The Biden administration is forging ahead with a scaled-back plan to regulate cybersecurity in the vast and complicated defense industry marketplace. But the halting rollout of the Cybersecurity Maturity Model Certification, or CMMC, program illustrates the perils and pitfalls of rewriting supply chain cyber rules for the defense industrial base.
Only 1 in 4 defense contractors can currently meet Pentagon cybersecurity standards designed to protect U.S. weapons systems from enemy hackers, according to officials — numbers that spell trouble for a renewed push by the Biden administration to extend those standards across the whole DOD supply base.
Three-quarters of the 220 defense contractors assessed by DOD experts over the past three years failed to implement baseline cybersecurity controls and had to enter into a special agreement to remediate security weaknesses, according to John Ellis, director of the Pentagon’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
These previously unreported numbers come as the Biden administration is gearing up to draft new rules that will impose those same cybersecurity standards on more than 200,000 companies that sell goods or services to the DOD. The CMMC program is the latest and most ambitious Pentagon effort to stanch a wave of hacking attacks by U.S. adversaries against defense contractors going back more than a decade, which has led to the hemorrhaging of confidential weapons design and other data.
DIBCAC assesses compliance with 110 cybersecurity requirements set by the National Institute of Standards and Technology in its Special Publication 800–171. Those same standards are also the basis for the CMMC program, Ellis said.
“We expect that the [CMMC] assessment methodology … will look very much like the assessments the DIBCAC performs today,” Ellis told README by email.
The DIBCAC numbers suggest that the majority of defense contractors can’t currently pass a rigorous assessment of their compliance with NIST standards —rules that within two years will become mandatory for all defense contractors.
“It is clear that a very large number of companies have a very great deal of work to do” to meet the CMMC standards, said Robert Metzger, an attorney and former member of the Defense Science Board Task Force on Cyber Supply Chain.
CMMC 1.0: A “bureaucratic monster”
The shocking numbers are the latest blow to CMMC, which was launched under the Trump administration to impose a multi-level system of cybersecurity standards on the web of companies that sell to the DOD. The program aimed to create a for-profit ecosystem of thousands of Pentagon-endorsed third-party assessment organizations, or 3PAOs, to certify that companies were meeting CMMC requirements.
But CMMC 1.0 ran into a buzzsaw of criticism from industry advocates who complained it was unnecessarily complex and rigid, especially for small businesses. In an April 2020 Forbes opinion piece, current Air Force Secretary Frank Kendall, then working as an independent consultant, predicted the program would create bureaucratic bloat and risk a blizzard of lawsuits if companies were barred from bidding on defense contracts because they failed a third party assessment.
He called on DOD to “kill this bureaucratic monster before it gets any bigger than it already has.”
CMMC was also hit by a hailstorm of ethical questions about potential conflicts of interest surrounding the process for accrediting 3PAOs. The CMMC program office anointed the Cybersecurity Maturity Model Certification Accreditation Body, or CMMC-AB, to review and authorize 3PAOs. But the nonprofit organization was underwritten by some of the same companies that would be petitioning it for 3PAO accreditation. And because CMMC 1.0 required third party assessment for most defense contractors on a very aggressive timeline, early accreditation as a 3PAO would effectively grant exclusive access to a huge captive market of defense vendors required to seek certification quickly.
“There were multiple red flags and conflicts of interest” with CMMC-AB, said John Weiler, a long-time gadfly in federal IT and founder of the IT Acquisition Advisory Council.
Senior DOD officials had to publicly disown companies that jumped the gun by claiming they could provide CMMC accreditation before the standards had even been defined.
In a bizarre coda to CMMC 1.0, the public face of the program — Katie Arrington, the CISO for DOD’s acquisition and sustainment office — was placed on administrative leave in May last year, Bloomberg reported. The move came after the NSA accused her of an unauthorized disclosure of classified information. Arrington, a former GOP state lawmaker who unsuccessfully ran for Congress in South Carolina in 2018, had her clearance suspended and faces having it completely revoked, effectively a permanent ban on any employment in a national security role.
