CMMC: Defense Industry Gears Up For Cybersecurity Program Implementation
By Josh Luckenbaugh

Shortly before the start of the new year, the final rule for the Defense Department’s Cybersecurity Maturity Model Certification program went into effect, over five years since the program was created.
Months later, many defense companies are moving forward with preparations for the program’s implementation, but some are still taking a “wait and see” approach given its previous delays, experts say.
The program, known as CMMC, is meant to be the Defense Department’s mechanism for verifying contractors are compliant with the Pentagon’s cybersecurity requirements.
As the department outlines in the CMMC final rule — which went into effect Dec. 16 — it previously relied upon self-attestation by contractors, but the Pentagon “found that contractors did not consistently implement mandated system security requirements for safeguarding” sensitive information.
The CMMC model consists of three levels, with the majority of contractors expected to need Level 2 certification. While a small number of Level 2 companies will be allowed to perform a self-assessment, most will need to be evaluated by a third-party assessment organization.
Cole French, director of cybersecurity services at Kratos Defense and Security Solutions, said since the final rule went into effect, “we’ve definitely seen an increase in interest and in folks wanting to move the ball forward within their organization.”
“That could be actually scheduling an assessment, that could be doing the work to get ready for the assessment,” French said in an interview. “There’s definitely been an increase in traffic. … However, I would say it’s not what we expected.”
Cybersecurity companies Coalfire and Kiteworks in March released a report on industry’s preparedness for CMMC. Of the 209 organizations surveyed for the study, only 46 percent reported being ready to seek Level 2 certification, while 57 percent had yet to complete a thorough gap analysis against the Defense Department’s cybersecurity requirements.
French said the hesitance within industry to implement the necessary security controls can be traced back to “the delays that have hampered the CMMC program for quite some time. I think there’s a belief that those are going to continue.”
After launching the program in 2019, the Defense Department released a CMMC interim final rule in 2020. But after significant backlash to the rule from industry, the Pentagon conducted an internal review and revamped the program in 2021.
And while the CMMC final rule went into effect in December, implementation of the program has not begun, as the follow-on Title 48 rule to update contractual requirements in the Defense Federal Acquisition Regulation Supplement is still in the rulemaking process, French said.
“I think there’s still a belief that either CMMC is not going to come to fruition, or somehow … there’s going to be another set of delays,” he said.
James Gillooley, information technology management specialist at the Defense Department, said the Trump administration’s executive orders that have frozen all federal regulations have paused progress on the Title 48 rule.
“We’re working through the process of trying to get a waiver or some other way to move the [rule] forward, but as of right now it is paused, along with everything in the federal government,” Gillooley said during a panel at the CS2 Reston conference in May. The department’s goal is to publish the rule sometime this summer or fall, he added.
“CMMC is an operational reality. It is not going away,” he said. “The administration is not going to kill it, no matter how many [executive orders] they put out. So, be prepared.”
No hard date for CMMC implementation is a big reason why “folks are kind of still waiting on the sideline,” French said. “Once we see a hard date, then we’re really going to see people start to move on this.”
Another consideration is the changeover in presidential administrations, French said. While there’s no expectation the Trump administration will “do anything to the Title 48 rule from an implementation perspective,” the government is now looking at regulations like CMMC with “a different lens” than the Biden administration, he said, which could “push the timeline out farther.”
Michael Duffey, President Trump’s nominee to be undersecretary of defense for acquisition and sustainment, said ahead of his nomination hearing before the Senate Armed Services Committee in March that, if confirmed, he plans to “review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices.”
“I recognize the critical importance of ensuring that contractual requirements for protecting DoD information are met by defense contractors,” said Duffey, who had yet to be confirmed as of press time. “Managing and assessing cybersecurity compliance are important roles to ensure our [industry] partners are applying cybersecurity best practices to protect critical information.”
French said Duffey’s statements about reviewing CMMC were likely “a holistic response to just programmatic reviews in general.”
“I don’t anticipate there’s going to be a specific program review that is focused or targeted to CMMC,” he said. “I expect that they will review programs and things like that as needed as part of an overall approach and how they would review programs in general, but I don’t believe there’s going to be anything specific to CMMC. And I don’t believe, based on what I’ve heard, … there’s going to be anything that negatively impacts CMMC’s implementation timeframe.”
Joe Devine, president of Axiotrop, noted the Trump administration named Katie Arrington — whom Devine called the “architect of CMMC” — as the Defense Department’s acting chief information officer.
“The fact that she came back on board” is an indication the Trump administration likely has no plans to curtail the program’s implementation, Devine said in an interview.
Additionally, the government’s effort to secure its sensitive information has progressed across multiple administrations of differing political parties, he said.
It really “started after 9/11 with George Bush,” and then “Obama, a Democrat, signed the executive order … that started the whole [controlled unclassified information] program,” Devine said. The CMMC program started during Trump’s first term, and “Biden, a Democrat, didn’t change it, didn’t do anything to affect it, and now we’re back with Trump. So, I feel like the sequence of different parties in the office doesn’t matter. It’s our national security information.”
And while it has taken a push from the government to implement its cybersecurity requirements, many defense contractors understand the importance of those security controls, he said.
“They are true patriots. They’re in support of our country and our ideals and the warfighters,” he said. “I think they all recognize that we can’t have another generation of” Chinese weapon systems that look “just like ours, because they stole all of our drawings.”
However, the cost of implementation could prove prohibitive for some companies, particularly small businesses. In the Kiteworks and Coalfire report, 36 percent of respondents identified budgetary and resource constraints as their greatest challenge, followed by technical complexity at 31 percent.
The Defense Department is developing a marketplace to help small businesses find pre-vetted managed service providers or cloud service providers for their networks, Gillooley said.
“We’re working with those CSPs to get lower-cost services set up for the [defense industry] specifically, but outside of that, there probably will not be any other avenues for free services,” he said.
Amy Williams, vice president of CMMC at Coalfire Federal, said “a lot of people in the ecosystem are working really hard to figure out” how to “reduce the cost as much as they possibly can of assessments, of solutions, of advisory work.”
However, small businesses need to also recognize that if they are the smallest company in the defense industry, they’re probably one of the smartest companies and “where the engineering magic happens that really drives the innovation of the products and services that the prime contractors are offering,” she said during a talk at the CS2 Reston conference. “You might think that because you’re small, you’re not a target, but if you’re small, you are the number one target, because you’re not expected to have robust cybersecurity in place.”
Small businesses are “usually a foothold into the larger companies as well, so most of the attacks on small companies that are successful don’t stop there,” she said.
Rob Sims, co-founder and chief technology officer at Alchemi Data Management, said these companies must treat cybersecurity as “DNA, not just clothing to put on the mannequin” and as “core to their business.”
Rather than just “getting the check mark … and moving on,” companies need to shift their mindset and methodology and “truly embrace CMMC’s purpose” to secure the government’s sensitive information, Sims said in an interview.
French said he agreed with some of the cost concerns for smaller organizations, but added that CMMC is a “process-driven framework.”
The primary cost for a smaller organization is “the time that goes into building out CMMC compliance,” he said, and “once it’s built out, it can be fairly easily maintained at a relatively reasonable cost point.”
“As people really move the ball forward on this and we get moving, we’re going to find that it isn’t as costly, I think, as some folks are espousing currently,” he said. “We’re going to see security improve, and I don’t think we’re really going to see much of a degradation in terms of the government’s ability to acquire what’s necessary, either from a technology, hardware or service perspective.”