We’ve got the DoD’s final certification standards, but a lot is still unknown
By Chris Sullins
February 12, 2020
The headline quote was from Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition (ASD(A)) for Cybersecurity, at CMMC Impact On GovCon: Now and in 2020, an event hosted in late January by the law firm Holland & Knight.
It’s Not as Close as You Think
While September 2020 is the goal for implementation of the Cybersecurity Maturity Model Certification (CMMC) program, Arrington said it was highly unlikely that any contracts containing CMMC requirements would be awarded before 2021. Certification is not required for a company to bid on a new contract, only to be awarded one. And how many government contracts are awarded within three months of an RFP?
In practice, CMMC is expected to take five years to be fully implemented as existing contracts aren’t affected until renewal or modification. So, it will be FY26 before every Department of Defense (DoD) contract will have CMMC certification requirements.
The Roll Out Will Be Thorny…for the Regulators
Despite the presumed burden of CMMC compliance within the DoD supply chain, Arrington explains, “Level 1 will be on the bulk share of Department of Defense contracts.”
Level 1 consists of 17 basic cyber hygiene controls and essentially is equivalent to FAR 52.204-21. However, the larger obstacle to getting certified is more likely to involve difficulty locating and scheduling a qualified assessor than being prepared to pass the certification audit.
Why? The regulatory bodies have two staggering supply/demand-imbalance challenges ahead of them given the fast-approaching roll out of CMMC.
There will be a significant shortage of assessors
Self-certification, which was possible under NIST 800-171, is not an option with CMMC. The only avenue for certification is through a certified assessor at a credentialled C3PAO (CMMC Third-Party Assessment Organization).
But, there are no certified C3PAOs or assessors at this time. And, the requirements to become a C3PAO haven’t been established, nor has a training curriculum been developed for assessors.
Yet, training is slated to start this spring. Trainers are needed to run these classes, but they also need to be trained. Several iterations of training/feedback/tweaking are envisioned to determine what training is (and isn’t) successful in the curriculum.
The security clearance backlog is worrisome
Assessors will be required to have a security clearance to conduct CMMC audits, although the clearance level has not been defined. While the security clearance backlog has decreased substantially from the April 2018 peak of 725,000 to around 200,000 in January 2020, CMMC will add upwards of 10,000 assessors (over time) who need to be fast-tracked.
In addition to the backlog, there is processing time. While clearance processing times also are improving, they’re too long for the CMMC timetable. In 4Q19, it took 181 days on average to obtain a Secret clearance. As of this writing, September 1, 2020 is only 202 days away and 2021 starts in 324 days. (Again, clearance level hasn’t been specified).
But, Have Faith in Those Who Accepted the Challenge
During another presentation at the Holland & Knight event, Ty Schieber, Chair of the newly established CMMC Accreditation Board (CMMCAB), acknowledged the concerns.
“There is a lot of uncertainty and angst about what (CMMC) is or isn’t (due to) a lack of information or misinformation. And, a lot of the information that people want to know is still undecided,” he said. “The job of the Accreditation Board is to turn unknowns into knowns as soon as possible.”
The CMMCAB is keenly aware of the impending shortage of qualified, credentialled assessors and they expect the deficit to persist for the first six months to a year. As such, they are committed to mitigating the effects.
“We will come up with a system that allows prioritization for people who have contracts that they are planning (to bid) on, or contracts that they have bid on and are anticipating a possible award. We’re going to make sure that the system works, but we don’t know how yet. We’ll figure it out,” said Board member Mark Berman.
Of fundamental importance to the CMMCAB is ensuring that a contract earned by a cyber-ready company isn’t lost due to audit scheduling. “At the end of the day,” noted Berman, “the Accreditation Board cannot be the roadblock between a business and its contract.”
Likewise, the onerous hurdle created by the security clearance requirement for assessors is not lost on the CMMCAB or the DoD. Currently, the DoD is investigating ways to speed the clearance process for CMMC assessors, so it doesn’t become a chokepoint in the process.
Why the Rush?
It may seem that CMMC came out of nowhere and is moving at a rapid pace. In fact, several defense industry associations have urged the DoD to slow down. But, the CMMCAB contends that they are being deliberate and carefully considering decisions, while appreciating the sense of urgency.
Even so, Arrington says we’re running out of time. “Electronic warfare is not static” she said. “You solve one problem, the adversary finds another.”
For example, Arrington cited an estimate that our adversaries exfiltrate about $600 billion a year from the U.S., which is nearly the size of the defense budget and, by her figure, costs taxpayers $4,000 per citizen after tax.
What’s more, Arrington said that the next five years will bring the commercial availability of both quantum computing and 5G, and that together these technologies have the potential to be catastrophic. In her words, quantum computing breaks basic-level encryption and 5G “provides open access.” More precisely, a sufficiently large quantum computer would break the public-key algorithms (RSA, Diffie-Hellman, elliptic-curve) that protect most of today’s communications, while symmetric ciphers are only weakened; and 5G puts far more devices, and therefore far more attack surface, on the network.
At that point, $600 billion could look like peanuts.
Be Part of the Process
The board views CMMC as a collaborative effort and wants input from the industry. The CMMCAB website provides a way to contribute with their “One Thing” question. It reads, “If you have experienced an audit or assessment from a regulating authority before, what is one thing that would have made it a better experience for your organization?”
Everything submitted on the website is read. Also on the website is a stakeholders section where you can subscribe for updates.
Like anything new, the introduction of CMMC could experience hiccups or require revisions. Nonetheless, it’s worth noting that everyone I’ve encountered who is involved in the development and/or implementation of CMMC is passionate about their mission and unwavering in the belief that the DoD and our industrial base must be secure.
Asked why he wanted to take on his role, Schieber replied, “When you look at the significance of this in terms of the threat to the nation, that’s why I get up every day.”
“We have an opportunity here to change the world…to make this a safer country,” Berman added. He also shared his regret that his career path did not include military service. “This is my chance, that I didn’t take when I was in my twenties (to serve the country).”
A troubling statistic in IT security is that 30% of IT managers do not know how many devices are on their networks, according to a 2018 LogMeIn report. Likewise, 10% of IT administrators surveyed by the SANS Institute said they didn’t know how many management servers they were using. Even more surprising, Gartner disclosed results from a survey of clients who found 60% more endpoints on their networks than they thought by using an automated IT asset management tool.
What’s behind the lack of visibility?
There are several trends that contribute to poor network visibility.
1. Decentralized networks. Companies with several locations increase the complexity of the network and introduce the potential for security gaps. For instance, almost half of participants in a 2018 survey by the SANS Institute reported having at least six operating systems, and 12% said they have at least 11.
2. Bring Your Own Device (BYOD). A 2018 report from Bitglass found that 85% of the companies surveyed allow BYOD not only for employees, but also for contractors (27%), partners (25%), customers (22%), and suppliers (19%). And many employees use multiple connected devices at work, which aren’t always authorized or known to the IT department.
3. Internet of Things (IoT). Many IoT devices are never added to the inventory of connected devices, and because they cannot run the endpoint agents that agent-based inventory tools rely on, they go unnoticed unless the network itself is scanned.
What’s the Risk?
Lack of network visibility is a critical issue facing IT managers given the inherent vulnerability of connected devices. According to IDC, 70% of breaches occur on endpoint devices. Research from Absolute Software found that 42% of endpoints are without security at any given time. As a weakly protected path into the network, connected devices are an appealing target for cyber criminals.
Complicating this issue is the rapid growth of devices that connect to corporate networks. Statista estimates that there were 22 billion devices connected to corporate networks and the internet at the end of 2018. That number is expected to reach more than 30 billion by 2020 and over 75 billion by 2025. Consider also that each of these devices carries its own apps and software.
What to do?
IT departments must make device visibility a priority. It’s essential to know and inventory all devices on the network: when each device is connected, who is using it, what is running on it, and what its security posture is.
Keep in mind that it only takes one unknown or unprotected device to provide a gateway for hackers to infiltrate your network.
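One concrete way to act on this, as an added example that is not part of the original article: reconcile what is actually on the wire against what the asset inventory says is there. The script below parses the neighbor table in the format of Linux `ip neigh show`, loads a CSV export from an inventory tool, and reports devices that are unknown, devices that appear to use randomized (locally administered) MAC addresses, which is typical of unmanaged BYOD phones and laptops, devices whose IP has moved, and inventory records not seen on the network. The neighbor lines, the inventory rows and the MAC addresses are constructed for illustration and do not describe any real network; the CSV column names (`mac`, `hostname`, `owner`, `last_ip`) are an assumption about the inventory export.

```python
"""Reconcile observed network neighbors against a device inventory.

Added example, not code from the original article. All input data
below is constructed; replace SAMPLE_NEIGH with live `ip neigh show`
output and SAMPLE_INVENTORY with an export from your asset tool.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `ip neigh show` output (Linux). Not real hosts.
SAMPLE_NEIGH = """\
192.168.10.5 dev eth0 lladdr 00:50:56:aa:01:02 REACHABLE
192.168.10.23 dev eth0 lladdr 3c:22:fb:10:20:30 STALE
192.168.10.77 dev eth0 lladdr 1a:6e:9c:44:55:66 REACHABLE
192.168.10.90 dev eth0 lladdr b8:27:eb:de:ad:01 DELAY
192.168.10.200 dev eth0  FAILED
"""

# Constructed inventory export keyed by MAC; column names are assumed.
SAMPLE_INVENTORY = """\
mac,hostname,owner,last_ip
00:50:56:aa:01:02,fileserver01,IT,192.168.10.5
3c:22:fb:10:20:30,alice-laptop,Alice,192.168.10.40
"""


@dataclass(frozen=True)
class Neighbor:
    ip: str
    dev: str
    mac: Optional[str]   # None when the kernel has no link-layer address
    state: str


def parse_ip_neigh(text: str) -> List[Neighbor]:
    """Parse `ip neigh show` lines into Neighbor records (token based,
    so it tolerates the variable spacing and optional fields)."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3:
            continue
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else "?"
        out.append(Neighbor(ip=tok[0], dev=dev, mac=mac, state=tok[-1]))
    return out


def load_inventory(csv_text: str) -> Dict[str, dict]:
    """Inventory CSV -> {mac: row}. MACs normalised to lowercase."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): row for row in reader}


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set (IEEE locally
    administered address). MAC randomisation on phones and laptops sets
    this bit, so such a device will never match a stable hardware MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def reconcile(neighbors: List[Neighbor], inventory: Dict[str, dict]) -> List[dict]:
    """Return findings: unknown devices, randomized MACs, moved IPs,
    and inventory records not observed on the wire."""
    findings = []
    seen = set()
    for n in neighbors:
        if n.mac is None:
            continue  # FAILED/INCOMPLETE entry: nothing answered, no device to account for
        seen.add(n.mac)
        rec = inventory.get(n.mac)
        if rec is None:
            reason = ("randomized/locally-administered MAC, likely unmanaged BYOD"
                      if is_locally_administered(n.mac) else "not in inventory")
            findings.append({"ip": n.ip, "mac": n.mac, "severity": "high", "reason": reason})
        elif rec.get("last_ip") and rec["last_ip"] != n.ip:
            findings.append({"ip": n.ip, "mac": n.mac, "severity": "low",
                             "reason": f"{rec['hostname']} moved from {rec['last_ip']}"})
    for mac, rec in inventory.items():
        if mac not in seen:  # stale record or offline asset: either way, worth a look
            findings.append({"ip": rec.get("last_ip", ""), "mac": mac, "severity": "info",
                             "reason": f"{rec['hostname']} in inventory but not observed"})
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_ip_neigh(SAMPLE_NEIGH), load_inventory(SAMPLE_INVENTORY)):
        print(f"{f['severity']:<5} {f['ip']:<16} {f['mac']}  {f['reason']}")
```

Run against a real host, the neighbor table only shows devices the host has recently talked to, so feed it from a switch or router (or from DHCP leases, NAC logs and passive sniffing) rather than a single workstation, and run it on a schedule so a new unknown MAC surfaces within minutes rather than at the next audit.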