In a lawsuit filed last year, Arrington alleged that she faced a Kafkaesque dilemma — she couldn’t answer the allegations against her because she wasn’t allowed to know what they were or see the evidence underlying them, owing to the suspension of her clearance. The lawsuit was settled late last month and her lawyer told SC Media that Arrington now has access to information about the alleged disclosure she needs in order to respond to the effort to revoke her clearance, and that “we hope that this matter will be completely favorably resolved within a few months.”
CMMC 2.0: A pared back standard
The Pentagon launched a review of CMMC after President Biden took office last year, and in November, top defense officials pledged a do-over of the program, now dubbed CMMC 2.0.
CMMC 2.0 slashes cybersecurity requirements for the vast majority of defense contractors; simplifies the compliance scheme from five levels to three; and removes the requirement for third-party assessments for all but a subset of vendors — throttling down the demand for certification and drastically shrinking the proposed for-profit 3PAO ecosystem.
Importantly, the new version of the program allows contractors who fail their third party assessment to enter into a special agreement, called a Plan of Action and Milestones, or POA&M, to fix their security deficiencies — and to continue bidding or executing on DOD contracts while they do.
Deputy DOD Chief Information Officer for Cybersecurity David McKeown laid out the CMMC 2.0 numbers last year at a C4ISRnet event:
- About 220,000 companies make up the defense industrial base.
- Of those, roughly 140,000 hold only federal contract-related data — “not information that anyone would really care about if it was lost to the enemy,” McKweon said. These companies will be defined as CMMC level one, meaning they only need to certify they meet NIST 800–171 standards in an annual self-assessment accompanied by an attestation from a senior company executive.
- The other 80,000 contractors also hold controlled unclassified information and fall into the “advanced” CMMC level two category. But McKeown said only half of those contractors hold information that is considered “critical to national security” and will require a third-party assessment from a 3PAO. The other half hold less critical data and will still only be required to submit a self-assessment.
- About 500 companies working on the most sensitive contracts will be defined as level three — and must meet additional, much more rigorous NIST standards from Special Publication 800–172. These companies will require a level two certification from an independent 3PAO and then a separate certification by DIBCAC experts.
Publicly, industry groups and defense trade associations say CMMC 2.0 addresses many of their criticisms of the original plan.
Privately, they’re still nervous. That’s partly because of a new Justice Department initiative aimed at combating so-called “Civil Cyber-Fraud.” DOJ prosecutors have announced their intention to vigorously pursue government contractors who “knowingly misrepresent… their cybersecurity practices or protocols,” in order to get government business, Deputy Attorney General Lisa Monaco said last year. The Civil Cyber-Fraud Initiative will use federal authorities under the False Claims Act, or FCA, to financially incentivize whistleblowers and prosecute contractors who fail to meet mandatory cybersecurity standards.
The FCA provides for whistleblowers to be awarded a portion of the funds recovered when the government successfully sues a contractor. But its use by the “Civil Cyber-Fraud” initiative casts the shadow of criminal prosecution over the CMMC compliance process, and could make routine self-attestations look like a trap.
“Overall, the FCA is useful, but there are dysfunctional consequences to using it this way,” explained Metzger, the attorney. “You are incentivizing whistleblowers who may believe that they‘re acting in the public interest, but who have a monetary incentive as well. … FCA is not a good tool to enforce [DOD vendor] compliance with cybersecurity standards.”
Despite this, there are hopeful signs for vendors as the administration embarks on a public rule-making process that could take up to two years, Metzger added.
For example, scoping guidance for level two compliance means that contractors can limit the extent of third-party assessments. “This … is important, and helpful, to reduce risks of unnecessarily inclusive scoping,” Metzger said.
Regardless of how the program unfolds, there’s no reclaiming the time lost on the failed CMMC 1.0 roll-out, Weiler pointed out.
“We basically wasted three years,” he said. “I bet the Chinese were very happy about that.”
