CMMC: What Are We Missing?
Posted on December 20, 2019 by Christian Doud
Unanswered Questions and Potential Pitfalls
As details of the new CMMC proposal trickle out from the Department of Defense and begin to coalesce into a real framework, industry insiders from the Defense Industrial Base and experts contributing to the recently-formed Accreditation Body (AB) have attempted to shed light on the morass.
This won’t be another 800-171. New terminology, new rules and an urgency unseen at the DoD outside of kinetic actions and humanitarian responses. There’s a raw pragmatism about the development of CMMC that has engendered both the expected commercial opportunism and a surprising amount of complaints, as evidenced by a quick perusal of Twitter, Reddit and other social media. These run the gamut from “this will NOT work” to “how will my microbusiness afford this?”. While the recent release of Model v0.7 revealed additional details for CMMC – particularly levels 4 & 5 – many questions remain.
I spent a few minutes talking with our General Counsel Chris Bukowski, Senior Engineer Pete Goyette and Project Manager Brig Slocum, to see how deep we could go down the proverbial rabbit hole. These three have been working in the DoD compliance space since the DIACAP days…
So, we know the benefit to the government is, in theory, a more secure supply chain. Is there an upside to industry?
CB: It’s going to be painful but the upside to industry is they’re going to curb liability. If there are breaches… there will be more breaches now than there are going to be when this is implemented. Those breaches become a liability. So, it’s going to be an upside like going in for checkups to the doctor.
BS: Along those lines, initially there might be a cost factor, but then, down the road, it would hopefully save costs and reduce breaches. So, it’s economical in the long run, not just a better cybersecurity posture.
CB: Rule of thumb: when you’re spending, those costs should save on liabilities/costs down the road.
Speaking of costs, Nick Bukowski [Blue Mantle’s Controller] recently wrote, “being an ‘allowable cost’ doesn’t equate to being free”. Can you explain this further?
PG: That would simply mean, for example, with a cost-type contract, where you can pass on allowable costs to the government, this could be rolled into Overhead or G&A expenses and be covered by the government. But it’s not free. If you didn’t have these controls to implement, you’d have lower G&A and overhead costs which might make your rates lower and might make you more competitive when bidding on follow-on government procurements. That is the difference. It’s not coming out of profit.
BS: And theoretically, the competitive aspect would be equal across the board since everyone has to do it. In a sense, everyone’s costs are going up.
PG: This is going to be applicable to all DoD vendors initially, presumably applied evenly to the playing field. Everybody will pay the same bill and it shouldn’t negatively affect rates too much. However, it could negatively impact a smaller business more than a larger business. If the cost to implement is uniform – say if you’re a 10-person company vs a 50-person company – you’re spreading those costs across the indirect rates of fewer people so it’s a greater proportion than a larger company.
In theory, that smaller business – or any business – would need to front this money because it needs to be done prior to bidding so a small company could be out thousands or even tens of thousands of dollars and then take years to recoup that money over the course of a contract.
BS: Not even just the size, but the level to which a company has already implemented certain Cybersecurity policies/procedures etc. Someone who hasn’t really done anything and now has to do this, their costs will be higher versus someone who’s already tried to implement something.
PG: It’s also going to be dependent upon the type of contract a small business has – if you’re a small business, and maybe you have a Firm Fixed Price (FFP), the fact that it’s an allowable cost, that’s irrelevant to you. You’ve got a firm fixed price! The fact that it’s an allowable cost, well you’re only getting your FFP even though you’ve incurred additional expenses. Or if you have a Time and Materials (T&M) contract – a lot of small businesses don’t have a DCAA-approved accounting system and the prime gives them a T&M contract – it being an allowable cost isn’t really relevant in that case either because they’re set rates. However, they might be able to go back to the prime and argue they want to increase their rates because I have additional costs the government is forcing me to do. They may be able to negotiate that, but it wouldn’t be a guarantee.
Have you seen that before? Has regulation changed mid-contract that prompted a sub to…?
CB: So initially it’s going to be implemented in June for RFIs – September for RFPs and RFQs. So the next few years it will only be implemented on new contracts. After 3-5 years…
BS: According to Arrington, I don’t think it will ever be implemented on options. I think she stated that it will only be part of new efforts/proposals/RFQs. I don’t know if that would apply. They would need to go back and update their rates.
PG: But it is the whole chicken and egg thing. You’ll have the situation where you’re incurring costs now to satisfy contracts in the future. So, if you currently have cost-type contracts and it’s presumably allowable, it would be able to be funded on that contract. If you had FFP or T&M, you’d have to go back to the prime or government or whoever and say, “I need additional money to implement these controls for CMMC that’s coming in the future”, and the government might say that’s fine. But you’d have to negotiate that…it’s up in the air.
The time frame seems to be a topic of conversation that keeps coming up – the general theme is this can’t be done by January or “there’s no way we see these RFIs in June”. There’s a lot of that chatter. We’ve already seen the release pushed to the end of January. Is there any chance this unfolds on schedule?
CB: My understanding is they’re trying to expedite it and that’s why they’re making it a contract requirement rather than a regulatory requirement which takes forever to implement. So I think they’re going to push for it. If it’s not June, it’s July.
BS: Especially if it’s just RFIs in the beginning. It’s like “we can put it in stuff and get a feel for things” – it’s not actually a proposal. It’s just a request for information and from what I’ve heard only some of the more advanced stuff… there’s at least a reasonable chance that we’ll see it in the RFIs. It’s going to be a slow-roll to implementation – I don’t think anyone’s hidden that.
