Qualifying CMMC Auditors in the Age of COVID-19
As much of the world grinds to a halt with the spread of COVID-19, the Department of Defense (DoD) and the CMMC Accreditation Body (CMMC AB) are charging forward with implementing the CMMC. The CMMC AB is charged with several large tasks to make the CMMC a success, which include certifying CMMC auditors and C3PAOs (the companies who employ the CMMC auditors). Both the CMMC auditors and the C3PAOs must meet a set of requirements being established by the CMMC AB in order to perform the network assessments/audits that will be recognized by the DoD as meeting the new CMMC requirement. The DoD intends to include the CMMC requirements in 10 new requests for proposals (RFPs) in fall 2020. The DoD estimates that 1,000 companies will be impacted by the CMMC requirement in the initial 10 RFPs. The current timeline of the CMMC implementation will require all 1,000 companies to receive their CMMC certification by the time of contract award, which could be as late as June 2021 (let us assume June 1st for now).
The CMMC AB intends to qualify CMMC auditors via in-person CMMC auditor training. The auditor training will be conducted by trainers who are trained by the CMMC AB. Only auditors who attend the approved CMMC auditor training will be considered qualified to conduct the CMMC audits recognized by the DoD. The CMMC AB plans to launch initial train-the-trainer training in April 2020. It is unclear how long the training for auditor trainers will last, and what the throughput will be, but let’s say that CMMC AB-approved training for auditors was planned to begin in earnest in June 2020. With COVID-19 making in-person training impossible for the foreseeable future (as evidenced by many state school systems canceling in-person classes until the 20-21 school year), it is unclear if training for trainers will kick off in April as planned.
For simplicity, let’s also assume that each audit takes on average two weeks and requires two auditors to complete, realizing that CMMC Level 5 audits will require more time and manpower than a CMMC Level 1 audit. In order to prevent a bottleneck in the DoD supply chain on June 1, 2021, more than 60 auditors need to be certified by the CMMC AB each month starting in June 2020. It is difficult to see how the current method of train-the-trainer and certified CMMC auditor training will meet this initial demand, let alone how it will scale to meet the exponentially growing demand over the next five years. In addition to in-person training not being easily scalable (especially given that the current CDC guidance suggests no gathering larger than 10 people), the flaws in this method are even more apparent in this new COVID-19 reality of telework and widespread government-mandated lockdowns. It is hard to know exactly when training could commence.
Instead of continuing with the model for training trainers, providing training to auditors, and waiting out a world-wide pandemic, the CMMC AB should spend its limited time and manpower developing a CMMC auditor certification. According to the American National Standards Institute (ANSI) National Accreditation Board (ANAB) “a certification reflects attainment of established criteria for proficiency or competency in a profession or occupation and is granted upon an assessment of an individual’s knowledge, skills, and abilities. Certification is valid for a specific time period. A certification program has ongoing requirements for maintaining proficiency or competency and can be revoked if ongoing requirements are not met.” Creating a CMMC auditor certification is a scalable model for qualifying auditors around the globe in a short amount of time.
ANSI does not allow an organization that owns a certification to also conduct training for that certification. This practice prevents organizations from simply training personnel to pass a test. It allows only third parties without knowledge of the examination criteria to provide training on the knowledge, skills, and abilities that are tested for in the certification exam. Establishing the CMMC auditor certification frees the CMMC AB from having to conduct CMMC auditor training. Instead, the CMMC AB could partner with established training companies to enable them to provide official CMMC auditor training in a much more scalable manner. Companies that specialize in training can rapidly develop and deploy CMMC auditor training through established training pipelines, including through online and virtual formats that are nearly impervious to the COVID-19 limitations.
The Department of Defense has been using ANSI-approved certifications to set baseline qualification standards since 2005, when the DoD CIO published DoD 8570.01-Manual. 8570.01-Manual established a list of baseline certifications for the DoD Cybersecurity Workforce. Personnel performing cybersecurity functions must obtain one of the certifications listed for their position category or specialty and level in order to be considered qualified for their position. In the same way that having an approved 8570.01-Manual certification does not guarantee that an employee is fully qualified, having a CMMC auditor certification would be a good baseline qualification standard but does not guarantee a fully qualified CMMC auditor. Cybersecurity auditors have existed for at least 10 years, so the concept of creating CMMC auditors is not entirely novel. The CMMC AB could put in place a robust set of experiential requirements for CMMC auditors, in addition to the CMMC auditor certification, to ensure they have the most qualified CMMC auditors possible.
