Should DHS Contractors Worry About CMMC?
As CMMC continues to show up outside of DoD contracts, many have theorized that it could become a standard across the federal government. We sat down with Bob Kolasky, Assistant Director at Cybersecurity and Infrastructure Security Agency and Director of the National Risk Management Center, to ask how the U.S. Department of Homeland Security is watching the CMMC rollout.
This article by Ryan Heidorn originally appeared in Homeland Security Today.
It’s almost impossible to talk to a DoD contractor and not get pulled into a discussion of CMMC.
For those who somehow missed it, the Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard that’s designed to reduce the theft of Controlled Unclassified Information (CUI) from companies in the defense industrial base. Ron Ross, a fellow at NIST and author of cybersecurity publications used across the federal government, said of the state of U.S. cybersecurity, “We literally are hemorrhaging critical information [to our adversaries].” CMMC is aimed at stopping the bleeding.
Published in January, the CMMC model contains five levels of cybersecurity maturity at which companies can be certified, ranging from basic cybersecurity hygiene (Level 1) to advanced practices designed to defend against nation-state actors (Levels 4 and 5). Although DoD contractors were already required under DFARS to protect CUI on their networks by implementing the 110 security requirements in NIST SP 800-171, CMMC (which is largely based on NIST SP 800-171) serves as an enforcement mechanism by requiring a third-party assessment of a contractor’s information systems. All DoD contractors – primes and subcontractors – will need to achieve certification at a specified level to win new DoD business.
Assuming that CMMC is successfully incorporated into DFARS (at the time of writing, an Interim Final Rule including a new DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is open for public comment), the goal is a five-year rollout to incorporate CMMC requirements into every DoD contract. But observers are already predicting that CMMC could become a standard across the federal government; it is, in fact, already starting to show up outside of DoD, including the General Services Administration’s $50 billion STARS III contract, which states that “STARS III contractors should begin preparing for CMMC.”
Other agencies, including DHS, appear to be watching the DoD’s rollout of CMMC with keen interest. In a May 12 presentation for NCMA Boston, Stacy Bostjanick, director of the CMMC program at the DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment, indicated that DHS could adopt CMMC and is closely watching the DoD rollout.
I sat down (virtually) with Bob Kolasky, assistant director of the Cybersecurity and Infrastructure Security Agency (CISA) and director of the National Risk Management Center, to ask if DHS contractors should be preparing for CMMC.
How DHS Views CMMC As a Model
Although information systems that process sensitive information for DHS must meet the cybersecurity requirements in the DHS 4300A Sensitive Systems Handbook, contractors’ own networks are currently held to a lower standard, creating an attractive target for adversaries. As director of the National Risk Management Center, Kolasky takes supply chain risk management seriously, and believes cybersecurity for non-federal information systems needs to improve.
“We think there’s a fairly significant risk right now in terms of a breach or exfiltration originating from non-federal contractor systems,” he said. “That’s why there’s so much urgency around CMMC to help close the level of risk. Of course, I would hope that some of the risk is mitigated by companies getting better at cybersecurity in general, aside from CMMC, and that they recognize it’s in their own business interest to bolster their cybersecurity strength whether it’s a requirement or not. But CMMC will certainly serve to close the loop.”
With DoD as the bellwether, Kolasky is watching the CMMC rollout to see if it will move the needle to secure the DoD’s supply chain and what impact will it have on broader ICT supply chains. “Agencies and even other countries will look to see if it is having the intended effect,” he said. “Are there fewer major breaches? Has CMMC decreased the revenue that is annually lost to stolen technology? Are there loopholes built in that can potentially be circumvented by experienced hackers?”
“From an outsider’s view, we would want to assure that the content is good, the framework is achievable, and is it producing the intended results,” Kolasky continued. “Did it raise the baseline of security? And is the end result worth the time and trouble it took to get there?”
It’s worth noting the security requirements in DHS 4300A have a lot in common with CMMC – they’re both derived from NIST SP 800-53. If DHS were to require something like CMMC for its supply chain, Kolasky thinks the security posture of many contractors won’t be too far off from requirements.
“I don’t believe there’s a huge gap, at least not for the bigger contractors like the Northrop Grummans, for example,” said Kolasky. “For the companies that do business with CISA, the big ones who deal with the defense industrial base regularly, they’ve already got strong cybersecurity protocols in place that will likely give them a leg up on CMMC-like requirements.”
“What we don’t want to see, however, are two different sets of protocols,” he continued. “Whether DHS goes as far as full CMMC adoption or some variant, we would hope that the regimes wouldn’t be too much different from each other. Having any possible DHS version be relatively similar to the DoD version would be less costly for contractors.”
Given the unique nature of DHS’ purview over national infrastructure, which puts an additional focus on cyber-physical risk, would DHS require an organizational technology (OT) overlay to CMMC?
“Probably not,” Kolasky explained. “We work with numerous electric utilities, but there are areas in which we make no specific demands in terms of security. In other areas we can place requirements on supply chain security, but there are other aspects of operational technology in which most agencies would like to see proper security practice in place. But whether CMMC requires that, or we can incentivize it via contract language, remains to be seen.”
Cybersecurity Maturity for Small Business
One concern expressed by some DoD contractors – and some DHS contractors as well – is whether CMMC might create a barrier to entry for smaller companies that lack the resources and skilled personnel to implement and manage a mature cybersecurity program. DoD contractors are still coming to terms with the process maturity requirements of CMMC which, at Level 3 (the minimum level required for a contractor that handles CUI), require a contractor to demonstrate that security requirements are actively managed through policy, documented procedures, and written plans that describe how the organization provides “adequate resources” for each of the 17 capability domains found in CMMC.
CMMC signals a sea change for contractors, who now need to view cybersecurity as a separate, critical business function, not unlike accounting or business operations. To protect the government’s sensitive information, contractors should maintain three distinct skillsets: IT, cybersecurity, and compliance. “We have an IT guy” is no longer an acceptable strategy. Kolasky acknowledged the crucial role managed service providers (MSPs) play in helping contractors meet security requirements, and highlighted resources for DHS contractors looking to get a jumpstart on CMMC readiness.
“As a DHS contractor, especially a smaller one, I would start by taking advantage of info-sharing programs and resource links that DHS offers on its website through CISA,” he said. “These assets can help make contractors aware of the most current threats and vulnerabilities, a great first step in preparing for CMMC adoption. They can start with cybersecurity essentials and supply chain essentials as a way to begin their CMMC journey.”
“It’s also a good idea to get company executives on board as early as possible,” he added. “Often, it’s difficult to get management buy-in to any kind of IT function, much less a cybersecurity program. The earlier you start, the sooner you can start addressing objections and highlighting benefits.”
But whatever the size of the business, the time for contractors to begin preparations for additional security requirements is now, because the DoD rollout has the potential to serve as a prototype not just for DHS but many other agencies as well.
Stacy Bostjanick, director of the CMMC program at the DoD OUSD A&S, said, “As the CMMC program continues to pass critical milestones like the successful training of the first classes of provisional assessors, we realize that other federal agencies are watching the CMMC rollout as a potential model for addressing risks in their own supply chains. We’re confident that CMMC will be successful in its mission and serve as an example for other agencies to adopt.”
“The rollout will take time and won’t be without its challenges,” she added. “But we’re grateful for the support of cybersecurity leaders like Bob Kolasky at DHS who recognize that building cybersecurity maturity across our supply chains is absolutely critical to protect the government’s sensitive information.”