Leadership in the United States Department of Defense (DoD) is taking a hard look at the Cybersecurity Maturity Model Certification (CMMC) program and the accreditation body tasked with implementing the model. The DoD recently announced that it is conducting an “internal assessment” of the government’s relatively new CMMC program that’s meant to improve cybersecurity practices for all organizations conducting business with the defense department.
Additionally, the CMMC’s accreditation body (CMMC-AB) has announced Matthew Travis will serve at the body’s first CEO to oversee day-to-day operation and management. Travis most recently served as the Cybersecurity and Infrastructure Security Agency’s (CISA) first deputy director.
The CMMC is an initiative meant to improve cybersecurity across the broad number of manufacturers and service providers within the defense industrial base (DIB) that contract with the U.S. DoD. Any contractor or subcontractor providing parts, products, or services for the American military or the National Aeronautics and Space Administration (NASA) will be required to become CMMC certified by fiscal year 2026 in order to maintain contracts or receive new contracts with the government, according to Katie Arrington, the Pentagon’s chief Information security officer (CISO) for acquisition and sustainment.
In an effort to protect defense projects and information from falling into the wrong hands and ensure national security, the DoD created the CMMC requirements. The program outlines cybersecurity measures to be implemented at five different levels with Level 1 being the lowest security level. An increase in cyberattacks over the years by hackers and state actors alike, including China, have increased concerns that such proprietary information could be used against the United States.
CMMC Under Review
On March 30, 2021, FedScoop was the first to break the news that DoD is launching a review of the CMMC process to look for areas of improvement.
“As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” said Jessica Maxwell, DoD spokeswoman, in a statement. “This assessment will be used to identify potential improvements to the implementation of the program.”
Maxwell did not clarify why the review was started or when it is expected to be completed.
The CMMC-AB was created and authorized by the U.S. DoD “to be the sole authoritative source for the operationalization of the CMMC assessments and training with the DoD contractor community.” The CMMC-AB is tasked with development, oversight, and implementation of the CMMC program. After more than a year of developmental work, the DoD is in the early stages of implementing the CMMC requirements through pilot program contracts that started late last month.
Changes in Leadership
With a change in administration following the election of President Biden, new leadership within the Pentagon is implementing the review of the CMMC, which has already seen a great deal of controversy since its inception due to concerns about cost. Many organizations within the DIB that service the U.S. DoD and NASA have expressed apprehension regarding implementation of the CMMC requirements. This is due to the expense of audits and remediation of any shortfalls on the path to certification which fall to each contractor and subcontractor conducting business with the government agencies.
“It’s not surprising that a transition of administration would bring some attention to a program that’s this large and has…received as much attention as the CMMC program has up to this point,” said Corbin Evans, principal director of strategic programs at the National Defense Industrial Association (NDIA), in an online article by National Defense. “There’s certainly been a lot of conversations, not only among industry folks that we represent, but also by government around how exactly CMMC will work.”
Due to the government’s push to implement CMMC on the backs of manufacturers and contractors and a perception of a “pay to play” mentality, two members of the initial CMMC-AB were forced out of their leadership roles in September 2020. Both Chairman Ty Schieber and Mark Berman, head of communications, were voted off of the CMMC-AB after the launch of a “Partner Program,” according to a piece by FedScoop. According to the online article, that program would have cost tens of thousands of dollars for companies to be named as “partners” and has been rescinded “pending revision.”
In addition to the cost of achieving CMMC certification, contractors have also expressed concerns regarding how CMMC will be interpreted, implemented, and assessed. Evans questioned in the aforementioned National Defense piece, “How exactly will the controls contained within the CMMC be implemented and interpreted, and then ultimately assessed by a third-party... inspector? How will that be done consistently from organization to organization, keeping in mind that no two companies have the same style or set up for internal security and… trying to impose a common set of security standards?”
Cost of CMMC
Officials within the DoD estimate the cost of implementing Level 1 of the CMMC would be a few thousand dollars and have said contractors and subcontractors could work the cost of achieving CMMC into their contracts with the government. The NDIA, which represents many manufacturers in the DIB space, has expressed concern that the DoD estimates are far too low and the cost to achieve CMMC certification will be too costly for many smaller businesses to afford. If CMMC certification turns out to be too cost-prohibitive for suppliers, it could dramatically impact the supply chain for the DoD and DIB-affiliated organizations.
The First CEO
Following a national search, the CMMC-AB board announced earlier this week, it would be getting its first CEO. Travis, the former deputy director of the Cybersecurity and Infrastructure Security Agency (CISA), took over as CEO just yesterday, April 1. Travis will be responsible for leading the day-to-day operations of the CMMC-AB, according to a piece by GovConWire. He will ensure that the CMMC-AB operations fall in line with the DoD’s cybersecurity vetting program for the DIB.
“We are extremely thrilled to have someone as respected and accomplished as Mr. Travis lead the Accreditation Body,” said CMMC-AB Chair Karlton Johnson in a piece by Businesswire. “His organizational development skills as well as in-depth understanding of security and the Federal government will enable us to continue to quickly ramp-up AB operations and execute against our mission in service of the nation’s defense.”
Travis is a graduate of the University of Notre Dame and he earned his master’s degree in National Security Studies at Georgetown University. Travis’s experience before working at CISA includes serving as the vice president for homeland security at Cadmus, a security, energy, and environmental professional services firm. He is also a former naval officer who served aboard the guided-missile frigate USS Carr (FFG 52). Travis has also worked as a White House liaison to the Secretary of the Navy.