Pentagon Lock Security Defense Concept Illustration (Getty Images)

After much delay, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 is reportedly on track to be released in the first quarter of next year — just in time to preempt a potential new administration from reviewing it. However, it’s worth considering if CMMC 2.0 even needs to see the light of day.

The notion that CMMC 2.0 could simply never come to fruition seems impossible at the moment. The rise of a CMMC compliance ecosystem — including assessor organizations, consultants, explainers, articles, and tutorials, all trying to cash in on the new system — presents CMMC 2.0 as if it is on an unobstructed glide path to implementation. But, in the words of Air Force Secretary Frank Kendall before he returned to government, “Let’s kill this bureaucratic monster before it gets any bigger than it already has.”

Despite CMMC’s worthy underlying goal of better cyber hygiene, problems such as compliance costs, shifting definitions and standards, and adversarial relationships all threaten the viability of this contractor cybersecurity mechanism. Given these and other issues, it would be best for either Congress to intervene or DoD to change course and let CMMC 2.0 wither and die on the regulatory vine.

The problems with CMMC 2.0 are many. First, it seeks to impose a largely static cybersecurity architecture around a problem that is constantly evolving. Threats to contractors’ information across the defense industrial base are ever-changing, as bad actors seek to exploit holes and vulnerabilities in companies’ network security. CMMC counters these changing threats through mostly a check-the-box mentality of cybersecurity requirements, freezing methods for protecting information until a revision can be issued.

A second issue is the financial burden it will impose on industry in the form of compliance costs. CMMC’s costs are significant and equate to nearly $4 billion annually over the next two decades; given DoD’s historic cost estimation issues, this will almost certainly be an underestimation. No, taxpayers will not be on the hook for these directly, but increased costs to industry will inevitably end up coming back to the department in the form of increased prices and what the government pays in reimbursed contractor overhead. This is not a free lunch, as some in the Department seem to think it is simply because it is not directly paid for in the budget.

Major defense contractors reimbursed by the government in their overhead through cost contracts will have no problem preparing and paying for the outside assessments required under Levels 2 and 3 of CMMC 2.0. For everyone else it is a different story. For small businesses, exactly the type of company that DoD is looking to attract in its latest industrial base strategy, these costs may prove to be prohibitive as the price to pay to merely bid on a contract. DoD has noted it will cost small businesses over $100,000 to have a third party certify their compliance with just Level 2 requirements. What’s more, the department has given no details on how much it will cost to comply with the federal cybersecurity rules that are already on the books and which CMMC is aiming to enforce. How can businesses be expected to comply with government regulations if they don’t even have an accurate estimate of how much it will cost?

For primarily commercial companies, the issue will be whether the benefits ever justify the costs. Do these firms want to pay the likely useless and wasted costs of complying with a “government knows best” unique solution? Probably not, especially given how the government historically lags behind the commercial world on these kinds of issues. The net result will be more decisions not to bid on government contracts, an even smaller and more concentrated defense industrial base, and fewer opportunities for DoD to adopt leading commercial innovation.

A third fatal flaw is that, at its core, CMMC sets up an adversarial relationship between industry and the Pentagon. Instead of bringing industry along and demonstrating to them how it’s in their own interest to safeguard information, CMMC relies on audits and a whole new layer of bureaucracy to support them. Companies that fail these audits are punished, as they then could be barred from bidding on DoD contracts. This punitive enforcement through the contracting process will surely dissuade new and innovative companies from doing business with DoD.

A better approach would be for DoD to help promulgate flexible industry-wide standards, encouraging companies to comply and offering incentives to do so rather than punishing them. The reality is that after the relentless hacking of commercial systems by China and other adversaries, the private sector understands the need to protect its intellectual property and critical information. It doesn’t need a nanny state to compel it into action, but it does need a partner to share best practices and threat information.

Finally, there’s the open question of whether the type of information CMMC seeks to protect, controlled unclassified information (CUI), needs stringent safeguards at all. These are not the crown jewels of the nation. This is not Top Secret, Secret, or even Confidential information. Often applied on an inconsistent basis, most CUI probably does not need to be controlled and is only designated as such because of an aversion to risk among those marking it. Why should DoD be spending billions of dollars to mandate protection of information that may not even need to be protected in the first place?

DoD has been criticized in the past for classifying too much information at the Top Secret, Secret, and Confidential levels that have their own unique sub-categories, systems, procedures, and practices of control. Still, can’t we just classify really important CUI material and use existing controls and systems rather than create something new? For the rest, we should just accept and encourage reasonable market-based cyber practices.

Given these issues, DoD should blaze an alternative path for contractor cybersecurity.

First, it should stop the CMMC effort and in its place develop a more holistic, risk-based regime primarily focused on our most sensitive classified information. If we find it necessary to spend additional billions a year on security, it should first be focused on protecting our most important information. Next, for unclassified data, DoD should continually review what leading industries such as finance and insurance are doing to protect their data, to learn best practices for preventing hacking and theft of this information. Those and other practices (with plenty of industry input), plus real-time threat knowledge, should be continuously shared across the defense industrial base. DoD should help shepherd adoption of these practices, acting as a partner to its suppliers. The end goal of this process should be higher walls around what really needs to be protected, starting with actual classified information, and lower walls around other information that is much less of a priority to protect.

In the end, DoD and industry both want the same goals: cybersecurity for information that matters for business and our national defense. CMMC 2.0 is not the way to achieve these objectives and it would be best for DoD to cancel the project. If it doesn’t, Congress should act before too many resources are wasted on this effort.

William C. Greenwalt is a nonresident senior fellow at the American Enterprise Institute and a former deputy undersecretary of defense for industrial policy.