Someone once suggested I introduce myself with the line “If you see hackers, you see Usi.” Perhaps they presumed that people who did not know me would then remember how to pronounce my name, and possibly remember who I am.
Throughout my life, teachers, teammates, college professors, coworkers, and leaders have frequently mentioned that my name is confusing to pronounce. For years I rarely gave it much thought, until I started my career building internet backbones in a world of tech acronyms.
A colleague of mine once said: “You are lucky. The spelling of your name is easy to remember because it has three letters, much like many of the acronyms in the tech world.” He further posited: “Things in threes are way easier to remember.”
So, now that my name is embedded in your memory, I am encouraged, delighted, and relieved that the CMMC 2.0 changes included a simplification from five levels to three. I also believe that the psychology of “the magic of threes” benefits the new tiering model, because non-technical leaders can easily understand anything that comes in threes. In the spirit of the glass being half full, I propose that we celebrate the new CMMC 2.0 in spite of the aches, pains, and grumblings that followed the change.
In the spirit of simpler reading, I have tried to organize this article in threes as well.
The Good, the Bad, and the Unpleasant: CMMC 1.0, Its Challenges, and the Justification for 2.0
CMMC 2.0, now a three-level model, was redesigned and released late last year to what we might call the “raised eyebrows” of about 2,000 registered practitioners, more than 100,000 Defense Industrial Base (DIB) companies and their subcontractors, and a frustrated supply chain of vendors who had invested in CMMC because primes and DIB companies cascaded CMMC 1.0 requirements down to them.
Notably, the veterans who work for Omnistruct often described the hard deadlines for Maturity Level 3 (ML3), imposed on the entire ecosystem in the midst of a pandemic, as “untenable.”
First, we want to cover the “why, what, and how” of CMMC 1.0 – The Good
- Why – Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) must be Safeguarded
- What – Setting an enforceable cybersecurity standard, through regulation, policy, and contracting, for Department of Defense (DoD) Defense Industrial Base companies as part of the acquisition strategy
- How – Using the tiered CMMC model, implemented through federal contracts and audited by certified assessors trained and accredited by a governing body (the CMMC Accreditation Body, CMMC-AB)
Second, CMMC 1.0 Major Problems – The Bad
- Why – CMMC 1.0 was a slog, complicated, and made worse by the pandemic
- What – Scaling back the program was needed to move faster
- How – Having to predict in advance which data classifications (FCI or CUI) a contract would carry caused confusion about which CMMC maturity level to prepare for
Third, let us cover the CMMC 1.0 change justification to CMMC 2.0 – The Unpleasant
- Why – The CMMC 1.0 assessment system had issues, DIB and CMMC-AB progress was off schedule overall, and small businesses were hurting from the resource load of CMMC compliance
- What – The five-tier model and assessment system needed streamlining, Plans of Action and Milestones (POA&Ms) needed to be allowed, and compliance needed to be affordable and reasonable for small businesses
- How – Levels 2 and 4 were removed for simplification, POA&Ms were allowed, self-assessment eligibility was expanded for small businesses, and oversight of the assessment ecosystem was enhanced
Why CMMC 2.0 Is the Right Direction
Simplification of Tiers
CMMC 1.0 was designed with the right intent and mindset, but, as with the 1.0 of just about any launch, everyone discovered that it lacked practicality. After a number of engagements, confusion about timelines, scopes, and the assessment ecosystem was creating more questions than it answered.
The original five-tier system had many of our practitioners looking at Level 2 as transient and needless. The virtual watercooler chats in our engineering channels frequently included comments about why Level 2 existed when Level 1 and Level 3 seemed to cover what reasonably mattered.
Additionally, Level 4 seemed to suffer from an identity crisis: many of our practitioners and customers questioned whether the mystery box that was Level 4 had been added simply to make a total of five levels (the second most appealing odd number after three) instead of an aesthetically unappealing four.
With CMMC 2.0 scaled back to three levels, and the numbering de-emphasized by the rebranded descriptors Foundational (old Level 1), Advanced (old Level 3, now aligned to NIST SP 800-171), and Expert (old Level 5, now based on NIST SP 800-172), the magic of threes now presides. Notably, even the third-party assessments are triennial.
