Only 100 approved assessors are available to certify that 300,000 US DoD providers are in compliance with the Cybersecurity Maturity Model Certification by the 2023 deadline.

If you do business with the Department of Defense (DoD), then the Cybersecurity Maturity Model Certification (CMMC) is known to you. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company to become a certified assessor in May 2021. Since then, three additional companies have been approved. That’s it. Four companies have been approved to be a Certified Third-Party Assessment Organization (C3PAO) and assess DoD contractor cybersecurity compliance with the CMMC.

Approximately 300,000 suppliers to the DoD will be impacted by the implementation of the CMMC.

Only 100 CMMC assessors available – 5,000 needed

In an interview with Federal News Network, Chris Goldman, a founding member of the CMMC accreditation body and director of infosec at Horizon Blue Cross Blue Shield of New Jersey, discussed some of CMMC’s shortcomings. He detailed how the DoD is planning to invoke the process with 500 pilot contracts requiring the assessments. Given that there are currently 100 provisional assessors, this equates to five assessments per provisional assessor. Goldman noted, “we’re certainly going to need to scale to over 5,000 assessors in the ecosystem to do more than 100,000 assessments per year.”

One potential downside to the DoD’s CMMC effort affects the SMBs. The cost of adhering to the CMMC process may cause many entities to self-select out, concluding, according to Goldman, “It’s too expensive, I can’t participate in the ecosystem anymore.” Thus, companies providing goods and services the DoD needs are no longer available, as these companies look for more profitable customers.
What this means, according to Don Kulp, director of business development at Saalex, is that the government is using the CMMC process to push good cyber hygiene into the ecosystems of the private sector, including educational institutions. The DoD will have the “maturity level of bidders contained in the actual bid and include the entire supply chain associated with the contract.” He continues that the implementation will include waivers, with the ultimate goal of ensuring “the level of maturity that all bidders must be certified to as well the entire supply chain associated with those contracts.” That isn’t to say it will be smooth sailing: he notes that those contracting communities may make execution of contracts difficult for those doing business with the government.

Navy submarines not audited due to lack of auditors

One need only look to the US Navy to see the potential effect of not having timely audits of cybersecurity postures. The Navy Times obtained an internal audit of the submarines in the US Naval Submarine Force Pacific that revealed the 41 submarines and their support ships didn’t have their required “internal and external cybersecurity inspections” conducted from 2016 to 2018. The checks and balances built into a system to ensure known vulnerabilities are mitigated were not taking place. The Navy Times continued that the Navy lacked the personnel and bandwidth to conduct the inspections. The publication obtained, via an FOIA request, a more precise answer: “Personnel informed us that they do not have enough staff to meet the triennial inspection requirement for all information systems, so they excluded Navy submarine networks.”

The rationale: “The boats disconnect from the network” while at sea. So what is the risk to the DoD’s information network?
The auditors opined, “Excluding submarine networks from inspection workload may expose the Department of Defense Information Network to an unacceptable level of risk.”

The submarine example demonstrates what happens when a lack of resources forces triage. The US Navy cyber auditors had only so many cycles in their days and thus had to choose between two bad options: audit all entities quickly (perhaps superficially), or skip inspecting one entity and ensure the security of the other entities is the best it can be.

With thousands of companies needing certification and approximately 100 provisional assessors approved to conduct C3PAO assessments, one can do the math. A shortage of auditing companies is a reality, which makes the 2023 deadline look a bit like the Sword of Damocles hanging over DoD contracting processes. There is going to be constipation. The CMMC accreditation body DIBCAC will need to double down and invest heavily in efficient training of assessors, in a world where cybersecurity-savvy personnel at all levels are a much sought-after commodity.