NDIA white paper calls on Pentagon to develop CMMC-compliant cloud environments, targeted guidance for industry 

By Sara Friedman  / September 21, 2021

The National Defense Industrial Association has released a white paper urging the Pentagon to provide more clarity on the requirements contractors must meet to reach compliance with DOD’s cyber certification program, and to make other changes to help companies meet the program’s objectives.

The paper has several suggestions to improve the program, including the creation of a “government-furnished [cloud] environment” for small businesses and “new entrants” to the defense market that meets Cybersecurity Maturity Model Certification requirements, and more targeted guidance from the Pentagon on what to expect in upcoming contracts with CMMC language.

NDIA’s intent is “to raise a lot of questions to encourage both the DOD and other policymakers in this area to think about essential questions we believe are being underserved as part of the current conversation,” Corbin Evans, NDIA’s principal director of strategic programs, said of the white paper released today.

Evans told Inside Cybersecurity NDIA wants to “raise the profile” on specific issues to a new level within the Defense Department, the CMMC Accreditation Body and “potentially even within Congress to ensure these issues are being debated and hopefully addressed prior to the continued rollout or implementation of the program.”

The paper asks DOD to “take advantage of the inherent capabilities of the cloud where it makes sense” for contractors. “This process can include collaborating with CSPs to deploy preconfigured and CMMC-compliant cloud environments for small businesses to easily adopt,” NDIA writes.

NDIA conducted a tabletop exercise last week for its members on the implications of using a cloud environment to fulfill CMMC requirements, featuring the Defense Contract Management Agency’s Nicholas Delrosso, Alexy Johnson of consulting firm Sera Brynn, stackArmor CEO Gaurav Pal and Microsoft’s Shawn Veney.

Evans said CMMC-AB executive director Matthew Travis participated in the tabletop and was able to hear perspectives from companies on “interpreting the CMMC regulations and what types of guidance they are looking for from the AB and DOD.”

The Defense Department needs to do more to “reinvigorate” the CMMC maturity model, NDIA says in the paper, arguing “The current all-or-nothing compliance system moves the CMMC program away from a model based on maturity of implementing cyber controls and instead imposes a checklist regime that requires full compliance with the set-forth requirements.”

The paper says there are requirements starting at maturity level one that “would likely cause all organizations seeking certification to fail,” citing the Identification and Authentication control 1.077 from the model as an example of a requirement that, “when taken literally,” means “not to allow any non-approved devices access to information systems.”

NDIA says, “Instead of taking steps towards the maturity of implementing controls as the CMMC levels increase, the controls require full compliance at each level to receive certification. This rigid method of compliance will likely prove difficult to implement when reaching the assessment and certification stages of implementation, and so it should be further examined. There is also some question of whether such an approach will be effective in mitigating the adaptive nature of the cyberthreat.”

NDIA calls current DOD guidance materials “helpful” but says they “fall short of providing clear examples of effective implementation while also demonstrating a rubric with which the assessor will determine compliance. Every company is currently approaching the adoption of the CMMC program from a different starting place and with a different existing network architecture.”

The paper says, “The vagueness of NIST SP 800-171 standards as well as the delta between NIST and CMMC requirements provide flexibility, but they leave companies having to interpret exactly how to implement the controls in a way that will satisfy an assessor. Reference materials that provide clear examples of compliant methods for CMMC implementation will help to drive up compliance while driving down compliance costs.”

One NDIA proposal is the creation of “complete technical documentation” for DOD contractors, “including pre-developed System Security Plans (SSPs) based on each blueprint, along with recommended implementation approaches for the remaining subsystems and non-technical requirements. Complete technical documentation will also offer DIB members the ability to replicate the implementation on their different system if they choose not to use a specific blueprint.”

NDIA argues the Pentagon should expand “the universe” of assessors who can do CMMC assessments to include government, which is currently conducting audits of independent, certified third-party assessment organizations for compliance with CMMC level three through DCMA’s Defense Industrial Base Cybersecurity Assessment Center.

The paper says, “We recommend that CMMC consider reassessing its second CMMC objective ‘to provide the Department assurance, via external assessment, that all contractors and subcontractors . . . meet mandatory cybersecurity requirements.’ Under an alternative proposed approach, external assessment would not be the only option for DOD assurance. The DCMA DIBCAC group has already demonstrated the ability to successfully perform CMMC assessments and could provide needed capacity.”

NDIA raises concerns over the role of the CMMC-AB, saying “Turbulence has hindered the trust in, and the effectiveness of, the CMMC Accreditation Body (CMMC-AB). The turbulent history and continued uncertainty surrounding the CMMC-AB -- to include multiple resignations, charges of conflicts of interest, changes in leadership, and shifts in mission -- have proven detrimental to trust in the organization and have increased the risk of a failed deployment of certifiers.”

The paper says DOD needs to “publish clear expectations of the CMMC-AB and exert more oversight of the AB to ensure that assessments and compliance can be effectively implemented and monitored.”

Other alternatives offered in the white paper include providing clear guidance on cost allowability for contractors, controlled unclassified information and the pathway to adoption for CMMC.

NDIA signed onto a Sept. 9 multi-association letter to DOD leaders asking for more transparency on the future of the CMMC program and identifying areas of concern including DOD’s ongoing internal review. NDIA’s Evans said Deputy Defense Secretary Kathleen Hicks’ office acknowledged receipt of the letter, but has not responded to the issues raised.

The Defense Department needs to “Prepare for What Comes Next,” NDIA says, referencing a May cyber executive order to secure federal systems as a key part of the government’s future efforts around cybersecurity.

The paper says, “Implementing [NDIA’s] approach better positions the Department and the DIB to work collectively to address growing near-term (e.g., ransomware, phishing, DDOS, and other risks) and evolving threats as well as to better prepare for future challenges. The President’s recent Executive Order on Improving the Nation’s Cybersecurity directs a public-private partnership to ‘adapt to the continuously changing threat environment.’ We understand that changes to CMMC and other cyber requirements will be needed over time. Using a collaborative, public, and hands-on approach will help to ensure broad adoption and to raise the cyber foundation of our entire defense and manufacturing industrial bases.”

Further, NDIA says, “Despite CMMC’s early implementation challenges, cybersecurity remains a national priority. We must protect CUI stored and processed throughout the DIB. We fully support that priority and recommend that CMMC embrace the mission to provide the DIB with a flexible, affordable, and effective implementation for assured cybersecurity at scale. That mission can only be achieved by taking steps to implement the solutions suggested herein. With those solutions in place, the CMMC program can assure compliance while continuously developing improvements and preparing for evolving cybersecurity threats. We are ready, willing, and able to assist a collaborative approach to accomplishing this national priority.”