Malicious cyber actors increasingly target the defense industrial base for both economic and security gains. For example, in 2018, the Chinese government hacked a U.S. defense contractor and stole 614 gigabytes of sensitive material from the Navy’s Sea Dragon program. The Department of Defense (DOD) has since acknowledged that industrial base cybersecurity is insufficient and has suggested a new approach—the Cybersecurity Maturity Model Certification (CMMC)—to address future cyber threats. However, in its present instantiation, CMMC may create more problems than it solves.

Problems with Defense Industrial Base Cybersecurity

CMMC aims to address longstanding problems with DOD’s approach to industrial base cybersecurity. Presently, the Defense Federal Acquisition Regulation Supplement (DFARS) requires contractors to implement the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171 standards. DOD, however, rarely enforces these standards using audits and instead relies on companies to self-report their compliance.
Many companies—especially small businesses—struggle to implement NIST standards. DFARS allows these businesses to self-report that particular NIST requirements are not applicable and to propose alternative means to meet DOD’s cybersecurity objectives. DOD also allows companies to report their plans to comply with DFARS in the future. Unfortunately, hackers usually target the weak links in DOD’s supply chains, where future plans are no substitute for cybersecurity today.
CMMC addresses these problems by creating a new cybersecurity standard with five levels and a third-party accreditation body to perform audits. CMMC level one corresponds to basic cyber hygiene, level three corresponds approximately to NIST SP 800-171 standards, and levels four and above include protections against advanced threats. CMMC’s third-party accreditation body will assess all 300,000+ defense industrial base companies, assigning them a level—one through five—according to their cybersecurity posture. To compete for DOD contracts, companies must meet the CMMC level that DOD will specify in requests for proposals (RFP). Finally, rather than following a traditional process to update the DFARS, DOD plans to mandate CMMC soon by issuing a department-wide policy.
Unfortunately, DOD’s rush to implement CMMC may itself cause problems. DOD first announced that it was developing CMMC in March 2019, and it plans to mandate CMMC starting in fall 2020. Although numerous industry associations have urged DOD to slow down and follow a standard rulemaking process, DOD leadership demurred, warning that “our adversaries won’t wait.” While this may be true, DOD should also recognize that rushing to an incorrect solution will not solve any problems.
Instead, DOD should pause and first evaluate whether CMMC actually solves industrial base cybersecurity problems. Next, DOD should ensure that its plan to implement CMMC avoids creating new problems, where possible, and mitigates those that remain. Finally, if DOD decides to move forward with CMMC, it should consider alternative approaches that incrementally roll out and augment its current CMMC plan.
Problems CMMC May Not Solve

In its current instantiation, it is not clear that CMMC solves industrial base cybersecurity problems. First, DOD developed CMMC so that all companies, including small businesses, could be certified to at least level one. Some basic cyber hygiene is certainly better than none; however, if small businesses meet lower CMMC standards than big companies, they will remain the weakest links in DOD’s supply chain. Therefore, CMMC may perpetuate the status quo, where small companies are tempting and lucrative targets for hackers.
Furthermore, cyberattacks on small businesses are often most harmful when those businesses are subcontractors to larger primes. Prime contractors often provide unnecessary system-level information to their subcontractors. Small subcontractors—the kind that are of interest to hackers—often do not require this information to do their jobs.
Unnecessarily sharing information can have major consequences, as in 2017, when hackers obtained detailed F-35 information by attacking an Australia-based subcontractor. Although CMMC’s technical standards may make it harder to attack subcontractors, CMMC’s current process standards do not explicitly address unnecessary information sharing—the very problem that makes small businesses enticing targets in the first place. Information security standards are particularly important in light of the new digital twin and digital thread acquisition concepts. Securely applying these concepts—which integrate data across the entire supply chain—will not only require increased cybersecurity but careful information security as well.
Second, CMMC focuses on process rather than outcome. This means that CMMC’s auditors will check whether companies have security policies and capabilities in place but not whether those things actually work. It is also unclear whether there will be consequences for the business or accreditation body if a CMMC-certified company is hacked.
Finally, even with its third-party accreditation body, CMMC standards may be less enforceable than DOD’s current approach. Today’s approach—which levies cybersecurity requirements through the DFARS—is already enforceable; DOD just chooses not to enforce it. Furthermore, contractors are unlikely to challenge DFARS requirements, since they are standardized across programs and developed through established public processes. In contrast, CMMC requirements may be harder to enforce both inside and outside the Pentagon.
Inside the Pentagon, authority structures may hinder CMMC implementation. Specifically, the undersecretary of defense for acquisition and sustainment (USD(A&S)) plans to mandate CMMC via a department-wide policy. The decision and budget authority necessary to implement CMMC, however, resides in the military services. If the services do not allocate sufficient resources to implement CMMC, USD(A&S) has limited recourse. Although this may seem counterintuitive, it happens all the time: although USD(A&S) has explicit authority to write policy, it has limited authority to implement or enforce it.
Outside the Pentagon, companies may challenge the specific CMMC requirements that DOD levies on individual programs. To date, DOD has not explained how programs will determine which CMMC levels to require. Absent standard requirements, companies may challenge DOD on the grounds that CMMC requirements—at least as applied to individual programs—are arbitrary and capricious. Such challenges may make it harder for DOD to implement CMMC across the defense industrial base.
Problems CMMC May Create

