Lack of C3PAO assessors jeopardizes DoD CMMC certification goal

Only 100 approved assessors are available to certify that 300,000 US DoD providers are in compliance with the Cybersecurity Maturity Model Certification by the 2023 deadline.


If you do business with the Department of Defense (DoD), then the Cybersecurity Maturity Model Certification (CMMC) is known to you. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company to become a certified assessor in May 2021. Since then, three additional companies have been approved. That’s it. Four companies have been approved to be a Certified Third-Party Assessment Organization (C3PAO) and assess DoD contractor cybersecurity compliance with the CMMC.

Approximately 300,000 suppliers to the DoD will be impacted by the implementation of the CMMC.

Only 100 CMMC assessors available; 5,000 needed

In an interview with Federal News Network, Chris Goldman, a founding member of the CMMC accreditation body and director of infosec at Horizon Blue Cross Blue Shield of New Jersey, opined that CMMC has some shortcomings. He detailed how the DoD is planning to invoke the process with 500 pilot contracts requiring the assessments. This equates to five assessments per provisional assessor, given there are currently 100 provisional assessors. Goldman noted, “we’re certainly going to need to scale to over 5,000 assessors in the ecosystem to do more than 100,000 assessments per year.”

One potential downside to the DoD’s CMMC effort affects SMBs. The cost of adhering to the CMMC process may cause many entities to self-select out, reasoning, according to Goldman, “It’s too expensive, I can’t participate in the ecosystem anymore.” Thus, companies providing goods and services the DoD needs are no longer available to it, as these companies look for more profitable customers.

What this means, according to Don Kulp, director of business development at Saalex, is that the government is using the CMMC process to push good cyber hygiene into the ecosystems of the private sector, including educational institutions. The DoD will have the “maturity level of bidders contained in the actual bid and include the entire supply chain associated with the contract.” He continues that the implementation will include waivers, with the ultimate goal of ensuring “the level of maturity that all bidders must be certified to as well as the entire supply chain associated with those contracts.” That isn’t to say it will be smooth sailing; he notes that those contracting communities may make execution of contracts difficult for those doing business with the government.

Navy submarines not audited due to lack of auditors

One needs only look to the US Navy to see the potential effect of not having timely audits of cybersecurity postures. The Navy Times obtained an internal audit of the submarines in the US Naval Submarine Force Pacific that revealed the 41 submarines and their support ships didn’t have their required “internal and external cybersecurity inspections” conducted from 2016 to 2018.

The checks and balances built into a system to ensure known vulnerabilities are mitigated weren’t taking place. The Navy Times reported that the Navy lacked the personnel and bandwidth to conduct the inspections. The publication obtained a more precise answer via a FOIA request: “Personnel informed us that they do not have enough staff to meet the triennial inspection requirement for all information systems, so they excluded Navy submarine networks.”

The rationale: “The boats disconnect from the network” while at sea. And the risk to the DoD’s information network? The auditors opined, “Excluding submarine networks from inspection workload may expose the Department of Defense Information Network to an unacceptable level of risk.”

The submarine example demonstrates what happens when a lack of resources forces triage. The US Navy cyber auditors had only so many cycles in their days and thus had to choose between two bad options: audit all entities quickly (perhaps superficially), or skip one entity and ensure the security of the others is the best it can be.

With thousands of companies needing certification and approximately 100 provisional assessors approved to conduct C3PAO assessments, one can do the math. A shortage of auditing companies is a reality, which makes the 2023 deadline look a bit like the Sword of Damocles hanging over DoD contracting processes. There is going to be constipation. The CMMC accreditation body DIBCAC will need to double down and invest heavily in efficient training of assessors, in a world where cybersecurity-savvy personnel at all levels are a much-sought-after commodity.

Copyright © 2021 IDG Communications, Inc.