Sadly, the satisfaction of threes ended when the assessment ecosystem split the Advanced (new Level 2) assessment in two: an annual self-assessment for most entities, and a triennial third-party assessment for DIB companies handling information critical to national security. We have opinions on this, which we voice below, as I imagine this decision will be a curveball of confusion for many.
Streamlined So We All Go Faster
We already know that hackers are winning the ground war of cybersecurity, especially where bad cyber hygiene prevails and cyber posture is poor. Considering that CMMC 1.0 progress among the DIB was slow, and that the CMMC-AB assessment ecosystem was crawling along, a “Keep It Simple Simon” (KISS) streamlining approach was needed for the CMMC 2.0 update.
We all like to make wise investments, and the allowance of a POA&M, a plan that improves cyber posture reasonably over time, is welcome. Practitioners and experienced DIB companies also benefit from an already familiar process and framework on a committed schedule with predictable budgets. The concession is that we grudgingly give up ground to attackers who target the DIB company gaps that a POA&M marks as less critical; note that DoD described CMMC 2.0 POA&Ms as strictly time-bound, with the highest-weighted requirements not eligible for deferral, so a POA&M is a scheduling tool, not a way to postpone the controls that matter most. Through POA&M allowances and NIST 800-171 guardrails at the Foundational and Advanced levels, DIB companies can adopt a long-term acquisition strategy that spreads out and prioritizes the financial burden of compliance over time.
Our team of Registered Practitioners (RPs) and Certified Professionals (CPs) fully expected increased oversight of the assessment ecosystem in version 2.0, and all of them were relieved by how the change commits to increased oversight of professional and ethical standards. Some of our key CMMC practice leaders also recognized that expanded self-assessment will immediately reduce the sheer number of companies that need a third-party assessment, which lets everyone move faster on closing the critical gaps.
Small Businesses Have Better Footing to Compete
Anyone who has worked in federal or SLED (state, local, and education) markets will recognize that procurement prerequisites like CMMC are incredibly time consuming and difficult for a small business to integrate. The difficulty is greatest when the price of entry comes from a tiering system: larger competitors pursue the highest attainable compliance level as a competitive edge, and cash-poor small competitors are easily eliminated.
These tactics tend to rule out small businesses that cannot afford the compliance status needed to meet a contract requirement at even the lowest level of CMMC.
Since CMMC 2.0 allows self-assessment at Level 1 and, for non-prioritized acquisitions, at Level 2, small businesses can breathe a small sigh of relief: the set of contracts they can bid on without engaging a third-party assessor has expanded.
How Else Can CMMC Improve and Simplify?
The Use of NIST CSF and NIST PF for Service Providers of DIB Companies
One of my Stanford professors once lectured that scaling up requires both rigid and malleable methods. Rigid methods rely on prescriptive rules and processes where work is repeatable, methodical, and predictable, so you can build operational flywheels and produce quickly. Malleable methods instead use guardrails for business situations that are unpredictable or infrequent. NIST SP 800-171 is rigid and prescriptive, whereas the NIST Cybersecurity Framework (CSF) is malleable and built from guidelines, like guardrails.
These frameworks may also offer a path for micro-businesses, which are served predominantly by service providers, to reach CMMC attestation at scale, if attestation is delivered and regulated through an attestor service or through the DIB companies' service providers themselves.
Moreover, with over three million small businesses hiring outsourced IT and security help (an MSP or MSSP), regulating the MSP market against NIST CSF and the NIST Privacy Framework (PF) could be an alternative to NIST 800-171 for micro-businesses and subcontractors of DIB companies. We must concede that for this to work, either a regulatory body or a private-sector third-party administrator of cyber risk would have to emerge that could audit and attest the DIB company's service provider.
To be fair, NIST CSF and NIST PF are voluntary and guideline-focused. Even so, a security program built on either can be readily crosswalked to NIST 800-171, and because some privacy laws offer safe harbor to businesses that adopt NIST PF, adopting it is advisable regardless of your CMMC level.
