The Cybersecurity Maturity Model Certification (CMMC) — the new third-party cybersecurity testing program that applies to all Department of Defense contractors — is off to a turbulent start.
A recent request for proposals posted by the CMMC accreditation body, the nonprofit that will play an essential role in overseeing the training and certification of assessors, caught many companies and military officials off guard.
The RFP asks for ways the board, the assessors, DOD officials and the contractors themselves can continuously monitor open-source information about companies’ cybersecurity and be notified if they are slipping below standards. The board wants a cloud-based tool that will essentially offer dashboards for the parties to monitor.
The seemingly rushed RFP, issued April 22, has a nine-day response window with no corresponding request for information or other publicized market research.
On top of that, no one knows who is going to pay for it. Katie Arrington, the CISO for acquisition and sustainment in the DOD and project lead on CMMC, told FedScoop that DOD isn’t footing the bill. Nor will it be providing funds in general to the independent accreditation body, she said.
Contractors will have to start meeting CMMC requirements under RFIs this summer and in RFPs this fall. The new model will replace older standards in the Defense Federal Acquisition Regulation (DFARs) before the end of the calendar year as well, Arrington has said.
With the sudden release of the continuous monitoring RFP, some have described the CMMC accreditation board as a private layer of bureaucracy that will only hamper progress on securing sensitive government information entrusted to contractors.
“CMMC is a deeply flawed way to achieve this objective,” Frank Kendall, the former undersecretary of defense for acquisition, technology and logistics, wrote in Forbes late Wednesday. “The Defense Department should at least delay CMMC implementation, and probably cancel it altogether.”
Until this point, most of the cybersecurity industry has cheered on CMMC’s implementation with glowing LinkedIn posts and general excitement over its development. For many cybersecurity firms, CMMC offers a new business opportunity to help some of the 350,000 contractors who must now comply with new rules, which are largely based on National Institute of Standards and Technology standards.
Now, posts about the eight-page procurement document are trailed by long chains of security professionals firing heated questions back and forth and raising legal concerns.
CEOs and CISOs of cybersecurity firms have also told FedScoop that the process seems muddled and unlikely to result in a better rollout of CMMC.
“It’s not that I don’t think it should be done quickly,” Simone Petrella, CEO and co-founder of CyberVista, said of the monitoring tool procurement and general implementation of CMMC. “But why would we want it done this quickly that we don’t get it right?”
When asked, the board said this RFP doesn’t guarantee it will buy or build anything.
“The [Accreditation Body] is under no obligation to implement any of the proposal responses and won’t make that decision until we review and assess all responses,” Mark Berman, chairman of the body’s Communications Committee, said in an email to FedScoop. “The buy/build decision will follow a review of the types of data, accuracy of the data, and exactly how the data may be used to accomplish the objective.”
‘Cart before horse’
The request for technology comes before the accreditation body has released information on the standards and training of auditors. The training will roll out in a cascade of layers that all need to click into place for CMMC to work. The board, which is an all-volunteer group of working professionals, plays the critical role of beginning the process of training the certified third-party assessor organizations (C3PAOs). Those certifying organizations will then have some level of authority—although this part is unclear—over training the 10,000 auditors board members estimate the defense industry will need. Those auditors will be the ones to actually physically inspect networks and certify DOD contractors to a CMMC level.
The accreditation body is ultimately responsible for much of this work and has yet to clarify how it will do it — instead, releasing the RFP for a continuous monitoring tool which has raised more questions than answers on progress for starting training.
“It seems a little ‘cart before horse’,” Mike Hamilton, CISO of CI Security, said about the RFP in an interview. “It’s a little strange for a nonprofit to be creating something like this,” he added of the continuous monitoring tool.
The accreditation body doesn’t need to follow the Pentagon’s acquisition regulations because it’s not officially a government office. The memorandum of understanding between the DOD and accreditation body officially named the AB as the entity in charge of setting standards and training assessors, Arrington said. The memorandum has not been released publicly. The department has not mentioned if there are provisions that allow the board to purchase goods or services the government will eventually use.
“Our intent is to explore mechanisms to ensure the CMMC Standard is effective,” Berman said. He added: “Importantly, there is no plan to have the [continuous monitoring] capability (if implemented) impact the status of a [defense industrial base] company’s CMMC certification status.”
The RFP’s fast turnaround time struck Hamilton and others as a sign the RFP was written with specific companies in mind. Berman did not deny this was the case and wouldn’t say when the idea was brought to the board. The idea had not been discussed publicly in the many CMMC-related events FedScoop regularly observed before the RFP was posted on LinkedIn.
“We feel that a one-week timeline is adequate for companies that are established in this domain to develop and submit a response to the RFP,” Berman said.
Correspondence reviewed by FedScoop shows that those involved in the decision-making indeed have specific companies in mind as models for what they are looking to potentially purchase. But how the accreditation body will pay for the tool is unclear as it currently doesn’t appear to have any funding streams.
“As a private entity, the CMMC-AB does not disclose internal finances prior to the annual reporting that is required of all nonprofits,” Berman said.
Max Aulakh, president and CEO of Ignyte Assurance Platform, didn’t mince words. He called the RFP process a “real-time train wreck.” Aulakh said that the RFP is “just one of many” issues and just adds to the likelihood, in his opinion, the board won’t succeed in solving the extremely complex problem of securing the defense industrial base.
“It is just going to fail,” he said.