Compliance is not security

Our Defense Industrial Base (DIB) faces continual attacks that harm our national defense. As such, we need real security to protect the information we spend so much on. We need security that won’t cause companies to flee the DIB or prevent new, innovative companies from entering the DIB. Unfortunately, we have created a costly, inefficient compliance scheme. CMMC, and any other compliance initiative, is a simulacrum of security.

A simulacrum is defined as a slight, unreal, or superficial likeness or semblance. Think Disney World or Las Vegas. The Venetian hotel is a simulacrum of the real Venice – a superficial and inferior likeness to the original.

On the surface, CMMC certainly looks like a security framework, but go beyond the facade, and you will realize it is a compliance framework. The difference between compliance and security is subtle, but very important. So, before CMMC goes final, let’s at least make sure we understand a few of CMMC’s foundational weaknesses.

Weakness 1: CMMC is essentially one-size-fits-all.

Have you eaten at a family-owned restaurant lately? If so, you probably paid with a credit card. How can a family-owned restaurant afford to take credit cards? Aren’t they subject to the Payment Card Industry Data Security Standard (PCI DSS)? Yes, but PCI DSS has the good sense to have different merchant levels with different compliance requirements. Your family restaurant doesn’t have the same security requirements as Amazon.

Have you visited your family dentist recently? With HIPAA, do you wonder how your dental office can stay in business? It is because HIPAA has a “reasonable and appropriate” standard. Specifically, it states, “What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.” Your family dentist does not have the same security requirements as, say, UnitedHealth Group. The risk isn’t anywhere near the same. And, by the way, your dentist’s office self-attests to compliance.

Can’t the restaurant and dentist just cheat and falsely say security protections are in place? Yes, they could, but both PCI DSS and HIPAA have penalties. If you lie with regard to PCI DSS you could lose your ability to accept credit cards. HIPAA has statutory penalties for non-compliance.

“All right,” you say. “NIST 800-171 has a baseline of controls, but gives wide latitude to companies regarding the specifics. They choose the controls based on risk.”

And that brings us to our second weakness.

Weakness 2: CMMC is a verification of assertions, not a verification of security.

Sure, there are hundreds of controls that need to be in place, but the company largely gets to choose the security standards.

As I wrote:

What is the required [vulnerability] scanning period? It is unspecified. Choose one. Yearly? Sure, why not? You just need to define the period and scan accordingly. The only way to fail is to not scan in accordance with your schedule, so don’t set the bar too high. But you need to remediate the vulnerabilities, right? Well, you need to say why you didn’t remediate them in accordance with your “risk assessment.” So you have 1000 critical vulnerabilities? No worries, the only way to fail is not to have a reason for not remediating vulnerabilities and/or not tracking the vulnerabilities.

The goal of compliance is to satisfy the letter of the requirements for the lowest cost and effort possible. In larger companies, compliance activities are run under the auspices of the Legal department, not the Security department. In fact, the last thing a company wants is to have an auditor talk to the company’s security team. When answering auditor questions, security folks often use pesky words like “usually” and “sort of.” Companies will go to great pains to ensure CMMC assessors don’t get within a mile of the company’s security team.

I did a lot of work in HIPAA. Companies always wanted us to certify them as HIPAA compliant. When we told them there is no external HIPAA certification and they needed to have someone in their organization self-certify, they were not happy. External certification acts as a kind of safe harbor. Once a company is certified, the liability for a breach drops significantly. Lawyers like external certifications. Management does too, especially since CMMC is costly enough to push a lot of competitors out of the Defense Industrial Base (DIB) (which is why it won’t happen in anything close to its current form).

You may say, “Independent certification has worked well for the DoD. CMMC is just a logical extension of the federal authorization process, which certainly accounts for risk.”

True, CMMC seems to be an analog of the federal system authorization process. However, it is a simulacrum of the federal Authority to Operate (ATO) process. And that brings us to our final weakness.

Weakness 3: CMMC has no official signoff regarding risk.
The official management decision given by a senior organizational official to authorize the operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. (Emphasis mine).

CMMC requires a risk analysis to be performed, but the level of risk is irrelevant to compliance. This is because third-party assessors are not government entities, nor are they contracted by the government. Therefore, they can’t assess whether the risk taken on by the company is too high, they can only assess documentation and practices.

Companies don’t really care about the government’s risk, they care about their company’s risk. After all, CUI is the government’s data, not theirs. The biggest CMMC risk for a company is not being able to afford certification.

Further, how can a small subcontractor evaluate risk? A company with a contract to machine bolts has no idea what the risk of a breach of its design specs is to the DoD. The government doesn’t publicize a specific contractor’s loss of CUI, and probably never will. Therefore, there isn’t even much reputational risk.

Putting it together

Now let’s take a concrete example to demonstrate the issues above.

NIST 800-171 has a control for passwords:

  • 3.5.7. Enforce a minimum password complexity and change of characters when new passwords are created.

Let’s say a company has hundreds of systems, but one of their older legacy systems cannot accept passwords longer than five characters. The proper way to handle this from a risk perspective would be to have a strong password policy/standard (e.g., require passwords with at least ten characters) and create a Plan of Action and Milestones (POAM) to remediate or replace the legacy system. However, CMMC generally does not allow POAMs for controls.

So, if the company wants to pass the CMMC assessment and get government contracts, the most efficient means would be to create an internal policy that allows five-character passwords. The assessor would test the company’s systems and find all of them in compliance. The assessor may not think the password policy is reasonable, but the assessor can’t make a risk determination. They can only test the claims made by the company. The company never needs to remediate or replace the system that can’t use long passwords.
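To make the two paths concrete, here is an added example (not code from the post or from NIST) that implements the substance of 3.5.7, a minimum length, a minimum number of character classes, and a required change of characters from the previous password, and then checks which systems in a constructed inventory can technically enforce each policy. The system names, the password values and the two policy parameter sets are assumptions made up for illustration; the five-character legacy system mirrors the one in the text.

```python
"""Added example: NIST SP 800-171 3.5.7 enforced two ways.

A risk-driven policy (ten characters) is unenforceable on the legacy system,
which is exactly where a POAM belongs. A policy written to pass the assessment
(five characters) is enforceable everywhere and accepts trivially weak passwords.
All systems, policies and passwords below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_classes: int         # of: lowercase, uppercase, digit, symbol
    min_changed_chars: int   # characters that must differ from the previous password


@dataclass(frozen=True)
class System:
    name: str
    max_password_length: Optional[int]   # None means no technical limit


def character_classes(pw: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def changed_characters(old: str, new: str) -> int:
    """Position-wise differences plus the length difference: a simple
    'change of characters' measure that catches Password1 -> Password2 edits."""
    diff = sum(1 for a, b in zip(old, new) if a != b)
    return diff + abs(len(old) - len(new))


def check_new_password(policy: PasswordPolicy, old: str, new: str) -> List[str]:
    """Return the list of violations; an empty list means the new password is accepted."""
    findings = []
    if len(new) < policy.min_length:
        findings.append(f"length {len(new)} < {policy.min_length}")
    if character_classes(new) < policy.min_classes:
        findings.append(f"character classes {character_classes(new)} < {policy.min_classes}")
    if changed_characters(old, new) < policy.min_changed_chars:
        findings.append(f"only {changed_characters(old, new)} characters changed")
    return findings


def enforceability(policy: PasswordPolicy, systems: List[System]) -> Dict[str, str]:
    """For each system, whether the policy can be technically enforced.
    A system whose maximum password length is below the policy minimum cannot
    enforce it; that gap is what a POAM (remediate or replace) should track."""
    result = {}
    for s in systems:
        if s.max_password_length is not None and s.max_password_length < policy.min_length:
            result[s.name] = "cannot enforce: needs POAM"
        else:
            result[s.name] = "enforceable"
    return result


# Constructed inventory: two modern systems and the five-character legacy box.
SYSTEMS = [System("erp", None), System("hr-portal", 64), System("legacy-ctrl", 5)]

# Constructed policies: the risk-driven one and the one written to pass.
STRONG = PasswordPolicy("risk-driven", min_length=10, min_classes=3, min_changed_chars=4)
WEAKENED = PasswordPolicy("written-to-pass", min_length=5, min_classes=1, min_changed_chars=1)


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Enforceability of both policies across the constructed inventory."""
    return {p.name: enforceability(p, SYSTEMS) for p in (STRONG, WEAKENED)}


if __name__ == "__main__":
    for name, per_system in compare_policies().items():
        print(name, per_system)
    # The weakened policy accepts a one-character rotation of a five-character password.
    print("weakened accepts abcd1 -> abcd2:", check_new_password(WEAKENED, "abcd1", "abcd2") == [])
    print("strong rejects it with:", check_new_password(STRONG, "abcd1", "abcd2"))
```

Run as a script, the output shows the tension the post describes: the strong policy produces a single "needs POAM" finding on the legacy system, while the weakened policy reports every system as compliant and accepts a password change from "abcd1" to "abcd2".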

In the above example (and there are many such examples), the requirement for external compliance certification actually causes security to be worse than it otherwise would be. CMMC turns the security process on its head. It starts from the bottom up with controls, and lets risks and budgets fall where they may. True security processes start with risks, which inform the choice of controls within the available budget.

External certification is great for compliance, but often not good for security. Security self-attestation against a “reasonable and appropriate” standard (with penalties for poor practices) is the best way to reduce cyber risk.

DoD is adopting a very complex compliance scheme as a simulacrum for security. Will it improve overall security for companies that are able to afford its cost? Probably, but not as much as people think, and not nearly as much as it could for the resources expended.

In subsequent posts I will discuss how some of the best companies navigate CMMC compliance in the most cost-effective manner. Stay tuned.