Third-Party Administrator for Cyber Risk
The CMMC-AB has shown that we have room to grow in auditing, attestation, and accreditation oversight. The split of the new Level 2 assessment into two paths, conditional self-assessment versus triennial third-party assessment, might benefit from a new idea. Much as a third-party administrator (TPA) administers 401(k) plans, perhaps the CMMC-AB could mimic that concept by leaning on the existing base of Registered Provider Organizations (RPOs) and CMMC Third-Party Assessment Organizations (C3PAOs) to act as dedicated cyber risk administrators, a new “cyber TPA” market. These cyber TPAs could be required for all self-assessment conditions and could extend to administering NIST CSF and NIST PF at scale. I would also suggest that these third-party administrators be barred from selling security tools and services as part of their CMMC pledge. Granted, many professionals have already recognized that hiring the same company that sold and integrated your tooling to conduct your audit and attestation is easily called out as the fox guarding the henhouse.
This option will need further collaborative consideration. As things stand, if an attacker succeeds and an investigation is required, a self-assessed company reviewing its own controls may look a lot like a student grading their own final exam.
Concluding Point of View
CMMC's vision and mission must continue. Please recognize, with a sense of urgency, that threat actors are attacking at a faster pace and with greater sophistication every day. Your investment in CMMC is a critical priority that requires dedication, experience, and perseverance to stay the course in your strategy and in the protection of our Defense Industrial Base.
Advanced Persistent Threat (APT) actors understand that a blitz against the weak is most effective. Therefore, DIB companies need to invest in a cyber “air war” strategy of frameworks, governance, and reasonable controls that reduce cyber risk effectively. They should also adopt a core framework such as ISO/IEC 27001 (rigid) or NIST CSF (malleable) that can be crosswalked to the prescriptive controls of NIST 800-171. The US market, and the attorneys who represent and defend it, certainly favor the “reasonable” standard over prescriptive controls.
In our opinion, the CMMC 2.0 changes seem like a step back. However, CMMC will continue to morph, adapt, and improve. We are hopeful that future changes will include an alternative to the self-attestation approach of DFARS 252.204-7012, which had a poor track record. Admittedly, we believe the comprehensive data privacy laws of California, Colorado, and Virginia reflect the inevitability of a federal privacy law that will cascade down to self-attesters. We will be watching for overlaps and gaps between CMMC and privacy laws with our network of data privacy attorneys and cyber insurance providers.
Also, recognize that the data covered by CMMC (FCI and CUI) is not the same as other privacy data. We must also realize that the consumer data we collect, process, or have proximate access to is equally sacred and counts as privacy data. I am personally hopeful we all understand that privacy-relevant security incidents are now litigated, with sanctions that make a lost contract look like pocket change.
Importantly, with new privacy laws popping up globally, and with at least three US states (Connecticut, Ohio, and Utah) leaning into NIST CSF and NIST PF as a safe harbor option for businesses that use them, we suggest you avoid getting stuck in the mindset that CMMC will address all other requirements in privacy data protection.
Notably, every business will eventually have regulatory, contractual, and statutory requirements to meet, with pending consumer data-privacy legislation focused on holding business leaders personally accountable when they fail to keep sensitive data sacred. We are all subject to the looming checklists, regulations, and statutory requirements of the chaotic internet-delivered world we live and do business in.
Finally, CMMC was, and still is, about the need to invest in securing sensitive data against cyber threats. Your approach will require both the right mindset and the right footprint in strategy. Adapting to NIST 800-171 for CMMC should also be done with other regulatory and statutory requirements in mind. The train of cyber risk is coming, and if you are working on the CMMC tracks, you just might be standing on the high-speed rail tracks of California's CCPA/CPRA!
Omnistruct focuses on transferring cyber risk from service providers, and their customers, who are grappling to adopt security programs, privacy programs, and other demonstrable cyber posture illustrations so they can earn and retain business in an increasingly cyber-aware supply chain. If you are grappling with CMMC 2.0, FedRAMP, NIST SP 800-171, or NIST SP 800-53, you are not alone and might need some guidance. Call us at 916.484.1111.