ALGORITHMIC WARFARE CYBER
Industry Plagued by CMMC ‘False Starts’
By Josh Luckenbaugh
The first phase of the Defense Department’s long-awaited Cybersecurity Maturity Model Certification program is set to begin in November — and yet, many defense companies are struggling to even pass a pre-assessment of their networks.
The CMMC program is the department’s mechanism for verifying that contractors are compliant with the Pentagon’s cybersecurity requirements. The regulation outlining the program’s acquisition policy and standardized contract language — known as the 48 CFR rule — was published to the Federal Register in September and goes into effect on Nov. 10, at which point the first of the program’s four implementation phases will begin.
Rhia Dancel, technical scheme lead for information security at NSF — a CMMC Third-Party Assessment Organization, or C3PAO, authorized to carry out CMMC assessments — said in an interview that 25 percent of the companies her firm evaluates experience a “false start,” meaning they fail the pre-assessment that validates their readiness for an actual assessment.
The pre-assessment is “really a readiness check to confirm that required documentation is available and that the … assessment scope can be determined,” Dancel said. “We’re reviewing your system security plan for completeness, accuracy and consistency, but we’re not looking at adequacy and sufficiency for your implementation. … We’re just making sure that your SSP is approved, it’s all there and documented.”
During pre-assessments, NSF has found that many companies have network diagrams and asset inventories that are inconsistent with one another or have assets incorrectly categorized, she said. “Really, there’s a level of effort that [defense industrial base] contractors underestimate for the assessment.”
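The inconsistency Dancel describes is mechanical enough to check before a C3PAO does. The following script is an added example, not code from NSF, Summit 7 or the CMMC program: it reconciles a constructed asset inventory (CSV) against a constructed network-diagram export (node, segment) and flags assets present in one but not the other, category labels that are not one of the five scoping categories from the DoD CMMC Level 2 Scoping Guide, and assets whose diagram placement contradicts their category (an out-of-scope asset inside a CUI segment, or a CUI asset outside one). The hostnames, segment names and the `CUI_SEGMENTS` boundary are assumptions for illustration.

```python
"""Cross-check a CMMC asset inventory against a network-diagram export.

Added example; the sample inventory, diagram and boundary below are constructed.
"""
import csv
import io

# The five asset categories defined in the DoD CMMC Level 2 Scoping Guide.
ASSET_CATEGORIES = {
    "CUI Asset",
    "Security Protection Asset",
    "Contractor Risk Managed Asset",
    "Specialized Asset",
    "Out-of-Scope Asset",
}

# Constructed asset inventory, as a contractor might export it from a CMDB.
INVENTORY_CSV = """hostname,ip,category,owner
fileserver01,10.1.1.10,CUI Asset,IT
siem01,10.1.2.5,Security Protection Asset,SecOps
eng-ws-07,10.1.1.57,CUI Asset,Engineering
hr-laptop-3,10.1.5.41,CUI Asset,HR
printer-lobby,10.1.3.20,Out-of-Scope Asset,Facilities
cnc-mill-02,10.1.4.12,Specialized Asset,Manufacturing
badge-ctrl,10.1.3.30,Out of Scope,Facilities
"""

# Constructed network-diagram export: (node, segment it is drawn in).
DIAGRAM_NODES = [
    ("fileserver01", "CUI-VLAN"),
    ("siem01", "MGMT-VLAN"),
    ("eng-ws-07", "CUI-VLAN"),
    ("hr-laptop-3", "CORP-VLAN"),   # inventoried as a CUI asset, drawn outside the boundary
    ("printer-lobby", "CUI-VLAN"),  # inventoried as out of scope, drawn inside the boundary
    ("cnc-mill-02", "OT-VLAN"),
    ("vpn-gw01", "DMZ"),            # on the diagram but absent from the inventory
]

# Segments the SSP declares to be inside the CUI boundary (assumption).
CUI_SEGMENTS = {"CUI-VLAN"}


def load_inventory(text):
    """Parse the inventory CSV into a dict keyed by hostname."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory, diagram_nodes, cui_segments):
    """Return a list of (kind, hostname, detail) findings.

    kinds: missing_from_inventory, missing_from_diagram,
           unknown_category, scope_conflict, boundary_conflict
    """
    diagram = dict(diagram_nodes)
    findings = []

    # Coverage: every node on the diagram must be inventoried, and vice versa.
    for host in sorted(set(diagram) - set(inventory)):
        findings.append(("missing_from_inventory", host,
                         f"drawn in {diagram[host]} but not in the asset inventory"))
    for host in sorted(set(inventory) - set(diagram)):
        findings.append(("missing_from_diagram", host,
                         "inventoried but not drawn on the network diagram"))

    # Categorization: labels must be real scoping categories and must agree
    # with where the asset is placed relative to the CUI boundary.
    for host, row in inventory.items():
        cat = row["category"]
        if cat not in ASSET_CATEGORIES:
            findings.append(("unknown_category", host,
                             f"category {cat!r} is not a CMMC scoping category"))
            continue
        seg = diagram.get(host)
        if seg is None:
            continue  # already reported as missing_from_diagram
        if cat == "Out-of-Scope Asset" and seg in cui_segments:
            findings.append(("scope_conflict", host,
                             f"out-of-scope asset is drawn inside CUI segment {seg}"))
        elif cat == "CUI Asset" and seg not in cui_segments:
            findings.append(("boundary_conflict", host,
                             f"CUI asset is drawn in {seg}, outside the declared CUI boundary"))
    return findings


def run_sample():
    """Reconcile the constructed sample and return its findings."""
    return reconcile(load_inventory(INVENTORY_CSV), DIAGRAM_NODES, CUI_SEGMENTS)


if __name__ == "__main__":
    for kind, host, detail in run_sample():
        print(f"{kind:24} {host:16} {detail}")
```

Each finding maps to a question an assessor will ask during scoping: is every asset accounted for, is its category a recognized one, and does the diagram's boundary match the inventory's claim. Running the checks against the real SSP artifacts before the pre-assessment surfaces exactly the mismatches described above while there is still time to fix them.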
Companies overestimating their preparedness for CMMC is nothing new, said Jacob Horne, chief security evangelist at Summit 7.
The main takeaway from a report released last year by Manufacturing x Digital, a Defense Department Manufacturing Innovation Institute, was that the defense industrial base “has overconfidence in their posture for CMMC. I think that’s exactly what we’re seeing with false starts,” Horne said in an interview.
The number of false starts is not something the department currently tracks — but it should, he said.
“Tracking false starts as a metric would be helpful because it gives a clear insight with a single metric into what’s going on,” he said. It would provide a “signal to the industry that you are probably overestimating how prepared you are and that you need to go back and make sure that you’re good to go,” and for the Pentagon it “would be a very clear way to shake people out of complacency and reinforce why this program is so important. … It’s pretty rare that you could have a single metric do both of those things.”
If “there’s a 25 percent chance of anything happening, you need to pay attention to it,” he said.
However, the Defense Department’s appetite to actually track false starts is uncertain, Horne said.
The Government Accountability Office is currently conducting an analysis of CMMC, with a report expected toward the end of the year, Horne noted.
“I would love it” if GAO recommended that the department track false starts, he added, but “short of GAO saying, ‘You need to track this metric,’ … I don’t think they’re going to do it organically.”
Many of the companies experiencing false starts are new entrants into the defense space that were not previously subject to the Pentagon’s cybersecurity requirements, as well as small businesses that “wear many hats, and so they may not necessarily have the time to look into” all of the assessment processes and guidance, Dancel said.
Many small businesses have to outsource IT and cybersecurity work to a third-party managed service provider, meaning they’re “hyper-reliant on this specialized work that they don’t necessarily know how to do,” Horne said.
However, if a managed service provider tells a company, “‘Yeah, you’re good, you’re good, you’re good,’ and then the assessor shows up and it turns out that that’s not true, then they get left holding the bag,” he said.
Horne noted that the MSP Collective maintains a public database of managed service providers that have achieved CMMC Level 2 compliance, “which is a strong indicator that they can help you with the CMMC requirements. … If you’re trying to figure out how to vet the market for lemons here, the fact that they’ve gone through it is probably a good indicator.”
Dancel said the most effective approach for avoiding a false start is doing a mock assessment of your network, which will “show you your realistic snapshot of your current compliance posture.”
“If you go through that mock assessment, you’ll be able to understand what’s in your network and how things should be categorized,” she said. “The mock assessments really are … just telling you what your gaps are — there’s no remediation — but you’ll be able to better understand what’s missing and what type of effort you need to put in in order to actually go through” a formal assessment.
A mock assessment carries little downside, whereas a false start during a pre-assessment has tangible consequences, Dancel and Horne said.
With the 48 CFR rule now published, “the floodgates are going to open,” Dancel said. “There’s going to be C3PAOs that are scheduled really tightly, and so if you need to repeat your” pre-assessment, “it really pushes you back, and you’re kind of at the mercy of a C3PAO’s schedule.”
This will result in not only lost time and money, but potentially lost contracts as well, Horne said.
If the time between solicitation and award is six months, “you essentially have six months to implement all of your requirements, schedule an assessment, successfully make it through your assessment and be issued your certification,” he said.
“You’re cramming a lot of work into a very short period of time, and so if you false start, and you have to go to the back of the line … you might miss that award window,” he said.