Last month six technology industry associations called out the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC) efforts and warned that without more clarity the initiative falls short and could even fail. The groups were the Alliance for Digital Innovation, BSA | The Software Alliance, the Cybersecurity Coalition, the Information Technology Industry Council (ITI), the Internet Association and the Computing Technology Industry Association (CompTIA).
In a letter to DoD’s Ellen M. Lord, Under Secretary of Defense for Acquisition and Sustainment, and Katie Arrington, chief information security officer in the Office of the Under Secretary of Defense for Acquisition and Sustainment, the industry groups outlined a series of recommendations on how the CMMC program could be improved.
“We represent the producers and operators of some of the most sophisticated and widely used information technologies and have considerable first-hand knowledge of the challenging and evolving nature of the most persistent cyber threats. As cyber threats continue to evolve, it is essential that the federal government ensure their front-line cyber defenses stay current and are equipped with the tools and techniques to protect sensitive systems and information of the government and industrial partners,” read the letter, which was posted by Federal News Network.
The letter offered a number of suggestions while also questioning the way the program is being handled. It called for greater clarity on CMMC’s scope, its applicability and an implementation timeline. It also called for clearly defined flow-down requirements for subcontractors and for consistency in procurement requirements across contracts.
Standards and Practices
However, what those six groups actually expect remains a bit unclear, said Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“The signatories comment chiefly about the bureaucracy – administrative details, approval processes and contracting language – and not so much about actual technology or standards,” Purtilo told ClearanceJobs. “Getting details right is important, of course, but we’re not served by slowing the adoption of a CMMC vision in order to first sort out all special cases to everyone’s satisfaction.”
Moreover, the six groups could be seen as raising many questions without offering clear enough suggestions on how the issues they raise could be handled.
“The letter to the DoD from vendors and associations knowledgeable about cyber-security is deeply concerning, especially since the points it raises are anything but obscure or mundane,” added technology industry analyst Charles King of Pund-IT.
“Instead, the associations point out specific weaknesses and redundancies in the new cybersecurity maturity model certification process that might either delay or disarm the adoption and implementation of needed cybersecurity solutions and processes,” King told ClearanceJobs. “Given the very real cyber threats that the United States faces from a wide range of individuals, groups and foreign governments, it is critical that the shortcomings noted in the associations’ letter be addressed with all possible speed.”
Lost in the Details
The letter was clearly a response to the March 25 memorandum of understanding (MOU) between the DoD and the CMMC Accreditation Board. Many of the concerns expressed by the six groups are not new, and according to reports from Federal News Network, a concern of those sending the letter is that any later “fix can be more painful than getting it right the first time around.”
However, the CMMC was never meant to be a new checklist, but rather a metric for the DoD to evaluate vendor cybersecurity programs across five levels of maturity. More importantly, nothing in CMMC should be seen as written in stone; it is likely to evolve as required.
“The U.S. Constitution is a spectacular document without also trying to embody all the regulations that flow from it; we’d never have seen it ratified had people held out for those details first,” explained Purtilo. “Clarity in chartering documents is important, but that doesn’t seem to be what these groups are holding out for. It sounds like they won’t be on board until they see a confirmation that their views of how standards should be interpreted will prevail.”
There is precedent for this in the software maturity models that surely inspired the present CMMC effort, he added.
“Early vision statements charted the direction, but did not carve decisions in stone; the field benefited from the ongoing, healthful and sometimes spirited discussions about how to interpret, and then re-interpret, one or another practice with respect to those models,” Purtilo told ClearanceJobs. “It helped us grow. In my opinion, the chief value of such frameworks is not that you get to put a certificate on the wall after sufficient bureaucratic flagellation, rather, it is the illumination that comes from detailed, focused and thoughtful discussion about one’s shop or practices.”