Top Air Force IT leader has ‘mixed feelings’ about CMMC

The Air Force’s chief information officer has concerns about how the Department of Defense’s new cyber standards for contractors could harm small businesses trying to enter the defense market.

Lauren Knausenberger worries that the strictness of the Cybersecurity Maturity Model Certification, a program that requires third-party verification to a range of security controls, will limit small innovative companies from working with DOD. While she supports the need for better cybersecurity standards for DOD’s IT supply chain, CMMC may not be the best way to do it, she said.

“I have mixed feelings on it personally,” she said during an America’s Future Series webinar. “I think if we lock it down so that we are not going to do business with certain people because they don’t meet [CMMC], I think that limits our options.”

CMMC is a five-tiered system to increase cybersecurity controls that is being phased into contracts over the next five years. Contractors will be required to hire an accredited assessor to verify they meet one of the five levels, a process that remains in development as assessors are being trained and overseen by an independent accreditation body.

Knausenberger is not directly involved in the CMMC program, which falls under the undersecretary of defense for acquisition and sustainment’s authority. But her job as the top IT official in the Air Force gives her significant insight into the department’s technology needs and the potential impacts of barring some companies from its supply chain. She also was an investor and entrepreneur in the private sector before joining government, giving her insight into the challenges that may arise for tech companies.

For small companies hoping to work with the military, the costs of CMMC consultants, meeting the model’s security requirements and the fee for an assessor could be prohibitive. And if they fail to meet the CMMC level defined in a contract, the door to that opportunity is then shut.

“I would rather just say, ‘Hey let’s just give you some endpoint requirements,'” Knausenberger said.

While CMMC is all about the maturity of networks, Knausenberger said having some end-point security requirements and virtual means to connect into the department’s secure networks would likely cover necessary security needs.

“I don’t really care a whole lot about the other pieces” of the maturity model, she said.

Accreditation Body makes new industry council

Also Tuesday the CMMC Accreditation Body, the organization in charge of accrediting assessors and managing implementation of CMMC, announced a new industry advisory council. A group of a dozen industry executives will provide a “crucible for industry dialogue” on how CMMC will impact them, the group said in a news release.

Most of the members come from large defense contractors, like BAE Systems, Amazon Web Services and Accenture. One member, Nicole Dean, is a former board member.

“[J]ust like the volunteer professionals in the AB, the IAC volunteers have chosen to serve a higher cause,” CMMC-AB Board Chair Karlton Johnson said in a statement. “Their leadership, skill, and professional expertise will greatly contribute to the overall success of the CMMC program.”

The council mirrors previous groups the AB had during its initial creation. The volunteer board members led “working groups” of other volunteers from industry who worked on specific parts of CMMC implementation. The AB is looking for more volunteer members for the council to fill a diversity of perspectives, it said.