One of the biggest, most complicated projects in the defense industrial base isn’t a new weapons system or cloud computing environment. It’s the Cybersecurity Maturity Model Certification (CMMC), which is set to upend how the Department of Defense does business with 300,000 contractors who provide everything from advanced aircraft to the shoelaces in soldiers’ boots.
The program is the Pentagon’s latest response to years of neglect that left the door open to hackers to steal critical defense information, and the second half of 2020 will be a crucial stretch for the new, 15-person volunteer board at the heart of the CMMC process.
The days where a contractor just needed to sign on the dotted line to self-certify cybersecurity compliance will soon be gone, provided the board can create an entire industry of cyber assessors from scratch. The idea is to accredit thousands of people who will test companies against a new system of security controls. Without a CMMC certification, a company will not be able to land a DOD job (without a waiver).
The new board, which oversees the CMMC’s nascent Accreditation Body, has been trying to get assessors into the field only six months after its incorporation to meet a timeline dictated from DOD officials. Contracts will start to have CMMC requirements this fall, pending a federal rule change. As the board continues to push ahead with all the tasks related to hiring and training those cybersecurity assessors, many are starting to ask if the task is simply too large and the deadlines are too tight.
“If they keep charging on ahead, it will blow up,” Frank Kendall, former undersecretary of Defense for acquisition, technology and logistics, said in an interview.
Here’s how it’s supposed to work, and why observers like Kendall see the potential for problems: Depending on a company’s DOD work, its computer networks must meet one of five new levels of security. The department has estimated most contractors will need only a level one certification, but even those cases can be complex because their subcontractors also will get a visit from assessors.
The assessors and third-party assessment organizations (C3PAOs) will be accredited by the Accreditation Body (AB). The AB so far includes the 15-person board, who populate the different committees, and larger all-volunteer working groups under the committees, the sizes of which vary.
The Pentagon holds a small office called the CMMC Program Manger’s Office, which works with the board, academic institutions creating some of the cyber guidance and the rest of the department on regulatory issues. The DOD created the actual model the AB is implementing and has been working to update contract language and regulations around how controlled unclassified information is marked.
The AB expects to eventually become a fully staffed organization with paid professionals who will train, operate and be the final arbiters of the quality of the entire system. But for now, it is a group of volunteers — many coming from either the defense or cybersecurity industry at large — offering their time out of dedication to a critical national security mission.
So far most of the people involved with the process remain optimistic. Many commend the dedication of the board and the work done by the PMO in the Pentagon. But beneath the surface, many structural challenges remain, and those unresolved issues are raising questions about whether CMMC will become the most important four-letter acronym for those wanting to do business with the DOD — or be added to the ash heap of failed Pentagon cybersecurity initiatives.
Many of those questions are coming from staffers on Capitol Hill, from industry groups that are protective of the thousands of companies that work for the military and from cyber professionals waiting to help get companies to compliance but are unsure of exactly what that will entail.
“The need is real, everybody recognizes that,” said Gordon Bitko, a former FBI CIO and now senior vice president at the IT Industry Council. “They are trying to tackle a very large problem and in an ideal world this would be going a little bit more gradually.”
There is still “a lot of curiosity” around how it exactly will work out, said Corbin Evans, head of strategic programs for the National Defense Industry Association.
“Where we are looking for clarity,” Evans said, “is mostly directed at CMMC AB.”
Questions of competence
A series of bungles earlier this year, from botched webinars to accidental publications of internal documents, sparked questions of the board’s operational competence. A potential assessor who asked not to be identified wrote to FedScoop after one such incident: “My concern is that if they can’t even get a webinar going … then how are they going to get the entire program off the ground in the next few months?”
The questions are deeper than that, of course. Kendall said the fundamental problem is that instead of fixing a “fairly straightforward” problem and working with existing contractual cybersecurity requirements, “they are creating a huge and complex independent bureaucracy outside of government.”
This nongovernmental bureaucracy is vulnerable to “very creative” lawyers who could pick apart the AB and its work, Kendall and others warn.
The board fervently denies the doom-casting of the “nay-sayers and rock throwers,” as Ty Schieber, chairman of the board, likes to call them. So far, he said, members have made strides in publishing information on credentialing, training and standards. And they’re seriously listening to the critical comments they receive, Schieber said in an interview. He said progress will continue, even with the inevitable bumps along the way.