PG: Right, and I think initially the first contracts are going to be the key critical ones first. They’re not pushing it out to all contracts starting in September; it’s the key ones and rolling it out to others…
BS: I think she mentioned, ideally, a full 5-year implementation plan.
PG: Right, but that is based on a lot of government contractors with a base and four option years. That’ll be expiring within the next five years and then it’ll become applicable. However, it does bring up the question that there are some larger contracts greater than 5 years and the question is how does this apply to those – will it become applicable in the middle of those contracts?
BS: Maybe with enough forewarning. “Hey, year six option, you have to have this implemented”.
Speaking of prioritization of companies being accredited – is there a method the Accrediting Body should go about this that makes the most sense? I say that because won’t larger companies move to the front of the line because they’re bidding on more contracts more often, if that’s how they prioritize this?
BS: There’s a lot of unknowns.
A lot of the comments floating around are conjecture – what it will cost to be level 4 or 5? Do we know any more today than we did 3 months ago? We’ve all seen the $3-5k estimate for an actual assessment.
BS: That $3-5k is for a Level 1. If you’re talking about Levels 4 & 5, I haven’t seen anything else. Regarding getting compliant, the sky’s the limit.
Which steers us back to what we were talking about earlier. If you have a sole proprietorship who does serious work and needs level 3 or 4, that’s potentially a huge up-front cost, right?
BS: My gut tells me that most companies that require a Level 3 would have some…it’s not like they’re starting from scratch. Then again, there’s a lot of firms getting calls from people that should know better but seem to not know what the DFARS requirements are or the NIST 800-171, so there may be companies that theoretically require a Level 3 but have to implement from step one which is going to be an expensive endeavor.
CB: My impression is they’re pushing this because of the ambiguity behind the DFARS and NIST requirements. I have a feeling that there’s a lot of people not compliant with 800-171 and they were supposed to be by December 2017. So they say “maybe we need to tweak this and make this less harsh on the guy mowing lawns on base”. Rather than saying to a bigger company with a SCIF, “you have to have a more senior-level sec posture”. I think this is compensating for the failure of DFARS and 800-171. That’s my impression.
PG: It’s giving it some teeth. There’s lots of stuff in the FAR and DFARS and stuff the government pushes down but that doesn’t mean people are compliant. A lot of times, especially small companies, they have these flow-down clauses from the prime or even small companies working directly with the government and they have these clauses and they just kind of sign it – they “read it” and sign it. This is a way for them to actually come in and verify they’re meeting this stuff.
CB: And proactively. This is preemptive, the DFARS with the Fraudulent Claims Act is reactive – if you did this and were found liable and you signed something that said you were 800-171 compliant, there’s going to be liability there. The CMMC is proactive.
BS: Wasn’t a contractor found guilty for exactly this?
CB: Yes, there have been a few cases where someone has self-certified and it wasn’t true.
Do we know anything more about what it will take to become a C3PAO or is it all still conjecture?
BS: I don’t think there’s anything new. There’s going to be training – that’s going to be determined by the AB. That body has been subdivided into working groups including a training group. There could be an accreditation for an entity to become a C3PAO and another certification or accreditation for an individual. We don’t know yet if a company will be certified or an individual or both. Beyond the fact that the AB will be providing the training, we don’t know much else.
Is this similar to how it worked for DIACAP or RMF? Did the government do the accreditation or training for industry?
BS: Particular program offices did this.
PG: They could subcontract the work out. You have a government system that needs to be accredited, you would need to go through the RMF process. If it’s low risk they might let you self-assess but usually involves a 3rd-party assessor to validate controls. Currently, this could be government employees or contractors.
BS: They directly pull from FIPS 200 which is where the families from NIST 800-53 and the RMF framework came from.
FCI is being thrown around – can you explain that a little further – the significance of that?
BS: It doesn’t rise to the level of CUI; FCI is information that isn’t intended for public release and is part of the contract between the government and the contractor. This could be actual language in a contract or information provided or developed during the exercise of the contract. Level 1s may contain FCI but never touch CUI.
Is there anything the government failed to answer before they threw it to industry? The talk has been “that happened fast” – what does the AB have to scramble to figure out?
BS: That’s an entire conversation unto itself. Everything left to the AB has been left unanswered – “this is the goal. You’re governing, training, accrediting” – and they’ve been thrown in the deep end. They have to determine the training requirements for C3PAOs, and the timeline for accreditation and re-accreditation for contractors was left for them to figure out.
CB: DoD said, “industry you’re going to be on the hook for this”. But who’s going to be liable?
This brings us full circle back to the purpose of CMMC: it gives teeth to Cybersecurity compliance. But at the very highest level, the teeth don’t exist, right? The AB could say “we don’t care about xyz”?
BS: Industry – hearing what the Professional Services Council has said and given the fact that DoD dropped this in their lap – has done a phenomenal job of scrambling and throwing it together, taking responsibility and forming AB groups. People have banded together. There’s a realization that this is serious, we need to do this with the exfiltration of data and threats to national security. People realize this needs to get done.
CB: With the DoD – it was kind of like parents saying, “here’s a bunch of chores that must be done by the end of the day”, but not assigning any…pretty neat to see how industry stepped up to the plate.