We are no strangers to the concept that CMMC, the Cybersecurity Maturity Model Certification, is being placed on defense contractors that support the DoD. But what about other federal agencies supporting various warfighters? Are other agencies looking to impose a cyber standard on their contractors as well? The Department of Homeland Security (DHS) recently went on record to share its thoughts on cyber implementation and its plans for the future. Hold on tight, folks: some of this makes good sense, and some of it pre-dates CMMC.
DHS has recently gone on the record to say that it is going in a different direction when it comes to cyber assessments and software assurance. It has publicly stated that it does not consider CMMC the right model to emulate. On January 19, 2017, the DHS Office of the Chief Procurement Officer published a proposed rule that states, “…the purpose of this proposed rule is to implement adequate security and privacy measures to safeguard Controlled Unclassified Information (CUI) and facilitate improved incident reporting to DHS. The proposed rule also includes inspection provisions and post-incident activities and requires certification of sanitization of government and government-activity related files and information. Additionally, the proposed rule requires that contractors have in place procedures and the capability to notify and provide credit monitoring services to any individual whose Personally Identifiable Information (PII) or Sensitive PII (SPII) was under the control of the contractor or resided in the information system at the time of the incident.” Dare I say that sounds vaguely familiar?
According to the Federal Register, the proposed rule is scheduled for release this month and is listed in the Final Rule Stage under the Office of the Secretary as 1601-AA76. The rule was drafted in 2015, comments were accepted for consideration in 2017, and it is now slated for release in 2022. If doing math in public makes you nervous, allow me to take that burden off your shoulders: from draft to release, this rule has taken SEVEN years. Given that timeline, it’s worth noting that 2015 and 2017 pre-date CMMC entirely, which arguably makes this a pioneering approach to cyber compliance. I reached out to Vincent Scott, CEO of Defense Cybersecurity Group, a cyber consulting company focused on the new DoD cyber requirements for the Defense Industrial Base (DIB), to get his thoughts on DHS and the direction it is looking to take its cyber compliance.
Scott says, “The draft rule mentioned above was written many years ago and does not conform to the 32 CFR 2002 regulation, which applies to DHS and requires the use of NIST 800-171 as the basis for CUI security in non-federal systems. I expect the final version will be significantly different but do not know what that will look like. My impression is that DHS has been softening their position on CMMC-like enforcement, but we will have to see what they come out with.”
Scott is a retired Navy Cryptologist/Information Warfare Officer and also serves as the FBI InfraGard DIB Subject Matter Expert on Cyberwarfare. With this much experience under his belt, I had to ask whether Scott believes the DoD is the gold standard for cybersecurity.
“No. The NIST 800-171 standard is for Confidentiality only and ignores the Integrity and Availability aspects. NIST 800-53 is, in my view, something only the government could love. It is too complex and not really based on a maturity model. As far as execution of their own cybersecurity, I don’t have a lot of visibility. Where I do have visibility is on things like deploying Windows 98 operating systems (in some cases because upgrades are too hard). I am not impressed. If you want a gold standard, the best I have seen is Walmart.”
It’s obvious that DHS is interested in developing a strong cyber compliance regime comparable to what DoD is trying to achieve with CMMC. It’s a comforting thought that agencies other than DoD recognize the need. I am not holding my breath for its execution to be free of hiccups, but I am hopeful that between these two agencies we will see a stronger cyber posture that produces a steadfast defense against our adversaries. Only time will tell.