GAO warns DOD’s CMMC fix could become the program’s biggest threat

Waivers are a legitimate risk management tool, but the Government Accountability Office believes over-reliance on them could undermine the cyber and supply chain security initiative's core premise.
The Defense Department has made a lot of progress building out the Cybersecurity Maturity Model Certification program, but a Government Accountability Office report found there are still risks that could undermine the effort.
DOD has not done enough to address several external risks to CMMC and the department is leaning too heavily on one particular tool to address those external risks.
That’s the assessment of Joseph Kirschbaum, one of the authors of the report, “DOD Should Address External Factors That Could Impede Program Implementation.” He spoke at Washington Technology’s April 3 Power Breakfast on securing the supply chain.
GAO looked at ecosystem capacity and questions around whether there will be enough assessors and assessor organizations to independently certify that contractors are complying with the NIST 800-171 standard, which describes how to protect controlled unclassified information.
CMMC relies on NIST 800-171 revision 2, but revision 3 has already been released. GAO questioned how DOD plans to incorporate revisions going forward.
GAO also raised concerns about how contractors and DOD will manage different security frameworks, for example those governing how classified data is protected and those setting physical security requirements.
But Kirschbaum's sharpest warning was about DOD's default answer to all of these factors: waivers.
“Thus far the department’s response has been to offer waivers of assessments in certain circumstances,” he said. “Those assessments are the bedrock of the entire program.”
While waivers are a legitimate risk management tool, an over-reliance on them can undercut CMMC’s core premise.
"You're really setting up a house of cards," Kirschbaum said.
Waivers also set up an issue around fairness. Companies that went through the time and expense of earning their CMMC certifications could find themselves competing against contractors who received waivers, he said.
While GAO did not recommend alternatives to waivers, it has asked DOD to look deeper into available risk management tools and the goals of the program. A risk management plan needs to circle back to the goals of the program, Kirschbaum said.
DOD also needs to work on how it incorporates future revisions to the NIST standard that CMMC is built on. DOD should already be mapping how CMMC will move from Revision 2 to Revision 3.
But cyber threats are constantly evolving, so more revisions are expected.
"There will be threats that come up," he said. "They've got to already have that structure in place so they can respond quickly."
Right now, that structure does not exist. A longer-term issue facing DOD and industry involves overlapping security requirements.
CMMC covers controlled unclassified information. The National Industrial Security Program covers classified work, physical security standards and other requirements.
There is a lot of redundancy among these programs, and GAO said there should be efforts to rationalize and harmonize the different standards.
One suggestion by Kirschbaum is to use CMMC as a baseline toward meeting other requirements, rather than forcing contractors to manage multiple compliance tracks.
"That's the kind of thing that's going to be more important going forward," he said.