Steep costs, troubling questions roil DOD cybersecurity program rollout

About 80,000 companies that sell to the U.S. military will need to pass a cybersecurity audit before they can bid for business under rules the Defense Department plans to impose next year. But many small defense contractors aren’t prepared for the brave new world of the Cybersecurity Maturity Model Certification (CMMC) program.

When Michael Dunbar first heard about the CMMC cybersecurity standard during a conference in Texas for engineering firms doing business with the federal government, he was mystified.

As president of a small company that sells fuel and lubricants to the DOD, “we were going to have to be compliant with this stuff,” Dunbar told README. “But they just kept using all these different acronyms, and I had no idea what anything meant.”

The U.S. Navy veteran asked a few questions at the November 2019 session hosted by the Society of American Military Engineers, but after he couldn’t understand the answers, “I just thought, ‘this is so far over my head, I’m going to leave,’” Dunbar said.

Later, one of the speakers stopped by the booth for Dunbar’s company, Ryzhka International LLC. Jonathan Hard “wasn’t trying to sell me anything,” Dunbar recounted. “He just wanted to help a fellow veteran and explain what was going on.”

Hard, CEO of cybersecurity consultancy H2L Solutions, told Dunbar all about how cyber vulnerabilities in the DOD supply chain put U.S. military innovation at risk from foreign hackers and spies, sacrificing the technological advantage that the U.S. had enjoyed for the past half century.

Even a small supplier like Ryzhka could provide a point of entry for America’s enemies, as Hard put it. That’s because technical information like blueprints has to flow outwards from the DOD and its prime contractors through a network of subcontractors, creating a connection with the IT networks of all those companies. Dunbar and his counterparts were effectively on the frontlines of a new kind of war.

“That’s when I started to understand this is a big issue,” Dunbar said.

More than a decade earlier, the U.S. government had started to understand it, too.

In 2007, Chinese cyber spies stole “many terabytes of data” about the F-35 Joint Strike Fighter, then still in development, according to an NSA assessment leaked in the Snowden trove and published by German news magazine Der Spiegel. The data included detailed engine schematics and radar design for the cutting-edge fifth-generation stealth warplane, enabling China to short-circuit billions of dollars’ worth of R&D and unveil its own advanced stealth fighters, the J-20 and the J-21, years ahead of schedule in the following decade.

The spies initially broke in, officials later concluded, through a Lockheed Martin subcontractor.

DOD’s flagship effort to head off similar supply chain threats, years in the making, has faced delays and headwinds as small businesses like Dunbar’s struggle to prepare for the shifting demands and complicated rules of CMMC.

U.S. Secretary of Defense/Flickr

Evolving requirements

China’s hack of the $1.7 trillion F-35 program planted the seed of CMMC. But the program did not begin to take shape until 2015, when federal scientists at the National Institute of Standards and Technology developed a catalog of security controls to help Dunbar’s firm and thousands of others like it shore up their cybersecurity.

NIST Special Publication 800–171 contains 110 security controls, organized into 14 families. These range from access control measures, such as limiting the number of unsuccessful login attempts, to configuration management and the timely application of software updates.

Since 2016, the Defense Federal Acquisition Regulation Supplement or DFARS has required defense contractors handling certain kinds of government data to implement the steps laid out in NIST SP 800–171.

“The government has been very consistent over many years about what it intends, and what it intends is: Contractors that handle [controlled unclassified information, or] CUI have to implement SP 800–171,” said Jacob Horne, chief cybersecurity evangelist for security and compliance company Summit 7.

But there are a lot of problems with the DFARS requirement, Horne added. For one, there is no enforcement mechanism. The regulations operate on an honor system: Contractors self-attest that they have implemented the security controls and therefore meet the requirement.

Worse, said Horne, who previously worked for NIST in an industry outreach program, many subcontractors and other small businesses didn’t even know they were supposed to implement the controls.

“Nobody even knew what DFARS was, they had no idea what NIST 800–171 was … There was clearly a disconnect,” he said.

Recognizing the issue, in 2019, Congress included language in the annual defense authorization bill creating a framework to ensure contractors were meeting their obligations under DFARS — and CMMC was born.

But a two-year rulemaking process to lay out CMMC standards and create a huge marketplace for private sector assessors to ensure compliance ultimately stalled. What doomed it, in part, was a blizzard of criticism from industry advocates who complained the program was unnecessarily complex and its requirements were too rigid, especially for smaller businesses. It was also hobbled by ethical questions surrounding the process for accrediting assessors who would ensure contractor compliance.

CMMC reborn

The Biden administration overhauled the program at the end of last year. CMMC 2.0 attempted to fix the problems with the initial effort by lowering the bar for most contractors. Under the new version, about 80,000 companies will be in level two, where they’ll need an independent audit of their compliance with SP 800–171 by a certified third-party assessment organization, or C3PAO. A few hundred companies working on the most sensitive defense programs will be level three, where they will have to be assessed by government auditors.

And the largest group by far, about 120,000 defense contractors, will be defined as being in CMMC level one, where the only requirement will be for a self-assessment.

But even a self-assessment would likely be beyond the capability of many small business subcontractors to complete, Dunbar said. Despite spending countless hours educating himself on CMMC — he testified before Congress last year about it — Dunbar said when he visited the DOD self-assessment portal recently, he could not understand how to go about answering most of the questions.

“I am an expert on my business. I know how to make money running my business. I am not a cybersecurity expert,” he said. “I answered five of the first 33 questions — that’s how little knowledge I have of that.”

Dunbar said he is typical of small business owners throughout the DOD supply chain. “A lot of business owners, they are going to make their best guess,” when they answer self-assessment questions, he said. “How’s that going to help cybersecurity?”

The Pentagon at night. Geoff Livingston/Flickr

An unaffordable burden?

For the firms in level two, there’s a different problem: The cost.

Dunbar said that he had been quoted $200,000 as the cost of a level two CMMC compliance assessment for his six-person company, plus $100,000 annual ongoing costs. “In an average year, $200,000 would exceed the net profit of the company,” he said, “That is not affordable.”

He’s not alone. “For many of those companies [in level two], the expense is formidable,” said Robert Metzger, an attorney with Rogers Joseph O’Donnell and former member of the Defense Science Board Task Force on Cyber Supply Chain. “For some it may be unaffordable. And there’s no particular method in place, other than the uncertainties of market competition among the very small number of assessors, to ensure that the price of assessments will come down to a point where they are affordable.”

Metzger pointed out that there are twelve C3PAOs certified so far, signaling a lack of progress in the program generally. “It remains troubling, that we are so long in this effort of gestation, without a single company yet being assessed, much less certified,” he said.

For the CMMC program to work, for-profit C3PAOs will have to conduct tens of thousands of these six-figure assessments, but the responsibility for setting the rules that will govern this massive marketplace was farmed out to a hastily created nonprofit dubbed the CMMC Accreditation Board, or CMMC-AB. The board has struggled to set standards amid the moving goalposts created by the shift to CMMC 2.0, and a hailstorm of questions about potential conflicts of interest.

Gearing up for a “massive influx”

Matthew Travis, who was appointed to lead the CMMC-AB as CEO in April 2021, told README that over 400 companies were lining up to get certification just as the DOD announced the review that led to CMMC 2.0.

“The market response to the ecosystem was pretty strong,” he said.

Travis acknowledged that the board “needs to do a better job of getting more [companies] certified” so they can begin conducting assessments.

Part of the issue, he said, is that, like companies in level three CMMC, the C3PAOs must be assessed by government auditors from the DOD’s Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC.

“I know DIBCAC is looking at how they can get more resources to improve the throughput of how many they are assessing each year,” he said. At the same time, CMMC-AB has been “working with the pipeline of candidate C3PAOs to make sure they’re prepared to go and get assessed. Have you done this? Have you done that? Because we don’t want to send them to the DIBCAC and have them fail.”

C3PAOs face a time crunch, said Kratos Defense and Security Solutions CMMC Practice Lead Cole French. Kratos is one of the twelve authorized C3PAOs and has a team of “six to ten people” ready to begin assessments once the standards are laid out, he told README.

The problem, he said, is that many companies might wait until the last minute to seek certification, doing so only when the rules compel them, rather than at the earlier date when assessments can begin.

“It’s more likely that there’ll be a rush of folks getting certification when the rule-making is complete, versus when they issue the authorization for us to begin the provisional period,” he said.

“I’m not sure that the ecosystem is ready to support a massive influx of folks who want to get certified,” he added.

To prepare for that flood of defense contractors seeking CMMC accreditation, Travis said the board is working on an online marketplace for C3PAOs, which he compared to the online marketplace TrueCar. The website “we’re aspiring to build,” he said, would offer “near real time bid and proposal functionality” where a defense contractor could enter some basic data about their company and get an online quote for an assessment.

An online marketplace would enable competition on price. Neither Kratos nor the other companies contacted for comment would discuss pricing, but industry sources told README that the cost of an assessment is driven in part by the scale of the exercise and the length of time needed to complete it.

The U.S. Army/Flickr

What will CMMC assessments look like?

The Process Guide that will paint a detailed picture of a CMMC assessment has not yet been published, but comparable assessments carried out by the DIBCAC involve week-long engagements by multi-person teams, with an onsite component, said Kate Growley, a cybersecurity partner at law firm Crowell and Moring.

Growley described a multistage DIBCAC process designed to ensure that defense contractors are following the relevant NIST security policies.

Assessors begin by obtaining copies of the company’s security plans and prior self-attestation statements. The second stage is the assessment itself. “It is intended to be a quote, unquote, over the shoulder confirmation that what you have written on paper is actually happening in practice,” Growley said.

“There are demonstrations: For example, you might be asked to display an actual configuration setting to confirm that what you have written in your [security plan] is actually what is happening in practice,” she said.

The third stage is the “outbrief,” where the team presents a draft report to the contractor.

If the contractor disagrees with the preliminary findings, they can submit a “reclama,” Growley said, “which is essentially a rebuttal … another bite at the apple, another opportunity to provide additional information, to clarify potential confusion.”

The DIBCAC team might accept the contractor’s position and update its findings — or reject the reclama and keep the outbrief as it is, she said.
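The “over the shoulder” check Growley describes comes down to comparing what a contractor wrote in its System Security Plan with what is actually configured on its systems. The script below is an added illustration of that comparison for one of the SP 800–171 controls mentioned earlier, the limit on unsuccessful login attempts (control 3.1.8 in Rev. 2). It is not code from the article, from DIBCAC, or from any of the people quoted. The SSP values, the sample pam_faillock configuration, and the pass/fail rules are all constructed for the example; a real assessment would pull the evidence from the host and apply the assessor’s own judgment.

```python
"""Compare a System Security Plan claim with observed configuration evidence
for NIST SP 800-171 control 3.1.8 (limit unsuccessful logon attempts).

Added example; the SSP values and the faillock.conf text are constructed, not
taken from any real contractor or system."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Hypothetical values a contractor might have written into its SSP.
SSP_CLAIM = {"max_failed_logons": 5, "lockout_seconds": 900}

# Constructed evidence in the format of /etc/security/faillock.conf on a Linux
# host. Comments, blank lines, `key = value` lines and bare flags all occur.
FAILLOCK_CONF_EVIDENCE = """\
# Lockout policy (constructed sample for the example)
dir = /var/run/faillock
audit
deny = 10
unlock_time = 600
even_deny_root
"""


@dataclass
class Finding:
    setting: str
    claimed: int
    observed: Optional[int]
    ok: bool
    note: str


def parse_faillock(text: str) -> Dict[str, Union[int, str, bool]]:
    """Parse faillock.conf: `key = value` lines become entries (numeric values
    are converted to int), bare flags such as `audit` map to True."""
    settings: Dict[str, Union[int, str, bool]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if m:
            key, val = m.group(1), m.group(2)
            settings[key] = int(val) if val.isdigit() else val
        else:
            settings[line] = True
    return settings


def check_logon_limit(ssp: Dict[str, int], evidence: str) -> List[Finding]:
    """Stricter-than-claimed settings pass; looser or missing settings are findings.
    In faillock, unlock_time = 0 means the account stays locked until an
    administrator unlocks it, which is stricter than any finite lockout."""
    observed = parse_faillock(evidence)
    findings: List[Finding] = []

    deny = observed.get("deny")
    if not isinstance(deny, int):
        findings.append(Finding("deny", ssp["max_failed_logons"], None, False,
                                "deny not set; no attempt limit enforced"))
    else:
        ok = deny <= ssp["max_failed_logons"]
        findings.append(Finding("deny", ssp["max_failed_logons"], deny, ok,
                                "ok" if ok else "observed limit looser than SSP claims"))

    unlock = observed.get("unlock_time")
    if not isinstance(unlock, int):
        findings.append(Finding("unlock_time", ssp["lockout_seconds"], None, False,
                                "unlock_time not set"))
    else:
        ok = unlock == 0 or unlock >= ssp["lockout_seconds"]
        findings.append(Finding("unlock_time", ssp["lockout_seconds"], unlock, ok,
                                "ok" if ok else "observed lockout shorter than SSP claims"))
    return findings


def control_passes(findings: List[Finding]) -> bool:
    """The control is met only if every compared setting is at least as strict as claimed."""
    return all(f.ok for f in findings)


if __name__ == "__main__":
    results = check_logon_limit(SSP_CLAIM, FAILLOCK_CONF_EVIDENCE)
    for f in results:
        print(f"{f.setting}: claimed={f.claimed} observed={f.observed} -> {f.note}")
    print("3.1.8 passes:", control_passes(results))
```

Run as written, the sample evidence fails both comparisons: the host allows 10 failed attempts where the plan claims 5, and locks out for 600 seconds where the plan claims 900. That mismatch between paper and practice is exactly what an assessor is looking for; a contractor preparing for assessment would run the same comparison across every host in scope before the team arrives.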

In the DIBCAC assessments that have taken place over the past few years, only 1 in 4 defense contractors has passed, README reported earlier this year.

Heads in the sand

DOD officials have said they hope to publish a draft rule implementing CMMC for public comment by March 2023 and start writing the standard into contract offerings by May that year.

There’s a danger that CMMC could end up driving some companies out of the defense industrial base altogether, said Metzger, the Rogers Joseph O’Donnell attorney. “There is a risk that some companies will decide not to sell to DOD,” he said. But he added that a worse risk is if the cost and difficulty of CMMC just push many contractors to put their heads in the sand.

“Many companies may bet that they will not become subject to a mandatory certification requirement for several years … and that there’s no need to confront or incur this expense until they know that the new regulations are in place and know that their contract will be subject to the new regulations,” he said.

Correction: This story has been updated to reflect there are now 12 certified C3PAOs, not six; and NIST Special Publication 800–171 contains 14 families of security controls, not 11.