The new reality created by COVID-19 has caused even the oldest institutions to reconsider how they currently conduct business, and the CMMC AB should similarly adjust. There is still time to make these changes, and the CMMC AB should strongly consider this alternate path to qualifying auditors. Creating a CMMC auditor certification will create a larger auditor workforce in a shorter amount of time, and has the ability to ensure a more highly qualified auditor workforce than CMMC AB auditor training alone can provide.
—————
Leslie Weinstein is an Army veteran and management consultant with 14 years of experience in intelligence and cyber operations and in strategy and policy consulting, with eight years of experience in a joint environment and three years of experience at the OSD level. Five years of active duty, complementing eight years as a federal civilian and consultant, provide her a diverse and unique skill set that she has successfully leveraged to solve some of the most complex issues facing the Department of Defense.
CMMC – The Cyber Compliance Standard We’ve Been Waiting For?
Is the Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC) the future, or just another compliance initiative in the long line of competing cyber standards across a fragmented landscape?
One thing is certain: this is a different approach. To date, the government has been mostly disjointed when it comes to cyber. Regulators have focused on privacy, mostly at the state level, and on post-breach notification. All 50 states have a data breach law, each different, and each relying on individual businesses to take on the burden of proactively securing themselves against a risk they don’t understand and that is costly to address. There is HIPAA, GLBA, GDPR, CCPA, and more. The effectiveness of the different compliance regulations is a legitimate question, especially when compared to the burden they bring for businesses.
The disjointedness has led most businesses, especially the small, to simply ignore toothless regulations and roll the dice on a data breach, knowing they likely won’t even learn of one if it does happen, let alone be required to notify anyone. Business owners intuitively know this is important, but the lack of clear regulations, enforcement and affordability has resulted in little progress addressing the issue.
It is precisely under these circumstances where the Federal Government should step in, establish a winning compliance standard that incorporates but supersedes all others, removing the overwhelming burden from business and addressing the overly fragmented regulatory environment.
This brings us back to the federal government and its contractors. NIST 800-53 is a beast, with an entire consulting industry built on it, and has successfully become an effective standard in the acquisition of government systems. How effective it’s been in securing government contractors is unclear. NIST 800-171 is less burdensome, focused mostly on confidentiality (as opposed to availability and integrity), and was developed with small businesses in mind. The problem with either framework has been adoption by private businesses, which is directly tied to the ability of the government to enforce. Adoption has mostly been voluntary and/or unenforceable. That is not the case with CMMC: it comes with a stick and a plan to use it. Make no mistake, CMMC has teeth.
Then there’s FedRAMP. Brought about to address the movement to cloud computing, FedRAMP enables commercial companies with cloud products or services wanting to do business with the federal government to get their infrastructure, application or system certified once, so it can be sold and used again and again by multiple government clients. This one-to-many approach is a departure from NIST 800-53 and RMF but is possible due to the scalability and centralized control inherent in the cloud.
CMMC is the natural evolution of NIST’s comprehensiveness and FedRAMP’s marketplace and impact level approach. Will it meet its ambitious goal of becoming the one standard to encompass them all? The answer depends on 3 big questions:
What will happen to small business government contractors?
Rest assured, the large and mid-sized DoD contractors will both absorb CMMC and capitalize on the market opportunity in stride. In one sense, CMMC is creating an industry overnight. Businesses of all sizes (including the ultra-small) can get certified and become third party (independent) assessing organizations (3PAO). That said, who will they assess? The average ongoing cost of CMMC compliance is estimated to be $3,000 per employee per year, with an initial one-time implementation cost of $500 - $1,000 per employee. As with any regulation that reduces the bottom line, there is at least some risk that small businesses will consolidate into larger businesses and/or exit the industry altogether.
With PCI-DSS (a comparable solution in the sense that it had teeth and the enforcing body had power over the regulated), many businesses exited the business of payment processing, instead outsourcing to accredited solutions and therefore eliminating their compliance burden. An additional cost, yes, but one offset at least partially by the automation brought by third party solutions.
Will this be the same for CMMC? Maybe. There is talk of pre-certifying SaaS solutions (see the one-to-many approach above) and/or reciprocity with other compliance regulations such as FedRAMP, but there is one key difference: scope. PCI regulated the function of accepting credit card payments. CMMC is anticipated to be much more comprehensive, regulating how businesses process information and use technology. This is the core of what most businesses do, and compliance will not be as simple as outsourcing one function of their business. There has been talk of an allowance to ease the burden on small businesses and, at the end of the day, if enough advance notice is given, the cost of compliance can be baked into any proposal submitted to the DoD. This ultimately leaves the government holding the bill, which raises the question of what will be sacrificed to pay for CMMC?
