The new chairman of the Cybersecurity Maturity Model Certification-Accreditation Body wants to eliminate the drama often associated with the Department of Defense’s contractor cybersecurity regulations and turn it back into the “boring” process it was intended to be.
To do that, Jeff Dalton says it’s finally time to turn the board that oversees the Accreditation Body into a more professional group of strategic advisers rather than the startup staff it has operated as for the past 18 months.
“Our role was creation and invention and innovation and trying … to get things out as quickly as possible. And we were not technically a corporate board,” said Dalton, who was voted in as CMMC-AB board chairman in December. “So, it’s time to make that transition.”
The Cybersecurity Maturity Model Certification is the DOD’s proposed framework of cybersecurity requirements for defense contractors that handle sensitive controlled unclassified information. Once under contract with the department, some companies will either need to self-inspect or get a third-party assessment of their networks to continue working with the DOD.
The AB accredits the cyber inspectors that will conduct the assessments, as well as certified CMMC trainers, registered consultants and other parts of the ecosystem. It’s a position that puts the AB, and by extension Dalton, at the heart of bringing CMMC to life.
Gone will be the daily board meetings, detail-oriented decisions and, hopefully, the turnover and drama that often followed the AB board since it was first stood up in early 2020, Dalton told FedScoop in an interview. He added that he will require all board members to be trained on ethics and professional board member guidelines from the National Association of Certified Corporate Directors. He also wants to bring on new, more experienced members to grow the board to 12-15 members.
Dalton will conduct his first meeting as chair in the coming weeks. Previously, he served as vice chair to former chairman Karlton Johnson and was a founding member of the AB, experience that gives him “institutional knowledge,” he said.
The biggest change members of the CMMC ecosystem will see under his leadership is a more vocal approach to advocating for CMMC as a valuable certification for businesses of all kinds, Dalton said.
“I am going to be very vocal … because we are in a war,” Dalton said.
He is already talking with state CIOs and big businesses, adding that “every state CIO I talk to is talking about CMMC and wanting to adopt it.”
Despite 18 months of daily meetings, controversy and, so far, not getting any stipend or salary, Dalton pointed to the mission to promote better cybersecurity for U.S. national security and defense as what’s kept him around.
“I am still here because I love this country,” Dalton said. “I feel like that now that I have moved into this role … I think I can help.”
Impacts of CMMC 2.0
When first created, the CMMC rules stipulated that every single defense company—whether they are landscapers or makers of fighter jets—would need to pay for a certification. It was a bar that many small businesses felt was too high, but one that was giving the AB enormous demand from cyber companies looking to be accredited.
In November, CMMC was reduced in scope, a change that shrank the number of contractors that would need a third-party inspection. The change left the AB’s CEO, Matthew Travis, worried that there could be a shortage in demand for assessors and CMMC assessments.
Dalton said the demand for assessments from DOD contractors is “still a huge number,” even though it’s smaller, and he expects demand from other sectors to follow suit.
“The operationalization of the AB did not change dramatically with [CMMC 2.0],” he said.
The biggest change that will impact the AB, Dalton says, is time. With a new rule-making process underway, Dalton worries demand may not come soon enough.
“There are two things that I worry about: One is the rule-making timing, the fact that it might take a year or more,” Dalton said. “A significant delay to that might make some hardship.”
The other concern is a lack of incentives from the DOD for companies to start adopting the model before it is required. Dalton said the AB will soon be rebranding itself, including with a new website that he hopes will make the case for why companies should get a CMMC assessment sooner rather than later.
Dalton said that, beyond the AB’s bottom line, the longer companies wait to implement the security controls in CMMC, the longer they are at risk of attack.