“They are going to be just that — they are going to be just bumps,” Schieber said. “We are just going to find a way.”
The central gripe — even from some of the board members themselves — is that the board is playing two roles: tactician and strategist. It has been trying to deal with the here-and-now and the then-and-there without the staffing, finances or expertise to carry out either. It’s a dual-hatting that Schieber said is difficult but by no means long-term.
“It is not sustainable forever and it is certainly not our intent,” he said.
How the board got here
The AB was conceived in the meeting room of the Professional Services Council, a trade organization representing service and IT contractors. On a mid-November day in 2019, a phalanx of DOD officials came with a recent request for information the DOD published. The Pentagon, the largest buyer in the world, was in the market for something it rarely acquires: an accreditation body. But it wasn’t really looking to buy anything. It wanted the industry to just create it.
Among the DOD officials in attendance was Katie Arrington, the chief information security officer in the Office of the Undersecretary for Acquisition and Sustainment. As the self-described “mother of CMMC,” she saw the idea for an all-volunteer board as a way to bring fresh energy to a long standing problem.
“As you change culture, you need a new culture agent,” Arrington said in an interview.
She and the others made their pitch, turned the microphone back to PSC CEO David Berteau and walked out, leaving those in the room to step up and volunteer.
“It was a change of course from what they had articulated in the RFI,” said Berteau, who is a former DOD official. The initial RFI called for a nonprofit to act as an accreditation body for the new program, and it had received several responses. But the Pentagon’s pitch in the room in November was a change in direction from the RFI that indicated interest in partnering with an already established organization to complete the AB’s assignments.
“It is not common,” Berteau said of the arrangement.
One of the hands that went up was that of Chris Golden, a former Air Force officer. Initially, he thought participating would be a meaningful side project to his day jobs also in cybersecurity and compliance assessments. But eventually, the work ballooned into the reason he was staying up late into the night and working weekends.
Golden’s experience was not unique. Some board members described a “more-than-I-bargained-for” situation in interviews and in CMMC documents reviewed by FedScoop.
But many stressed the passion and sense of duty that has fueled their work. They say it’s a story of a group of patriots dedicated to solving a critical national security challenge.
Placement on the board and in the working groups that toil on the minutiae of the CMMC assessment ecosystem has been contentious for some. Several industry sources told FedScoop they were offered placement in working groups in a quid-pro-quo for quieting social media criticism. Communications reviewed by FedScoop also indicate that some potential assessors saw access to working groups as a way to get a jump on the market and be ahead in the assessment accreditation process.
It’s against the code of ethics of the board to try and gain access via the working groups and the board said “there has never been a policy to offer Working Group slots based on anything other than the criteria posted on our website.” Everyone signs a nondisclosure agreement.
Schieber, the board’s chair, will be the first to tell you he was not expecting to be in the position he is. He is a former Marine with a lifetime of service but little time leading major startup organizations the size of CMMC from birth through their tumultuous toddler months. He had been following the development of CMMC and has a long and close working relationship with Arrington — a factor that caused some board members to push him to be their leader.
“It was one of those things that I wanted to roll up my sleeves and try and figure it out,” said Schieber, who has a day job as a senior director of executive education at the University of Virginia.
The “coalition of the willing,” as Arrington likes to call those early volunteers in her stump speeches for the program, incorporated into the CMMC AB in January. Since, board work has consisted of hours-long meetings taking the place of some members’ full-time jobs that range from work with big prime contractors like Raytheon and Microsoft to small compliance shops new to the DOD space. Their long meetings at times have included “heated” debate, per a board member’s “National Conversation” video, and others have said there are tensions over the direction of the program’s development.
Arrington said she is “blown away by the quality on the board.”
“I think it is amazing to see what the board is doing,” she said in an interview.
Within the independent board, the deep experience that some members bring has also brought allegations of conflicts of interest. Some members advertise CMMC expertise on their companies’ websites. It’s a sensitive issue for the board, which forbids members from trying to exploit their positions for personal gain.
