be able to do assessments in the future.
Senz said he wished there were more regular, official communication from DOD and the AB about the requirements and policies of the program. If he had known more when the initial application payment, a $1,000 fee, was due, he might have chosen a different path for his new company.
“Pay $1,000 in, then another $3,000 to show you can be CMMC level three, but you never really put a disclaimer in that unless your company is of a certain size, don’t bother to apply,” he said of the information provided by the AB when he initially applied. “You took my money and I’m not certain under the criteria now you are imposing on C3PAOs I am actually going to be able to get through all the gates.”