A hidden risk every DoD contractor needs to understand as the CMMC changes start to affect their business
At a now infamous press conference in 2002, then Secretary of Defense Donald Rumsfeld answered a reporter’s question this way: “. . . as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know.” That’s a pretty fair assessment of where we stand in relation to Cybersecurity Maturity Model Certification (CMMC) 2.0 today.
Let’s start with the known-knowns. As many if not most of you are aware, for the past few years we’ve been preparing for the implementation of CMMC 1.0. As the deadline grew closer, some of the deficiencies of the model became clearer. First: getting a CMMC certification was going to be extremely difficult, not because the standards were unmeetable, but because certifying the whole Defense Industrial Base would have required an enormous number of Certified Third Party Assessment Organizations (C3PAOs) and assessors.
In an effort to simplify and streamline the process, without compromising cybersecurity standards, the DoD did a major overhaul of the model, resulting in CMMC 2.0. At a high level, the two major changes federal contractors need to be aware of are the new tiers of security and the shift, for Level 1 and part of Level 2, to annual self-attestation rather than C3PAO certification.
Where the original CMMC defined five discrete levels of security, 2.0 has only three: 1. Foundational, 2. Advanced and 3. Expert. The DoD expects the vast majority of contracts to fall into CMMC Level 1, which was likely a significant driving force behind allowing self-attestation. The government seems to want to ramp up voluntary CMMC compliance as quickly as possible, before the final rules are set.
Now for the known-unknowns, and there are a few. Let’s start with the big change for companies that will require Level 1 and the lower tier of CMMC Level 2: self-attestation. When this change was first announced, in-house IT experts and IT-savvy executives around the country probably breathed a sigh of relief. The bar for CMMC Level 1 is not set very high: it amounts to developing and maintaining baseline cybersecurity policies and procedures. Even so, auditing your present state of readiness to find and fix areas of vulnerability, let alone going through a CMMC certification process, will require time, effort and money. So self-attestation is better, right? At least it would keep your business in the game when, as expected, more and more government contracts call for an affirmation of readiness well before the eventual CMMC 2.0 deadline.
Not so fast. Self-assessment and affirmation are at best a double-edged sword.
About a month before CMMC 2.0 was announced, the Department of Justice (DOJ) made an announcement of its own: a new Civil Cyber-Fraud Initiative, which paves the way for civil actions against contractors who misrepresent their cybersecurity readiness. This initiative is based on the False Claims Act (FCA), which permits the government to bring civil actions against organizations and individuals and to recover treble damages (three times its actual damages), plus per-claim penalties. The FCA further allows the government to share money it recovers with whistleblowers who bring violations to its attention. (Full disclosure, I am a cybersecurity expert, not an attorney, but I do know how to use Google and put two and two together. For instance, in fiscal year 2020, the DOJ took in more than $2 billion under the FCA.)
The known-unknowns here include how words like “knowingly” and “misrepresents” will be defined. It’s no accident that CMMC 2.0 now requires the annual affirmation to be signed by a senior company official. If your annual self-assessment is audited and found incorrect or incomplete, could you be liable? What if you signed an affirmation based on a self-assessment your people made, without any intent to defraud, and that assessment was later deemed insufficiently detailed or rigorous?
Which takes us to the unknown-unknown. Let me be clear: my intention here is not to scare you, but it is to warn you. I’ve met with and provided services for many, many business owners, and I can tell you that very few of them were familiar enough with their own cybersecurity practices and policies to find the gaps.
Here’s why it pays to be proactive: CMMC 2.0 marks the third time since 2016 the DoD has announced new standards. While I and everyone in both the cybersecurity and DIB communities would like to assume CMMC 2.0 will be the final iteration, there could easily be a 3.0, 4.0 and so on. It’s more than reasonable to assume the basic security standards for the Foundational Level 1 status will stay the same because they are reasonable baselines that we should all adopt anyway, regardless of deadlines. They exist to protect you and your intellectual property and data as much as they do to protect the DoD’s.
There has been some talk of eventually offering an optional Level 1 certification, but it will take some time before that becomes available, if it does at all. Most likely, the C3PAOs will be busy with the required CMMC Level 2 certifications first.