Right from the beginning, it seemed everyone was overly optimistic about how fast the Cybersecurity Maturity Model Certification (CMMC) could be rolled out across the defense industry to ensure the requirements could be included in all defense contracts starting in 2025. The only things that needed to be accomplished were to build an ecosystem of trained and certified assessors from scratch, and then, get over 300,000 companies that make up the Defense Industrial Base (DIB), to pass their cybersecurity assessments with perfect scores.
So, what could possibly go wrong? As it turned out, a lot of things.
The Department of Defense (DOD) created the CMMC requirements and signed a contract with a new organization — the CMMC Accreditation Body (CMMC-AB) — to implement the certification program. Assessments would be carried out by independent organizations that would then recommend that the CMMC-AB certify businesses that passed.
The CMMC announced a complex program that involved licensed training publishers creating licensed training materials to be taught by certified trainers in licensed training facilities. As a result, thousands of individuals would be trained as consultants and assessors, and organizations would go through a rigorous certification process and inspection to become a Certified Third-party Assessor Organization (C3PAO).
In recent months, the CMMC-AB hired its first Chief Executive Officer and a VP of Training and Development, who was the former head of training for CompTIA. Previously, the CMMC-AB was run by volunteer board members until it could generate revenue and hire full-time staff members.
Tremendous Delay in Training and Certification Processes
The training and certification for assessors stands delayed by at least six months. The training that was announced to be available in the summer of 2021 is now delayed at least until winter. Hundreds of assessor organizations were supposed to be certified in 2021. However, so far, only two companies have been certified, based on provisional requirements from the DOD until final requirements are approved.
Serious Allegations Against Senior Leaders
Allegations of crimes and impropriety have been leveled against some early leaders of CMMC, both in the DOD and the CMMC-AB. Katie Arrington, who headed the DOD department overseeing CMMC, was fired by the DOD for allegedly disclosing classified information. Simultaneously, multiple CMMC-AB board members have abruptly resigned amid allegations of fraud and self-dealing.
Indefinite Delay in Making the Interim Rule Final
An Interim Rule requiring a cybersecurity self-assessment, giving the DOD the power to audit contractors, and the requirement to implement CMMC by 2025, was supposed to be made a Final Rule in May. Instead, it has been delayed indefinitely, along with the final CMMC requirements, because the DOD Office of the Inspector General is currently conducting an “internal review” of CMMC based on complaints about crimes and ethical violations.
High Costs of Meeting CMMC Requirements
The CMMC requirements are under fire for being impossible and overly expensive for small defense contractors who, by far, make up the majority of businesses in the DIB. Since 2017, defense contractors that access, store or process Controlled Unclassified Information (CUI) have been required to implement the 110 cybersecurity controls in NIST Special Publication 800-171. But this requirement has never been aggressively enforced by the DOD. In 2019, an Inspector General audit of defense contractors showed that over 90% of them failed the audit.
For contractors that store or process CUI, it was optimistically anticipated that their total cost of a CMMC Level 3 assessment, including remediation costs, would be just over $50,000 in total. However, two small contractors, with fewer than 50 employees each, recently received CMMC Level 4 assessment proposals for over $150,000, excluding the cost of remediation. At a recent cybersecurity conference, MSPs were heard talking about their clients needing to invest over $100,000 to achieve compliance and be prepared for their audits. A big reason for these high costs is that the CMMC cost projections assumed contractors had already implemented NIST 800-171 even though the DOD knew that over 90% of them failed an audit.
One of the CMMC-AB’s original board members recently co-wrote a whitepaper suggesting that the high costs of implementing CMMC will result in thousands of small contractors deciding to stop working with the defense industry, leading to disastrous results.
A Big Opportunity Up for Grabs
While there are a lot of things going on with the CMMC, the current requirement to implement NIST 800-171’s 110 cybersecurity controls and post a self-assessment score to qualify for new and renewing defense contracts is in full effect. Whether or not CMMC is changed, the NIST 800-171 implementation requirements are a huge opportunity for MSPs to offer profitable products and services to defense contractors.
Focus on helping clients implement NIST 800-171, document their compliance and prepare them to post a self-assessment score. The self-assessment isn’t something that can be done just once and then be forgotten. At any time, the DOD can audit the contractor’s self-assessment, meaning that cybersecurity must be consistently implemented and documentation must be produced and retained in case of an audit or incident investigation. This is best done by automated tools to simplify the process and ensure the consistent implementation of cybersecurity controls.
Sign up for a free demo of Compliance Manager now to see how powerful compliance process automation and white-glove support can help you seize this lucrative opportunity.