To add even more DOD cyber-assessment know-how to the board’s braintrust, the AB recently started soliciting advice from the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The DOD agency already does spot-assessments of contractors after cybersecurity incidents and since May has advised the board. Even though DIBCAC does similar work to the AB and has been doing an “amazing job,” Arrington said it could not have been the AB or built out to run CMMC.
“We couldn’t do this in the DOD,” Arrington said. She added that “we don’t have the money or the resources in our defense budget” to do what the AB must to do.
A central question board members still are asking DIBCAC assessors like Michael Snyder is: How to do assessments, Snyder said.
“Their concern is getting it down to a couple of days,” Snyder said of assessments for CMMC level three and up.
He added another top concern they talk about: money.
No money in it — yet?
The memorandum of understanding the AB signed with the DOD makes clear it won’t be receiving a penny from the DOD. To sustain itself, the AB will need to make money from the training and accreditation process it will eventually be running. For now, their immediate expenses are adding to AB’s debt and obligated future payments.
Some members have grown concerned with the debt the board is accruing and future payment obligations it is signaling. Concerns for some include talks with a marketing firm to redesign the AB’s name and logo, people familiar with the matter say.
The board declined to comment, saying “The CMMC Accreditation Body does not confirm nor comment on internal deliberations, contracts or proposed engagements, except when and if publicly shared on our website.”
The AB has also issued several requests for proposals for major purchases apparently without the money to pay for them.
Some on the board were blindsided by the first RFP in May for a “continuous monitoring tool” to catalog public information on certified organizations’ security status and maintain eyes on the industry — a piece of tech that increased the scope of the board’s mandate and would likely incur significant cost on the organization.
While Golden, who led that particular project, said “I don’t think we made any mistakes at all” when it came to the RFP, others on the board described internal frustrations they had with the quick rollout. More than 50 companies ended up responding, despite the quick turnaround requirements for submitting proposals. The AB’s own quick turnaround time for potentially issuing a contract was not met. The board still has not selected a winner, leaving the 50 companies waiting for answers.
Schieber declined to discuss the board’s finances but said that it currently has some money and soon it will have revenue from those it will train and accredit. The chairman of the AB’s communications committee, Mark Berman, also declined to provide information about debt, funding or other financial information.
So far, the AB is banking on that it will generate millions of dollars — some observers’ back-of-the-envelope calculations say billions — from training assessors. In late June, the AB announced it also will be charging cybersecurity consultants that want to help contractors prepare for their assessment to get a certificate of training, a move not spelled out in the MOU or anticipated by many.
The cost for contractors
Arrington has said level one certifications, which she estimates to be the only level the vast majority of the industry will need, should only cost $3,000 every three years.
It’s still hard to know what the price will be, though, because the assessors themselves will be setting it; certifying a company will be a for-profit business for assessors. The only control the AB has on it is trying to increase supply to meet demand, board members have said.
But no matter how big the supply gets, another practical challenge that the board is working on is preventing a “race to the bottom” for assessors. Meaning that the type of assessor a contractor wants is one that is cheap and will be lenient, ensuring their business with the DOD remains free-flowing. The AB will maintain oversight and sign-off on certifications, according to recent releases from the board, but how closely the organization can monitor all certifications is unclear.
The board’s oversight of contracts leaves it open to legal challenges, especially as an independent nonprofit, Mark Hijar, executive director of the Federal Supply Chain Management Organization (FSCMO), told FedScoop.
“Because there is no government involvement, the AB does not have sovereign immunity from suit,” he said in an email.
If a contractor doesn’t receive the CMMC certification they need and think their rejection was misplaced, there’s no clear path for remediation yet that the board has laid out.
Kendall says this is an example of how the “inherently governmental function” of certification should not be put out to the private sector.
For Hijar, the AB’s lack of clarity on how it will settle disputes is “very concerning” and shows the board is prepared to “make up the rules as it goes along.”
“While many in and out of the industry complain about the excessive rules and red tape involved with contracting with the U.S. government, much of that red tape … are important protections for contractors and taxpayers alike from both innocent and nefarious conflicts,” he said.
Board members recognize the out-of-the-ordinary process they have set up. Golden said it was a bit of a “cart before the horse” situation having a board before an actual organization. But in his mind, there is no choice but for the board to overcome the complex legal, practice and financial issues.
“Come hell or high water, I am going to make this work” Golden said.