Back in my days as a cybersecurity consultant, I did a lot of cyber maturity assessments for large organizations. We would analyze written security policies and processes and determine how “mature” the cyber program was. The more documentation and structure an organization had, the higher its maturity score. The actual tools used, or the true effectiveness of its controls, were not analyzed in much detail. Often, we would supplement our maturity assessments with Red Team exercises, where our pen testers would attempt to break into the organization and “steal” data.
On more than one occasion, a security program would get a decent maturity score, but the Red Team would (usually within hours) hack into the organization and demonstrate that the organization had serious security vulnerabilities. This would precipitate questions from the organization’s management asking how they got a good maturity score when their security was so bad. We would have to diplomatically explain that good cyber program maturity was important, but it didn’t always correspond to good security overall. Not an easy conversation to have.
Many of today’s security audits and assessments overemphasize maturity, with walls of documentation as proxies for effective security. They remind me of France’s reliance on the Maginot Line as a defense against the Nazis.
The Maginot Line, an array of defenses that France built along its border with Germany in the 1930s, was designed to prevent an invasion. Built at a cost that possibly exceeded $9 billion in today’s dollars, the 280-mile-long line included dozens of fortresses, underground bunkers, minefields, and gun batteries.
The Maginot Line was fortified with reinforced concrete and 55 million tons of steel embedded deep into the earth. It was designed to withstand heavy artillery fire, poison gas and whatever else the Germans could throw up against it.
Nevertheless, after World War II erupted, the fortified border that was supposed to serve as France’s salvation instead became a symbol of a failed strategy. Leaders had focused upon countering the tactics and technology of past wars, and failed to prepare for the new threat from fast-moving armored vehicles. Instead of being stymied by the Maginot Line, Hitler’s forces went around it, driving their tanks through a wilderness area in neighboring Belgium that the French wrongly assumed would be impenetrable. (Source: https://www.history.com/topics/world-war-ii/maginot-line)
And this line sticks out:
“The Maginot Line was a technological marvel, far and away the most sophisticated and complex set of fortifications built up to that time,” as William Allcorn wrote in his 2003 book The Maginot Line 1928–45. (Source: https://www.history.com/topics/world-war-ii/maginot-line)
Similarly, CMMC is far and away the most sophisticated and complex set of [cybersecurity] fortifications built up to our time. However, just as the Maginot Line provided almost no defense against German aircraft and Panzers, CMMC will provide limited protection against nation-state cyber adversaries. Why? Because CMMC ensures controls are in place, but does not evaluate whether controls are effective. In fact, the CMMC bureaucracy has developed hundreds of pages of evaluation guides, but has provided little guidance to companies regarding the most important security practices. For example, we can all agree that scanning for vulnerabilities is an important part of a security program. And the CMMC framework does require these types of scans (emphasis mine):
RA.L2-3.11.2 – VULNERABILITY SCAN
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
What is the required scanning period? It is unspecified. Choose one. Yearly? Sure, why not? You just need to define the period and scan accordingly. The only way to fail is to not scan in accordance with your schedule, so don’t set the bar too high. But you need to remediate the vulnerabilities, right? Well, you need to say why you didn’t remediate them in accordance with your “risk assessment.” So you have 1000 critical vulnerabilities? No worries, the only way to fail is not to have a reason for not remediating vulnerabilities and/or not tracking the vulnerabilities. Maintain the paper trail Maginot Line. Don’t fret too much about whether you have good security.
The fundamental issue is that it is the DoD’s data that needs to be protected, not the contractors’ data. As such, DoD should just stop with the bureaucratic layers and simply specify the security standards.
For example, specify concrete standards such as: perform vulnerability scans every quarter using an approved tool. Remediate all critical vulnerabilities within 14 days.
If the standard is missed, the company needs to self-report a deficiency. The DoD should audit a sample of the standards rather than perform a whole assessment. If the company doesn’t meet a standard or fails an audit, the contracting officer can determine whether the DoD wants to continue doing business with them.
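To make the contrast concrete, here is an added example (not code from the article or from any CMMC guidance) that evaluates one set of vulnerability-management records two ways: first against the article’s reading of RA.L2-3.11.2 (scan on whatever period the organization declared, and document a reason for any unremediated finding), then against the prescriptive standard proposed above (quarterly scans, critical findings closed within 14 days, with a self-reported deficiency for any miss). The scan dates, findings and the 92-day ceiling used for “quarterly” are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    finding_id: str
    severity: str                     # "critical", "high", ...
    found: date
    closed: Optional[date] = None
    risk_note: Optional[str] = None   # documented reason for not remediating


@dataclass
class Evidence:
    declared_period_days: int         # the scan period the organization chose for itself
    scan_dates: List[date]
    findings: List[Finding]


def _scan_gaps(scan_dates: List[date], as_of: date, max_days: int) -> List[str]:
    """Deficiencies where the interval between scans, or since the last scan, exceeds max_days."""
    dates = sorted(scan_dates)
    if not dates:
        return ["no vulnerability scans on record"]
    gaps = []
    for earlier, later in zip(dates, dates[1:]):
        delta = (later - earlier).days
        if delta > max_days:
            gaps.append(f"{delta} days between scans {earlier} and {later} (limit {max_days})")
    since_last = (as_of - dates[-1]).days
    if since_last > max_days:
        gaps.append(f"{since_last} days since last scan {dates[-1]} (limit {max_days})")
    return gaps


def check_self_defined(ev: Evidence, as_of: date) -> List[str]:
    """The article's reading of RA.L2-3.11.2: scan on the period you declared,
    and keep a documented reason for every finding left open."""
    deficiencies = _scan_gaps(ev.scan_dates, as_of, ev.declared_period_days)
    for f in ev.findings:
        if f.closed is None and not f.risk_note:
            deficiencies.append(f"{f.finding_id}: open with no documented risk reason")
    return deficiencies


def check_prescriptive(ev: Evidence, as_of: date,
                       scan_period_days: int = 92,       # assumed ceiling for "quarterly"
                       critical_sla_days: int = 14) -> List[str]:
    """The proposed standard: scan at least quarterly and close every critical
    finding within 14 days. A risk note does not excuse a missed SLA."""
    deficiencies = _scan_gaps(ev.scan_dates, as_of, scan_period_days)
    for f in ev.findings:
        if f.severity != "critical":
            continue
        end = f.closed if f.closed is not None else as_of
        age = (end - f.found).days
        if age > critical_sla_days:
            state = f"closed after {age} days" if f.closed else f"still open after {age} days"
            deficiencies.append(f"{f.finding_id}: critical, {state} (SLA {critical_sla_days})")
    return deficiencies


def must_self_report(ev: Evidence, as_of: date) -> bool:
    """Under the proposed standard, any deficiency is reportable."""
    return bool(check_prescriptive(ev, as_of))


# Constructed sample records: a yearly scan schedule and a handful of findings.
AS_OF = date(2024, 6, 1)
SAMPLE = Evidence(
    declared_period_days=365,
    scan_dates=[date(2023, 1, 10), date(2024, 1, 9)],
    findings=[
        Finding("C-1", "critical", date(2024, 1, 9), closed=date(2024, 1, 15)),
        Finding("C-2", "critical", date(2024, 1, 9), risk_note="accepted per risk assessment"),
        Finding("C-3", "critical", date(2024, 1, 9), risk_note="vendor patch pending"),
        Finding("H-1", "high", date(2024, 1, 9), risk_note="compensating control in place"),
    ],
)

if __name__ == "__main__":
    print("self-defined period:", check_self_defined(SAMPLE, AS_OF) or "no deficiencies")
    for d in check_prescriptive(SAMPLE, AS_OF):
        print("prescriptive:", d)
    print("self-report required:", must_self_report(SAMPLE, AS_OF))
```

Run against the same records, the self-defined check reports nothing: the organization scanned within its own yearly period and wrote a reason next to each open critical. The prescriptive check flags the 364-day scan interval, the 144 days since the last scan, and the two criticals still open long past 14 days, so a self-report is due. The two functions differ only in whether the thresholds belong to the contractor or to the standard, which is exactly the point of the proposal.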
This method would actually save a lot of time and money. It would also improve security more than the current method. The vast majority of companies don’t have the resources to create their own policies, procedures, and standards and would actually prefer a more prescriptive approach. Instead of doing glorified box-checking exercises, have the Certified Third Party Assessment Organizations (C3PAOs) evaluate risk for requirements that companies don’t meet. If we don’t think C3PAOs can adequately assess risk, then they shouldn’t be trusted to do assessments at all.
CMMC is becoming an expensive bureaucracy that only marginally improves security. There is still time to make substantial changes that will improve the overall security of the Defense Industrial Base, but it will take outside-the-box thinking. Let’s not build a Maginot Line waiting for the next cyberwar.