Rethinking CMMC: A Collaborative, Mission-Focused Approach to Securing the Defense Industrial Base
Cybersecurity Maturity Model Certification (CMMC) logo. © CMMC Accreditation Body. Used for informational purposes only.


Whatever its form, the DoD's new CMMC approach must empower the Defense Industrial Base as a mission-critical partner as it evolves and matures.

Introduction: Realigning Strategy with Mission Priorities

The Defense Industrial Base (DIB) plays a vital role in U.S. national security, driving the innovation and production necessary to maintain military superiority.

Recognizing the critical need to secure this ecosystem, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC).

While well-intentioned, CMMC’s current implementation creates complexity and barriers rather than enabling partnership across our Defense base.

Developed by the acquisition community and not operational leaders, CMMC focuses on compliance-driven processes and (largely) ignores mission partner enablement, which is a critical component of the DoD's Joint Warfighting Doctrine and Zero Trust Strategy.

This divergence from operational principles has fostered a bureaucratic and fragmented ecosystem that isolates the DIB, incentivizes private sector profit over collaboration, and adds unnecessary complexity without measurable results.

I believe a more effective strategy needs to align CMMC with core operational principles like centralized control, decentralized execution, simplicity, and partner enablement.

This article examines the current (unintended) shortcomings of CMMC, evaluates alternative approaches, and proposes actionable recommendations to achieve the vital cybersecurity objectives that are desperately needed.

Thesis

The current CMMC approach prioritizes compliance over collaboration, placing undue burdens on contractors and fragmenting the cybersecurity ecosystem across the DoD and DIB.

A centralized, DoD-led solution—focused on enabling the DIB through secure infrastructure, streamlined processes, and operational alignment—offers the clearest path forward to meet the Vision, Mission, and Goals of the DoD DIB Cybersecurity Strategy.

Figure 2: FY 2024 - 2027 DoD DIB Cybersecurity Strategy

Main Points and Supporting Arguments

1. The Problem: A Fragmented and Inefficient Ecosystem

CMMC has introduced structural inefficiencies and complexities that hinder its effectiveness.

  • Accountability Misplaced: CMMC shifts critical responsibility for sensitive data away from the DoD and onto the Defense Industrial Base. This approach conflicts with DoD’s Zero Trust principles, which emphasize centralized control and mission partner interoperability.
  • Unnecessary Complexity: Unique scoping guidance, asset categorization, and an unproven compliance system add administrative burdens without demonstrably improving cybersecurity.
  • Profit-Driven Ecosystem: The reliance on Certified Third-Party Assessor Organizations (C3PAOs) incentivizes audits and consulting services over meaningful security improvements.
  • Impact on SMEs: Small and mid-sized businesses (SMEs) face disproportionate financial and operational burdens, diverting resources from innovation to compliance.

2. CMMC Misalignment with DoD Operational Principles

DoD missions are guided by the principles of centralized control and decentralized execution.

CMMC, however, has veered from these principles in order to institute a "compliance-centric" approach to managing and securing Controlled Unclassified Information (CUI) across the DIB.

  • Developed by Acquisition Personnel: CMMC originated in the acquisition community, prioritizing contract compliance over operational enablement. This design unintentionally treats the DIB as an audited entity rather than a mission-critical partner (which they indeed are).
  • Fragmented Security Efforts: Rather than leveraging centralized infrastructure and proven processes, CMMC fragments efforts across contractor networks, increasing vulnerabilities and operational risk to CUI and the mission.

3. An Opportunity for Realignment

DoD already possesses the wherewithal to enable secure and effective DIB collaboration.

  • Leverage Centralized Control: Platforms like the Mission Partner Environment (MPE) could be adapted to create a secure “DIBNet,” giving contractors centralized systems for managing CUI while simplifying contractual cybersecurity requirements.
  • Adopt a Decentralized Execution Model: Contractors can focus on executing their missions securely within a DoD-managed infrastructure and defined Risk Management Framework.
  • Streamline Processes: Simplifying compliance by centralizing control and removing redundant layers (e.g., scoping guidance and asset categories) would reduce costs and foster trust.

Proposed Courses of Action (COAs)

COA 1: Maintain the Current CMMC Model

  • Description: Retain the existing framework with incremental adjustments to address stakeholder feedback.
  • Strengths: Establishes standardized benchmarks and a scalable ecosystem.
  • Weaknesses: Continues to fragment security efforts, incentivizes profit-driven behavior, and burdens SMEs.

COA 2: Create a Secure, Centralized "DIBNet"

  • Description: Develop a DoD-managed infrastructure (e.g., DIBNet) that centralizes CUI management, aligns with Zero Trust principles, and simplifies contractor requirements.
  • Strengths: Enhances security consistency by keeping CUI under DoD control. Reduces contractor costs by centralizing infrastructure and oversight. Promotes mission partner collaboration and operational alignment.
  • Weaknesses: Requires initial investment to adapt and scale DoD infrastructure for DIB use.

