I was pretty excited as I drove onto the sprawling and meticulously landscaped campus. I was heading to a meeting with the Undercover CISO. The UC had always been a curmudgeon and a pain to deal with, but to my surprise he wanted to use my company for a CMMC pre-assessment project.
I saw his expensive sports car in a reserved parking space so I knew I was in the right place. I signed in at the front desk and was escorted to his large office, appointed with expensive paintings and mahogany furniture. He was on the phone, so I settled into a chair, enveloped by the feel and scent of the rich Corinthian leather. Ah, the pampered life of a CISO.
I had just started to pull out my laptop with the slide deck to describe how we would help him get ready for CMMC when he interrupted me. “Never mind, the project is cancelled,” he said as he hung up the phone.
I was taken aback. “What do you mean? Don’t you do business with the DoD? You need to start getting ready now. CMMC compliance is a very long process. You can’t put it off…”
He held up a hand and said, “CMMC 2.0 is dead.”
“What are you talking about?” I was wondering if there was some recent news I hadn’t heard about.
“Oh yeah, it’s dead. They just don’t know it yet.” He clarified, “Something like CMMC 2.0 will happen, but it will be streamlined from what we now see. Also probably ‘phased in.’ The DoD loves to use the term ‘phased in’ to avoid saying ‘delayed.’”
I thought I was pretty plugged in to CMMC. Through my shock I could only muster a brief question. “Where did you hear this?”
He continued. “Here’s the deal. We have about $5M in DoD subcontracts through a big defense contractor. The prime contractor said we need to be CMMC compliant. Fair enough. Then we did an analysis and found that it could cost us almost $2M to become compliant. That is even though our security is among the best in our industry. It is an administrative hassle. For example, we need our encryption to be FIPS 140-2 compliant. Not only a major pain, but it is totally unnecessary, and it could break things. Even Microsoft is not recommending FIPS 140-2.
“So the boss (the CEO) tells me to inform the prime contractor we need to increase our price by at least $2M. Plus, we use three subcontractors ourselves, and they will no doubt be asking for price increases as well. The prime said no. Told us we should already be compliant so the cost will be negligible. What a joke. The boss says if they don’t pay we should walk away from the business.
“Our Federal work is a small part of our revenues and if we increase our security budget that much our other businesses will be less competitive. Plus, we know there are only about four other companies who could supply these parts to the prime contractor, and two are foreign companies. Good luck spinning up a new subcontractor. Didn’t you see the testimony by Ellen Lord?”
I certainly had. It was pretty dire:
Testifying before the Senate Armed Services Committee, Ellen Lord, who served as the Defense Department’s top acquisition official, said Stingers cannot be replaced “within the next couple of years” because its production line has been shut down. Even simple items, such as diodes, used to regulate voltage for these systems could be difficult to obtain.
“Even with Javelin, we are probably five years” away from replenishing that stock despite its manufacturing line remaining open, she added….
On the overall health of the industrial base, Lord reminded the committee that “it is a choice for a company to do business with DoD,” whether it is large or small, a start-up or an investment group with all the government’s rules, regulations, policies and laws covering how it does business.
But what is most critically important to those businesses now is the impact of inflation on contracts. Lord said there needs to be “equitable adjustment … to the ’22 budget right now” by Congress.
Source: USNI News
I saw his point. With the defense industrial base being stressed by inflation and supply chain pressures, new, expensive regulations do not help at all. It is regulatory capture. I had previously written essentially the same thoughts.
He continued, “Look, we want to supply these parts to the DoD. They are needed. But there are multiple issues we as a company need to consider. Yes, ransomware is a threat. But there are others. Our assembly lines could go down due to lack of parts from our supply chain, workers quitting or striking due to low pay, a fire or natural disaster, and a bunch of other issues. You security guys think the world rotates around your security checklists, but it doesn’t.”
My head was spinning. I said, “You make a lot of sense, but the CMMC train is running. How do you stop a steaming locomotive?”
“The boss told me he would call our senators and get this CMMC thing worked out, whatever that means. He said other CEOs were saying the same things. Said that’s why we pay our congressmen – to fix things like this. So, let’s see how things shake out. Do you really think some egghead in DoD is going to pull the trigger on CMMC and break the already fragile defense supply chain? It would blow out the Defense Industrial Base. The Last Supper multiplied by ten-thousand. Not gonna happen. As I said, CMMC 2.0 is dead, they just don’t know it yet. It will be resurrected in some streamlined form. We’ll just wait and see.”
I put my laptop away and tried to look at the bright side. “Well, I guess we won’t be working together after all, which will at least save me a lot of aggravation.”
He smiled and said, “Yeah, I was going to make your life miserable. Well, how about I buy you a power lunch? We’ll ride together in my Ferrari. I can tell you about the security companies I have been shorting.”
I had forgotten he held court at his private booth at Durant’s, where he fancied himself a Mafia boss as security vendors lined up to kiss his ring. Ah, the pampered life of a CISO.