There is a buzz around the DoD’s reported review of the Cybersecurity Maturity Model Certification (CMMC) program. It is unclear what (if anything) may be changed going forward. The outspoken Undercover CISO has been doing his own internal review of the program exclusively for the Security Economics blog. The Undercover CISO is ready and willing to testify in front of Congress to present his findings, which are transcribed here, but will demand his identity be protected to assure his safety. The views below belong solely to the Undercover CISO, so please direct all comments and/or complaints to him.
Mr. Chairman, thank you for the opportunity to testify this morning. And thank you for allowing me to testify behind this curtain and disguising my voice to protect me from the CMMC cabal. As you know, I have conducted an independent review of the CMMC program, and have found it lacking. We all realize that our country has a tremendous challenge dealing with cybersecurity, but the CMMC program, as it currently stands, is not the solution.
First, as you would be able to see if I was not behind this curtain, I am not sporting a mullet. I did have a fine mullet in the 1990s, which is around the same time that policy and procedure-based frameworks like CMMC became obsolete. I am all for robust policies and procedures, but CMMC takes this to an absurd level. The CMMC Level 3 Assessment Guide weighs in at 430 pages and by one estimate creates a requirement for 180 policies and procedures to be developed. CMMC will improve security for most companies, but at what cost?
In Herman Wouk’s classic novel The Caine Mutiny, a disgruntled character says, “The Navy is a master plan designed by geniuses for execution by idiots.” This is a jarring and unfair statement – particularly for our friends in the Navy, but the general lesson is important. Large initiatives have generally been undertaken with well defined processes that are easily digestible and can be rolled out to persons with varying levels of expertise. CMMC is a master plan that must be implemented by over 300,000 companies that wish to do business with the DoD. CMMC practices must also be assessed by hundreds of other companies that help DoD contractors and subcontractors become compliant. CMMC was designed to be objective and understandable by persons with even a moderate understanding of security…but that is one of its main weaknesses.
Unfortunately, CMMC dumbs down the assessment process from being a risk-based approach to being a laundry list of controls that are easy to evaluate. Follow the requirements and check the boxes. Is it any wonder that we have a shortfall of cybersecurity professionals? Who wants to be in an industry that is relegated to checklists? But that is another issue for another time…
All the CMMC controls, without exception, need to be fully implemented in order to “pass.” This builds a compliance mindset instead of a security mindset. And make no mistake, the goal becomes to pass the audit. The problem with certifications is that they become the destination. It’s a pass/fail exam.
I have heard the example of HIPAA thrown out there as being analogous to CMMC. But CMMC is nothing like HIPAA. Yes, your dentist and your mega health insurer are both subject to HIPAA. But at least HIPAA was written to take into account the fact that controls should be commensurate with inherent risk. Specifically, for HIPAA, organizations can take into account “their size, complexity, and capabilities; … the costs of security measures; and the likelihood and possible impact of potential risks….What is appropriate for a particular covered entity will depend on the nature of the entity’s business, as well as the entity’s size and resources.“ CMMC has almost no provisions for factors such as these. CMMC Level 3 controls are essentially the same whether your are a five-person machine shop or Lockheed Martin. Can we really afford to have our best, most innovative small companies locked out of the government contracting space due to the high compliance costs?
Mr. Chairman, I have outlined some of the key problems with CMMC. Now let me provide some solutions.
First, make CMMC a risk-based framework. Yes, there needs to be a defined set of controls, but they should be generalized. The rigor associated with the control standards should be flexible based on the scope of the organization. For example, companies that process a small amount of Controlled Unclassified Information (CUI) can have less robust controls than larger companies. Since most companies will be using external advisory services, the advisors can guide the companies in their security design decisions, technology solutions, and key processes. This will also allow companies to take more modern, cost effective approaches, like using cloud services and zero trust applications, which are hardly mentioned at all in the CMMC documentation.
Second, have certified advisors and assessors that are experienced in real security processes and have the ability to assess security risks. No more “box checkers.” Remove the strict pass/fail requirement. Foster a collaborative approach. We all have the same goal, which is to improve security. Allow companies to come up with reasonable and appropriate – and independently approved – plans to constantly improve their security over time. And then hold them strictly accountable for doing so. If they slack off, have real penalties. Consider fining them or removing them from government contracts. Have no-notice audits and “name and shame” the companies that don’t pass.
Mr. Chairman, with the changes I am proposing, we can significantly improve the security of our defense industrial base, allow flexible security designs that take into account actual risks, and thereby enable cost-effective solutions. I thank you again for the opportunity to testify with my recommendations for improving CMMC. I have every confidence my explosive testimony today will someday be compared with the Valachi Hearings. I will now take leave of the building escorted by my security detail to protect me from the CMMC Cosa Nostra.