COA 3: Expand Mission Partner Environment (MPE)

  • Description: Scale the MPE to include the DIB, enabling secure collaboration and compliance.
  • Strengths: Builds on an existing, proven mission partner platform that encourages information sharing and reduces redundancies. Centralizes DoD control of CUI.
  • Weaknesses: Requires additional resources to tailor MPE capabilities to DIB needs.

COA Evaluation Criteria

In the DoD's Joint Planning Process, COA evaluation criteria are defined standards commanders and staffs use to measure the effectiveness of one COA relative to others.

Developing these criteria is a standard part of the commander's planning guidance, and they are designed to eliminate bias in COA comparison.

For the above Proposed COAs, suggested evaluation criteria might include:

  1. Collaboration: Does the approach foster trust and cooperation between the DoD and the DIB?
  2. Cyber Resilience: Does it enhance the DIB's ability to continue to operate while detecting, responding to, and recovering from cyber threats and attacks (i.e. mission assurance)?
  3. Cost Efficiency: Does it reduce financial and operational burdens, particularly for SMEs?
  4. Simplicity: Does it streamline compliance processes to reduce unnecessary complexity?
  5. Alignment with DoD Strategy: Does it align with existing strategies like The DoD Zero Trust Strategy, the DIB Cybersecurity Strategy and Joint Warfighting Concept?
  6. Scalability: Can the solution accommodate the diverse needs of DIB contractors easily?

Recommendations: A Centralized and Collaborative Path Forward

Among the proposed options, DIBNet (COA 2) offers the greatest potential to balance security, cost efficiency, and operational alignment. This centralized enclave could function as the defined CUI authorization boundary across the DIB for all DoD CUI in the supply chain.

To achieve this, the DoD could:

  1. Develop Centralized Infrastructure: Invest in a secure DIBNet platform for CUI management and contractor access. Leverage existing DoD infrastructures and government cloud services.
  2. Streamline Contractor Compliance: Pivot from fragmented third-party assessments to centralized oversight. Shift from vendor audit to mission partner collaborative approach.
  3. Define Metrics for Success: Establish clear measures of effectiveness to ensure continuous improvement and accountability. Leverage RMF to authorize vendor connection to DIBNet.
  4. Empower Decentralized Execution: Equip contractors with the tools and training needed to operate securely within the centralized system. Shift DIB focus back to what they do best.

Conclusion: Enabling Partnership for National Security

CMMC’s goal—to secure the DIB—is essential. However, its current approach fragments security efforts and overburdens contractors. This must remain a focus as we continuously evaluate the effectiveness of CMMC.

By leveraging centralized control, decentralized execution, and existing infrastructure like the MPE, the DoD can realign CMMC as a collaborative strategy that empowers the DIB to innovate while maintaining robust cybersecurity.

Again, no matter how we move forward one thing will remain paramount and unchanging.

The Defense Industrial Base is a national treasure and the foundation of our warfighting capability.

We must remain fully committed to ensure the DIB is treated as a vital mission partner in order to support our warfighters and the mission with maximum effectiveness.

Sushant Katare, CCP, CISSP

Turning CMMC Complexity Into Simplicity | vCISO for DIB Suppliers | CISSP Certified | 14+ Years of Passion | 40+ Businesses Secured | Opinions are my own

1 month

Great insights! Collaboration is key for effective CMMC adoption.

Russ Smith

Field CTO | AFCEA Cyber Committee | Zero Trust Strategist

1 month

Many parts of the DIB are actually farther ahead than the DoD in implementing zero trust. Which is another concern for the DoD… why not leverage the great work in industry instead of having industry adhere to DoD requirements that often deliver yesterday's tech tomorrow?

Russ Smith

Field CTO | AFCEA Cyber Committee | Zero Trust Strategist

1 month

The real challenge for the DoD is CMMC and its underlying security requirements are focused on CUI data. And while the department talks about moving from net-centricity to data-centricity in its security model, there is a tremendous amount of maturity that needs to take place. Zero trust is the absolute correct evolution, but we know there is a lot of work that needs to be done.

Russ Smith

Field CTO | AFCEA Cyber Committee | Zero Trust Strategist

1 month

Thanks for your thought leadership on this topic as this subject is a particularly challenging one. CMMC, which establishes an auditing ROE, and its underlying requirements from NIST SP 800-171 (and soon 800-172) for the DIB are often confused. As you point out, we don’t want to fall into a GRC or RMF box-checking mind set with our DIB partners.

Michael Dempsey

Managing Partner at CISEVE (C3PAO), Lead Certified CMMC Assessor (CCA)

1 month

Nice article but to be clear your reference to CMMC is slightly flawed. CMMC...32 CFR...DFARS 7021...only requires that an organization have an independent 3rd party assessment. The assessment is of their implementation of NIST 800-171...Which is from DFARS 7012, so that clause, which came out 7 years ago, and not CMMC established the requirements that you describe. CMMC is getting a bad rep because it is misunderstood.


More articles by Michael Brooks CISSP, PMP, MBA
