Former head of acquisition and sustainment for defense Ellen Lord has warned that the Department of Defense’s Cybersecurity Maturity Model Certification risks losing momentum if reviews of the program are allowed to drag on for too long.
“Get on with it, don’t let the perfect be the enemy of the good,” she said in an exclusive interview with FedScoop. She added that “too long of a strategic pause … is detrimental.”
Lord spoke with FedScoop Thursday, shortly before the DOD confirmed that it is targeting a year-end deadline for its current review of the CMMC program.
The program has been under an internal review since March, essentially halting progress on its implementation and keeping many leaders in the department mum on the program. Lord, who was in the top DOD contracting job until the end of the Trump administration, said she has been told by department leaders they plan to continue with CMMC, but it may be in a different “CMMC 2.0” form.
CMMC replaces a system in which contractors self-attest they have met cybersecurity standards outlined by the National Institute of Standards and Technology (NIST), a dated model that was “not credible in the long run,” Lord said. Once CMMC is fully implemented, all contractors will be required to pay for an assessment that will score the maturity of a company’s security controls against five tiers of strictness.
Several barriers remain in place for CMMC’s implementation, Lord noted.
Jockeying for control
While the program is being reviewed, there is jockeying for control of the program. Lord said she is aware that moving the program from the Office of the Deputy Assistant Secretary of Defense for Industrial Policy to the purview of the department CIO is “on the table.”
“While I think there should be collaboration with CIO, I do not support the moving of billets to CIO or handing of overall leadership,” she said.
Lord noted that acquisition and sustainment professionals have deep knowledge of the technical details of contracting that is a needed prerequisite for carrying out CMMC, even if it does involve cybersecurity, which is in the traditional remit of the CIO.
Another major hurdle is the lack of confirmed leadership in the department to oversee the program and make key decisions that the department’s civil service can act on, according to the former acquisition leader.
“The best thing that could happen would be to get an [undersecretary for acquisition and sustainment] and a [deputy undersecretary for acquisition and sustainment] nominated and confirmed,” Lord said.
She added that other key positions, like the chief information security officer for acquisition and sustainment role that first oversaw CMMC, remain filled on an interim basis. The lack of permanent leadership hampers the department’s ability to execute changes. The CIO, John Sherman, also remains in place in an acting capacity.
‘Personalities … can’t stay in the way’
Lord argued the department does not need to be wedded to its current structure of using the third-party CMMC-Accreditation Body (CMMC-AB) to oversee the ecosystem of assessors, trainers for assessors and consultants.
“If there is an issue that can’t be overcome with the third-party model, I wouldn’t be opposed to going to those organizations that do ISO,” she said, referring to the International Organization for Standardization. “Personalities … can’t stay in the way.”
Lord added that she was aware of allegations of conflicts of interest and other complaints about the AB while she was in the Pentagon.
“I was aware of a concern with conflicts,” she said. “I was not aware of any data that supported an issue that would cause us to take a different direction.”
No matter the department’s decision, she urged that action be taken soon.
Everyone needs to invest in cyber
Lord said she frequently heard from industry groups that costs associated with CMMC would be too high, creating barriers to entry especially difficult for small businesses to overcome.
Despite the complaints, Lord noted that increasing cyberattacks have forced every sector — not just the defense industrial base — to get serious about cybersecurity. Complaints about the financial burden of the new requirements are overblown, she said, because companies are having to make such cybersecurity investments anyway.
One idea DOD is still contemplating is a government-approved cloud infrastructure for software development, she said. By providing a government-approved system to work on, small businesses would not need to invest in security measures to have their own environments certified for use.
No matter what new leadership decides to do, she said now is the time to act. Continued delays leave more time for cyberattacks that could cripple defense systems and harm economic security.
“From my point of view, it’s time to look at CMMC 2.0,” Lord said.