NIST-funded small business centers push back against Pentagon messaging on CMMC preparedness

By Sara Friedman  / November 18, 2020

Two leaders from National Institute of Standards and Technology-funded centers focused on the manufacturing sector are raising concerns about whether small businesses will be prepared for implementation of the Pentagon's cyber certification program on Dec. 1.

"The issue really is knowledge," Eugene Jones, an industry adviser for Purdue University's Manufacturing Extension Partnership, said at an event Tuesday. While manufacturers in the defense industrial base recognize the need for the Defense Department's Cybersecurity Maturity Model Certification program, Jones said, "they have their own challenges" and cybersecurity isn't their core business.

Jones said, "They are in business to make a specific product. They don’t have expertise in that area. Normally at the smalls there is one person doing lots of different things so getting out of the IT debt associated with cyber takes a significant amount of time and money."

Jennifer Kurtz, who leads Colorado's designated national MEP center, agreed with Jones, saying CMMC is seen as "an IT problem, not a business problem" and her clients have other concerns around the "security triad" that take priority. Kurtz said the triad is confidentiality, integrity and availability, and the relative importance of the three is situational, depending on everyday business operations.

When it comes to risk appetites, manufacturers range from being "promiscuous to permissive to prudent to paranoid," Kurtz said. With CMMC, Kurtz said her clients are "perplexed and paralyzed."

These companies don't know what NIST Special Publication 800-171 is, Kurtz said, and they don't understand how it applies to them. "They don't know where to start," she said.

Jones and Kurtz participated in a panel discussion at Hack the Building's Control Systems Cyber Conference on Tuesday with DOD acquisition Chief Information Security Officer Katie Arrington, Defense Acquisition University Professor Christopher Newborn and Shannon Jackson from DOD's Office of Small Business Programs.

The Defense Department is rolling out the CMMC program over a five-year period. Starting on Dec. 1, contractors who handle controlled unclassified information will need to submit a self-assessment on their compliance with NIST 800-171 through DOD's Supplier Performance Risk System when they submit a bid for a new contract.

DOD amended its acquisition rules three years ago to require companies to meet the 110 controls in NIST 800-171, but implementation across the industrial base has not been consistent. CMMC installs a new cyber regime centered on "trust but verify," under which companies will need to get certified for CMMC to compete for DOD contracts.

At the conference, Arrington said compliance with NIST 800-171 is "nothing new."

"You as a community -- the MEP -- are so critical to national defense," Arrington said. "You are national defense. You may not realize it or see it but you are it. It doesn't get any more 'it' than you and the adversary is targeting you."

Arrington continued, "In 2015, I owned my own small business. I didn't think like I do today. I didn't think two years ago like I did today. We have to realize the adversary is definitely changing the tune at how they come at us. When they come at the small businesses, they are coming in and taking everything. They are not just manipulating drawings. They are messing with everything. They are taking everything on your employees. They are following people on LinkedIn from research institutions right to your manufacturing facility."

To address these issues, Arrington said DOD is allowing companies to include the costs to obtain and prepare for CMMC as part of their contract bid.

The rule implementing CMMC assumes that contractors are already meeting the requirements in 800-171, mandated under the current standard Defense Federal Acquisition Regulation Supplement clause 252.204-7012. At level three, the CMMC program builds on 800-171 with 20 additional controls and three processes that contractors will need to demonstrate compliance with.

However, not all contractors meet the current standard for 800-171, and DOD's allowable cost estimates for CMMC levels three, four and five do not take into consideration companies that fall below that standard.