In its current instantiation, CMMC also seems to create more problems than it solves. Today, CMMC’s biggest problem is that DOD has not addressed critical implementation details. If DOD rushes to enact CMMC, it will create confusion among the 300,000+ companies in its industrial base. It will also create additional delays, since DOD will be forced to address open questions in real time, across its entire industrial base, and when the stakes are invariably higher. To avoid a situation where CMMC creates additional problems, DOD should slow down and first address open questions related to contractor relationships, competition, and cost.
First, DOD should clarify how CMMC requirements will “flow down” from prime to subcontractors. For example, if DOD requires a prime contractor to be certified to CMMC level five, what level is required of its subcontractors? And who makes that determination, DOD or the prime? If a subcontractor fails an audit during the course of a program, what happens to the CMMC certification of the prime contractor?
Next, DOD should assess how CMMC will affect competition. For example, DOD stated that CMMC certification will be an allowable cost, meaning that companies with existing DOD contracts can charge DOD to get certified. How should companies without existing contracts or with firm fixed-price contracts pay for certification? For new companies that have never done business with DOD, will these costs be a barrier to entry? For established companies, will certification levels be public, and if so, how might this affect competition for non-DOD business? Furthermore, how will CMMC apply to companies that provide commercial goods or services to DOD or its prime contractors?
In addition to certification cost, DOD should also assess how compliance costs might affect competition—especially since CMMC standards differ from the private sector and from other government agencies. For example, will DOD approve alternative cybersecurity approaches that meet CMMC’s intent? Or will DOD waive requirements for small businesses, where compliance costs might be too high? If not, will CMMC limit DOD’s ability to work with small, non-traditional businesses and further exacerbate an already well-established problem?
Finally, DOD should estimate how much CMMC will cost. Before levying requirements on 300,000+ companies, DOD should estimate compliance and audit costs, as well as audit frequency. DOD should then use those estimates to levy cost-informed requirements on its industrial base.
In addition to levying cost-informed requirements, DOD should also develop a logical cost model. Today, DOD states that contractors will pay to be accredited, that security will be an allowable cost, and that, somehow, the accreditation body will be no cost to the government. Which one of these contradictory statements is correct? DOD should provide a feasible answer to this question before enacting CMMC.
Alternative Solutions

DOD is right to prioritize industrial base cybersecurity, and it is possible that CMMC is a good solution. DOD should be wary, however, of rushing to implement CMMC, because doing so may create more problems than it solves. Until DOD develops a detailed CMMC implementation plan, it should more aggressively use the cybersecurity tools that are already available in DFARS. The Navy, for example, recently directed acquisition programs to consider levying financial penalties on contractors that do not comply with NIST SP 800-171 standards. Other military services can take a similar approach.
Before enacting CMMC across its entire industrial base, DOD should initiate a pilot program first. Through this program, DOD should work with a handful of companies and answer the implementation questions that were outlined above. Using knowledge gained from implementing CMMC on a small scale, DOD should then develop a detailed plan to incrementally scale CMMC across the defense industrial base’s 300,000+ contractors. DOD should also use the pilot program to assess CMMC’s effectiveness and to evaluate alternative approaches to industrial base cybersecurity.
In assessing alternative approaches, DOD should be cognizant of its tendency to rush toward solutions that may create more problems than they solve. Although insufficient industrial base cybersecurity is an important problem, DOD has many priorities for the defense industrial base. New cybersecurity approaches should balance across these competing priorities by considering not only effectiveness and enforceability but also clarity, competition, and cost. It is unclear—at least for now—whether CMMC strikes the right balance.
Morgan Dwyer is a fellow in the International Security Program and deputy director for policy analysis in the Defense-Industrial Initiatives Group at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2019 by the Center for Strategic and International Studies. All rights reserved.