Will CMMC go beyond the DoD (i.e. is this the federal standard we’ve been waiting for)?
There are few more powerful customers in the world than the United States Department of Defense, and while we must start somewhere, will CMMC catch on beyond its initial implementation? It’s logical to think that if proven successful, other federal departments will adopt what the DoD started. Then what? State governments? Local governments? While they don’t have the same buying power as the federal government, they do have legislative power. If CMMC does filter down to states and municipalities, where will the money come from? If budget increases or cuts from other programs are not feasible, then we must circle back to the above question and ask if this will just lead to exits and consolidations among small businesses, essentially eliminating the small business ecosystem this country prides itself on.
Many excited service providers like to throw around the idea that this will become THE standard for all businesses in the United States, which would be great for cybersecurity, but again may not be so great for the smallest businesses. Furthermore, it’s easy to make the argument that the DoD supply chain is a target of interest for nation state cyber actors around the world. Can the same case be made for state contractors? What about the average small business who is more of a target of opportunity than a target of interest? Then there are the alarming stats:
- Small and mid-sized businesses (SMB) represent 99% of all U.S. businesses and employ more than 60% of Americans
- More than half of SMB data breach victims are out of business within 6 months of being attacked
As we know, most small businesses lack the resources and expertise to protect themselves and, as discussed above, the disjointedness of the regulatory approach to date has led most small businesses to simply ignore toothless regulations. Add that all up and it’s not too far of a stretch to imagine the scary scenario of a well-crafted piece of malware wiping out a good portion of the American economy.
This brings us back to the question at hand: can CMMC, or any compliance regulation for that matter, be rolled out beyond government contracting and effectively address cybersecurity without resulting in too great of a burden for the small business community that makes up the fabric of our economy?
Eventually, the disjointedness of regulatory compliance around cyber is likely to stop, and one framework/model will win out. It stands to reason there is a good chance it’ll come from the federal level due to the resources and the legislative and buying power it holds.
How do you maintain quality of CMMC service providers?
As already discussed, anyone worth their salt in cybersecurity has posed this question at least once: how effective is compliance at actually reducing incidents and successful attacks? Take a look at Service Organization Controls (SOC) compliance, for example. It was created by accountants! Should the AICPA be the governing body of a compliance regulation? What qualifications do they have? Who were their technical advisers? The fact is that cyber, like any new industry, has often been approached as a race to market, with the details figured out afterwards. The winners get financial gain and credibility, but this can be dangerous in a risk-based industry.
Furthermore, while academia and industry have begun to address the giant chasm between cybersecurity need and qualified talent, there is still an overwhelming gap between qualified cybersecurity engineers and open positions. It’s not a switch you can flip overnight and expect the problem to be reasonably addressed.
This raises the question: how will it work when the DoD creates a critical cyber industry overnight? There will be a race to market. Who will regulate quality? Who will staff the service providers AND the regulators? Current thinking is that a non-profit will be the consortium that certifies the service providers. They had better know what they are doing, because a quick way to kill CMMC in its tracks will be quick-to-market snake oil solutions and/or unqualified 3PAOs that miscertify contractors or, worse, rubber-stamp them because the contractors are paying their bills and the government has no quality control mechanisms in place. All of this would effectively make the standard ineffective and a giant waste of time.
These questions and more are being debated by the CMMC team as of this writing, and we must give them time to do so, but we must also give them input. One way to do so is by filling out the CMMC Marketplace survey. In the end, the success of CMMC will depend on questions such as the 3 posed above and on our ability to think through them now, PRIOR to the aggressive 2020 roll-out target. While we won’t have all the answers, healthy debate and industry input are critical to the ultimate success of CMMC.
---------------------
Chris served six years in the U.S. Marine Corps, where he was the country Chief Information Security Officer for the Republic of Georgia, a role in which he oversaw protecting USMC digital infrastructure in a highly vulnerable cyber threat environment. Upon returning to the United States, Chris left the Marine Corps to pursue a Masters in Computer Science and an MBA from UCLA, and also worked for the MITRE Corporation as a cybersecurity engineer. In 2014, he founded Ariento, a cybersecurity, compliance and IT service provider. Chris is a member of numerous cyber organizations including the FBI InfraGard and the Secure The Village Leadership Council; he teaches on the topics of cybersecurity and privacy at UCLA, and is a regular speaker and contributor to the Wall Street Journal Pro - Cybersecurity.