It’s time for the public and private sectors to take a strategic pause as we digest the existing frameworks and determine what is and isn’t working before adding a new burden on both communities.
There is no shortage of security requirements when it comes to protecting government information and IT systems. For DoD contractors there are not only several requirements but also an ever increasing number of frameworks to substantiate compliance and manage risk. While the spirit of most of the requirements and frameworks are similar, the policy owner’s interests and expectations are unique.
The release of the draft Cybersecurity Maturity Model Certification (CMMC) from the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) is just another mandate that has the convenience of narrowing the scope to the office’s particular interest without much consideration of the holistic impact another mandated framework would have on industry.
The need for foundational cybersecurity that scales based on data definition, business and mission impact is undeniable. Both government and industry need to step up their game when it comes to identifying and protecting controlled unclassified information (CUI). However, discussing contractual mandates and associated deadlines when the CMMC process and requirements are still in a draft PowerPoint is premature at best.
Having participated in a few CMMC roadshow events, I was initially energized by the effort. I was on board with the patriotic call for immediate action by industry with a return commitment from government of avoiding another checklist, paired with a pledge to educate both government and industry on the CMMC. However, the release of the draft PowerPoint deck, with duplicative slides, lofty goals and no real “process” was a disappointment.
Trying to stay positive, I thought, surely the meat must be in the control matrix? While I can appreciate the effort to “leverage” existing frameworks, there does not appear to be much original thought in the maturity model criteria. Even those criteria that are not tagged with NIST 800-171 or Cybersecurity Framework (CSF) references are already covered under NIST controls. The primary difference being that they have removed the due diligence in clearly defining the control, and allowing for transparent public comment.
Maybe It’s Time to Hit “Pause” On Rolling Out New Mandates.
At this point, are we really trying to solve the problem or are we distributing liability? Perhaps it is time for the public and private sectors to take a strategic pause as we digest the existing frameworks and determine what is and isn’t working before adding a new burden on both communities.
Theoretically, the CMMC makes sense, but as with everything related to security, the devil is in the details. Take for example a company that supports contracts with CUI where all work is completed on site with government-furnished equipment. Based on the limited detail available on CMMC today, it would appear that such companies would be forced to achieve CMMC 4 even though the government data would never touch their corporate networks. This is why the well-thought-out-guidance from NIST enforced by the Defense Federal Acquisition Regulation Supplement (DFARS) requirement makes more sense.
Looking at this scenario under the DFARS, the component requesting the service, along with the associated acquisition staff, would determine what CUI is associated with the contract. Based on the data definition, expectations for how the information should be protected are conveyed. Because the data never makes its way to the corporate network, the company employs security consistent with their business risk assessment strategies but does not need to undertake the cost and effort of a CMMC.
The naysayers would argue that companies that currently have government data are not actually complying with DFARS hence the need for CMMC. Wrong again. If the issue is that the company is not following the contractual requirements, there is already a process to address those issues. However, I have had multiple discussions with DoD employees at various levels, and many of them are not even looking at the DFARS requirement. Sure, they might have the clause in their contracts, but many do not have the knowledge or cycles to fulfill their end of the bargain. Many don’t even know what they would be looking for in demonstrating compliance. Government has to know and define their data before communicating expectations on how to protect it, let alone make it a condition of contract award. This is just one of the many fundamental problems that needs to be solved, not creating a subjective certification that will have 3PAOs laughing their way to the bank.
Federal agencies have a great opportunity to turn things around in cybersecurity. However, it won’t happen if we continue to avoid the difficult questions. The maturity model we should be looking toward, both within government and industry, is the NIST Cybersecurity Framework (CSF). In the end, we all have a lot of work to do to protect our data and privacy. Let’s start with transparency and acknowledge there is an “as is” and “to be” state for both sides of the equation.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.