Only 100 approved assessors are available to certify that 300,000 US DoD providers are in compliance with the Cybersecurity Maturity Model Certification by the 2023 deadline. Credit: Thinkstock If you do business with the Department of Defense (DoD), then the Cybersecurity Maturity Model Certification (CMMC) is known to you. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company to become a certified assessor in May 2021. Since then, three additional companies have been approved. That’s it. Four companies have been approved to be a Certified Third-Party Assessment Organization (C3PAO) and assessed DoD contractor cybersecurity compliance with the CMMC.Approximately 300,000 suppliers to the DoD will be impacted by the implementation of the CMMC.Only 100 CMMC assessors available–5,000 neededIn an interview with Federal News Network, Chris Goldman, a founding member of the CMMC accreditation body and director of infosec at Horizon Blue Cross Blue Shield of New Jersey opined how CMMC had some shortcomings. He detailed how the DoD is planning to invoke the process with 500 pilot contracts requiring the assessments. This equates to five assessments per provisional assessor, given there are currently 100 provisional assessors. Goldman noted, “we’re certainly going to need to scale to over 5,000 assessors in the ecosystem to do more than 100,000 assessments per year.”One potential downside to the DoD’s CMMC effort affects the SMBs. The cost of adhering to the CMMC process may cause many entities to self-select out as, according to Goldman, “Its too expensive, I can’t participate in the ecosystem anymore.” Thus, companies providing goods and services the DoD needs are no longer available, as these companies look for more profitable customers. What this means, according to Don Kulp, director of business development at Saalex, is that the government is using the CMMC process to push good cyber hygiene into the ecosystems of the private sector, including educational institutions. The DoD will have the “maturity level of bidders contained in the actual bid and include the entire supply chain associated with the contract.” He continues how the implementation will include waivers, with the ultimate goal of ensuring “the level of maturity that all bidders must be certified to as well the entire supply chain associated with those contracts.” That isn’t to say it will be smooth sailing, he notes that those contracting communities may make execution of contracts difficult for those doing business with the government.Navy Submarines not audited due to lack of auditorsOne needs only look to the US Navy to see the potential effect of not having timely audits of cybersecurity postures. The Navy Times obtained an internal audit of the submarines in the US Naval Submarine Force Pacific that revealed the 41 submarines and their support ships didn’t have their required “internal and external cybersecurity inspections” conducted from 2016 to 2018. The checks and balances built into a system to ensure known vulnerabilities are mitigated wasn’t taking place. The Navy Times continued how the Navy lacked the personnel and bandwidth to conduct the inspections. The publication obtained via an FOIA request a more precise answer, “Personnel informed us that they do not have enough staff to meet the triennial inspection requirement for all information systems, so they excluded Navy submarine networks.”The rational: “The boats disconnect from the network” while at sea, the risk to the DoD’s information network? The auditors opined, “Excluding submarine networks from inspection workload may expose the Department of Defense Information Network to an unacceptable level of risk.”The submarine example demonstrates what occurs when triage occurs due to lack of resources. The US Navy cyber auditors had only so many cycles in their days and thus had to choose between two bad choices, audit all entities quickly (perhaps superficially) or not inspect one entity and ensure the security of the other entities are the best they can be.With thousands of companies needing certification and approximately 100 provisional assessors approved to conduct C3PAO, one can do the math. A shortage of auditing companies is a reality, which makes 2023 deadline look a bit like the Sword of Damocles hanging over DoD contracting processes. There is going to be constipation. The CMMC accreditation body DIBCAC will need to double-down and invest heavily in efficient training of assessors, in a world where cybersecurity savvy personnel at all levels are a much sought after commodity. Related content news Chinese state actors behind espionage attacks on Southeast Asian government The distinct groups of activities formed three different clusters, each attributed to a specific APT group. By Shweta Sharma Sep 25, 2023 4 mins Advanced Persistent Threats Advanced Persistent Threats Cyberattacks feature How to pick the best endpoint detection and response solution EDR software has emerged as one of the preeminent tools in the CISO’s arsenal. Here’s what to look for and what to avoid when choosing EDR software. By Linda Rosencrance Sep 25, 2023 10 mins Intrusion Detection Software Security Monitoring Software Data and Information Security feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Data and Information Security IT Leadership brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe