Making the Case for CMMC 3.0
Allison Giddens
President, Operations (SMB Manufacturing) | Community Volunteer | Humorist
Heck of some clickbait, huh?
CMMC should be anything but an all-or-nothing assessment. I am confident that moving away from that model would not only vastly improve the security of the Defense Industrial Base, but also prevent a barrage of disastrous supply chain interruptions.
First, let’s state some basic facts:
1. CMMC is an assessment model that scores against an existing requirement: NIST 800-171 (currently Rev 3 is in draft mode).
2. If you have 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) flowed down to you by your customer, you have likely uploaded a self-assessed score to the Supplier Performance Risk System (SPRS). If you have received a DIBCAC audit, that score may not be self-assessed, but determined by DCMA.
3. Whether or not you are compliant with NIST 800-171, meeting all requirements can be tough – regardless of the size of your business.
There will be people to fight me on the third item above. I’ll get LinkedIn messages about it, no doubt.
Anyone who says this is easy hasn’t been paying attention. If it’s easy, why are we not dragging along just a few non-compliant slackers while 90% of industry boasts 100% compliance? Whether a company is struggling because of financial limitations on technical investments, people shortages that keep it from all getting done, or middle management fighting top management over misaligned security priorities: NIST 800-171 is not a piece of cake.
Still with me?
If you are not already compliant (or awfully close to it), NIST 800-171 Rev 3 may have made you realize that you’re further behind than you thought you were. It’s not as though NIST made things more complicated: it spelled some things out and clarified what it assumed you were doing all along. It even gave you the opportunity, MADLIBS style, to fill in the blanks with some of the parameters.
Regardless, NIST 800-171 requirements assume a lot. Take a look at the allow list requirement. As one colleague put it, even if you have the technology and resources, setup is relatively easy; maintenance is not.
No company is perfect. At least, not along a continuum, forever. Are there companies that score 110 in DIBCAC assessments? Absolutely. Those companies likely have ample resources and business process flows conducive to controlling the flow of CUI – and those business flows may have even been created specifically with NIST 800-171 in mind.
Your average machine shop, on the other hand, has lived and breathed ISO 9001 or AS 9100 for years.
ISO 9001 is the international standard that specifies requirements for a quality management system. AS 9100 is the aerospace version (essentially, ISO on steroids). Compliance with these standards is common in the Defense Industrial Base (I don’t know any company doing business in the DIB that is not at least ISO 9001 certified). Compliance with ISO 9001 or AS 9100 means fewer planes falling out of the sky. It means conforming product is the standard, period. Many manufacturers know the ISO 9001/AS 9100 standard extremely well.
In fact, manufacturers are so familiar with ISO 9001/AS 9100 that the yearly audits we undergo to maintain our quality certifications are something we understand quite well. Heck, if you do anything long enough, you get better and better.
Do you see where I’m going with this?
What if the DIB continued to self-assess and maintain its score in SPRS while the third-party assessment function of CMMC evolved to be more in line with audits like those of ISO 9001 and AS 9100?
In an ISO 9001/AS 9100 audit, the company communicates the scope of its environment to the assessor. From there, the assessor uses the quality management standard to determine which aspects they will spend their time analyzing. They’ll review procedures, they’ll ask for evidence, they’ll walk through an example on site. They have a set amount of time and they work through the topics according to their sample plan. They may spend half a day on your purchasing procedures and workflow, and just glance at your shipping procedure.
The assessor makes sure that any non-conformances reviewed last year are closed out and investigates to ensure that the company is not still making the same mistakes it was.
What if a CMMC assessment used a sample plan based on the scope of the company’s environment?
A CMMC assessment would take less time. Therefore, a CMMC certificate would be less expensive for a business, incentivizing it to take steps toward security and compliance.
Why would you sign up for a marathon when you can’t even run a 5K? It’s easier to stay on the couch.
But what if you told a business they could still earn their 5K t-shirt by walking the 3.1 miles – isn’t that a “win” when it comes to a person’s health?
ISO 9001/AS 9100 certificates do not assign a score. The assessor either recommends you for a certificate, or not. If a company has a lot of non-conformances that don’t get closed out in a timely manner following the assessment, the company is at risk of not receiving the certification.
Is that not what we are seeking to do in the DIB? Determine which companies are at high risk of not protecting data, and then no longer permit them to handle it?
There are not enough assessors to accommodate all the companies who would need an assessment when that day comes – that’s assuming, of course, all companies who need an assessment would actually be ready for assessment… oh, and that they could afford an assessment.
