In the article, Downer breaks down the impact that Cybersecurity Maturity Model Certification (CMMC) is having on data hygiene and data security management.
More specifically, he discusses the lack of impact that CMMC will have on securing supply chains. You can read GovCon Expert Bill Downer’s piece below:
What Are We Trying to Secure?
The government community is consumed with the debate regarding the recently established Cybersecurity Maturity Model Certification (CMMC). CMMC is a new certification model designed to verify that Department of Defense (DoD) contractors have sufficient control to safeguard sensitive data.
The debates are concerned with the timing, the role the certifications will play in the source selection process, the auditors and the mechanisms of the audits. I am concerned about how CMMC is being discussed in terms of securing the supply chains of the various suppliers to the U.S. federal government.
In my opinion, CMMC has nothing to do with supply chain management. CMMC is all about data hygiene and security management. CMMC is the implementation and extension of the National Institute of Standards and Technology (NIST) SP 800-171, or just 800-171.
NIST 800-171 is a codification of the requirements that any non-federal computer system must follow to store, process, or transmit Controlled Unclassified Information (CUI) or to provide security protection for such systems. This document is based on the Federal Information Security Management Act (FISMA) of 2002 with moderate-level requirements.
Why was CMMC Created?
DoD’s Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S) plans to migrate to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).
CMMC is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place to provide basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the department’s industry partners’ networks.
Contractors were able to self-verify their adherence to the data protection and data security management standards before these changes took place. The concept of creating a level playing field for contractors and a consistent method of measurement of compliance is a good thing for all parties.
Why Do We Need CMMC?
As stated on DoD’s OUSD A&S’ website: “The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security.”
To reduce this risk, the DIB sector must enhance its protection of CUI in its networks. The Council of Economic Advisers, an agency within the Executive Office of the President (EOP), estimated in its “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” report from Feb. 2018 that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 billion.
Who’s Behind CMMC?
I applaud the commitment and courage of Ellen Lord and Katie Arrington (two 2020 Wash100 Award winners) for their leadership in creating and pushing CMMC. While the schedule is aggressive, it supports the notion that this is something that must be done NOW!
Katie Arrington has been very visible and available during the pandemic to answer all questions and address any concerns. Her desire to make sure that this program works for contractors of all sizes while minimizing the burdens has been very evident. The U.S. Government needs more leaders like them!
What About the U.S. Defense Industrial Base?
The security of important data about U.S. weapons systems is a paramount concern. The establishment of CMMC is a very important step toward that, but with so much critical technology for defense systems being manufactured via global supply chains, there is a bigger task looming on how best to secure the information and intellectual property of these technologies. CMMC does not address this more complex challenge.
The federal government has recognized this very complex problem and has already begun taking the steps to define possible solutions. In future articles, I will spotlight the great work being done by many agencies to secure their supply chains and those of the Defense Industrial Base.