An assessment with a sample plan could expedite audits to allow auditors to complete more audits in a shorter amount of time.
There is a contingent out there that will wholeheartedly disagree with everything I have stated. They will say that self-assessment has not worked and a sample plan isn’t good enough.
I argue that industry has done a very good job bringing the conversation to the table. Contrary to what some consultants may want you to believe, most companies were not sneakily checking a box and childishly refusing to follow contractual requirements. Many companies did not understand the fine print and its ramifications. Is ignorance a defense? No, but tell me again how much beating the dead horse helps the warfighter.
To those who are in the full-assessment-only camp, I respectfully ask: if CMMC is the result of the U.S. Government addressing the risk of businesses handling sensitive information, what's the higher risk:
- A bunch of companies that are not perfect, but more secure than they were last year;
OR
- Some DIB companies arguably good for a snapshot at the time of an assessment every three years, but a significant portion of the DIB throwing up their hands and giving up – no more secure than yesterday – now causing supply chain disruption and requiring special workarounds to exempt key suppliers, all in an effort to keep the supply chain from coming to a screeching halt?
----------------
Allison K. Giddens is the co-owner of Win-Tech, an aerospace machine shop in Kennesaw, Georgia. She is actively engaged in industry and has... opinions.
Check out some helpful resources she helped develop with ND-ISAC community members:
I've got a theory on this, and it's that most people (consultants, assessors, owners of cybersecurity programs) don't really know what "good" looks like when it comes to cybersecurity posture. There isn't a good template for "put x,y,z in place, and then do these activities on a regular basis". The interpretation of "good" (even with the AOs) changes from assessor to assessor and becomes subjective very quickly by people who don't have a cybersecurity background. It's almost falling into the same trap as ISO and *gasp* SOC2 assessors (CPAs, wtf?) where you have folks that are performing assessments (and providing advisory) on cybersecurity posture who have no clue about the underlying infrastructure or how to implement the specific control past repeating what is stated in the assessment guide. I'm not seeing a lot of practical training and advisory on how to actually implement the controls in a real world organization the size of the majority of the DIB (SMBs), it's mostly high level rewording of the requirements and AOs which is a poor allocation of limited cybersecurity dollars.
Kieri Solutions | CMMC educator | Cybersecurity advocate
1 year
By awarding contracts over and over to the lowest price bidder (AKA the one not spending on cybersecurity), the government has created a perverse incentive to falsely claim compliance. It is so powerful that I'd argue that small businesses that did spend on cyber have lost work due to increased costs and likely closed their doors over time. The solution is at the core of CMMC's original vision: require ALL bidders on a contract to have a third-party certified system. Then all bidders will have that additional 20% overhead and can compete fairly.
Chief Security Officer (CSO) Sierra Nevada Corporation
1 year
Roughly 1,396 available work days, or approximately 11,168 available work hours. This is the amount of time DIB contractors have had to implement NIST 800-171 controls under DFARS 252.204-7012 since it went into effect on December 31, 2017. This doesn't include the additional 15 months (October 2016) when the DoD informed industry that it would become a requirement in December 2017. NIST 800-171 controls are the absolute basic and should be considered the low bar for cyber protections. The problem isn't that the requirement is hard, technically challenging or overly burdensome, the problem is that those that are complaining the loudest simply haven't put in the work. Executive leadership teams and advisory boards should be asking why so many organizations simply sat on their asses for over five years.
CEO, Defense Cybersecurity Group (DCG), CMMC Lead Assessor, FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base
1 year
Allison Giddens. Insightful as always and I concur completely. 100% implementation is not an achievable goal in the DIB any more than the DoD has succeeded with their vast resources in 100% implementation of those same controls in the DoD. There are a number of interlocking factors and realities here. One of them I think is NIST's adamant statement that the level of protection must be the same in an SMB network as in the DoD, and Jacob Horne's well-turned phrase, "living below the cybersecurity poverty line." A significant portion of the innovation and work in the DIB supply chain actually comes from companies that live below the cybersecurity poverty line. The DoD must either decide to jettison them, or manage the risk and live with it.
Fooling with Words and Identities
1 year
I think ISO 9001 or AS 9100 auditors should just start offering a BOGO or a +171 option. If a company is starting their audit cycle, doing the delta between the two isn't that great a lift, and it provides a road map companies have used for success. I wish the CMMC Assessment Plan was just called "Sampling Guidance." Sampling is also a more reliable assessment than trying to measure an entire population. This is established measurement science.