CMMC in the Age of COVID-19

Last year, the Department of Defense began structuring the Cybersecurity Maturity Model Certification program.  The CMMC program does a number of things right.

· It draws from state-of-the-art standards promulgated by the National Institute of Standards and Technology (NIST), DoD itself, and the international security community.

· It requires third-party assessments in lieu of self-certification, which closes a potential loophole in current cybersecurity requirements.

· It includes the entire DoD industrial base – approximately 300,000 contractors and subcontractors.

· It recognizes that one size does not fit all – different levels of security are necessary, depending on the costs and benefits and specific contracts and sensitivity of the data that will be involved.

· It incorporates systems thinking that includes training of third-party assessors and an extended rollout of contracts to which CMMC will apply.

But any program that is as comprehensive as CMMC presents questions that can only be answered over time.  So, in the spirit of the Jewish Seder, in which the youngest child recites the “Four Questions,” we identify four questions about CMMC.  But unlike the child’s questions, which are answered during the Seder, the answers to these CMMC questions may not be known for months or even years.

Question 1 – Will speed impair effectiveness?  In Top Gun, Tom Cruise famously “feels the need for speed.”  But speed can kill.  DoD’s timetable is ambitious.  The program projects the establishment of certified third-party assessment organizations and the training, testing and licensing of 10,000 assessors, who will ultimately be assessing (and no doubt periodically reassessing) 300,000 companies.  DoD plans to release Requests for Proposals that include CMMC requirements in November.  Even in the best of times DoD’s timetable might be overly difficult to achieve.  In the age of the coronavirus the difficult may have become impossible.  Yet the cybersecurity threats that CMMC will address will not be slowed by the virus.  How will DoD reconcile the “need for speed” with the need for effectiveness?  In Louise Penny’s mystery series, Chief Inspector Gamache is known to caution, “Take your time.  I’d rather have a thoughtful answer than a fast one.”  Is that good advice for the CMMC team?  Or is the perfect the enemy of the good?

Question 2 – Will the level of detail included in the CMMC capabilities, processes, and practices lend itself to box-checking rather than a more holistic evaluation?  Professor Tribe has pointed out that in trials and other forms of decision-making, “hard variables tend to swamp the soft.”[1]  Can DoD steer clear of the “tyranny” of the hard variable?  There can be a temptation to conduct an assessment in an algorithmic way, looking at the trees but sometimes missing the forest.  The lure of this temptation is likely to be proportional to the level of detail and number of items that must be reviewed in an assessment.  And that lure will grow – even exponentially – when an assessment must be applied to 300,000 companies.  Effective cybersecurity protection will be enhanced if auditors can go beyond the boxes and provide a holistic, even if somewhat subjective, review.

Question 3 – Is the novel coronavirus itself a threat that should be incorporated into the CMMC program?  Security experts will tell you that the greatest security weakness in a system is not its hardware or even its software, but its liveware.  People – often for all the wrong reasons – are the most vulnerable part of the system.  How much more will this be true if the people whose experience and expertise are most needed to protect a system are themselves subject to a highly contagious disease that to date has no effective cure or vaccine?  The best system in the world – security or otherwise – will be next to useless if the critical “liveware” needed to manage and operate it is absent, or has to telework from remote locations that lack effective cybersecurity protection.  Should this risk be explicitly incorporated into CMMC?

Question 4 – Will CMMC become a ceiling rather than a floor?  CMMC is a huge undertaking, but it is not the only game in town.  Will CMMC “suck the oxygen out of the cybersecurity space” and become the de facto cybersecurity standard, leaving no room for other NIST, civilian agency, or other initiatives?  And is that, in turn, a good thing or a bad thing – will it streamline our protections, or will it limit them?

So there we have our Four Questions for the CMMC program.  As Nobel laureate physicist Niels Bohr (and later Yogi Berra) famously said, “prediction is difficult, especially about the future.”

DISCLAIMER: This blog expresses the views of the author and is not intended to represent the views of the Steptoe law firm or any of its clients.

————

Fred Geldon advises clients in connection with government contracts and compliance matters.

Prior to joining Steptoe, Fred was counsel for EDS US Government Solutions, the business unit of Electronic Data Systems Corporation (subsequently HP Enterprise Services) that performs contracts with agencies of the US government. In this role, he handled and supervised legal matters involving EDS’ federal government customers. Fred regularly represented, counseled, and trained EDS contract administrators and business units concerning all aspects of government contracts including bid preparation, bid protests, contract and subcontract negotiation, contract and regulatory interpretation, claims, terminations, compliance, organizational conflicts of interest, and disputes.

Prior to joining EDS, Fred was a partner in private practice, where he focused on government contracts, energy and commercial litigation. From 1983-1985, he served as Assistant Director of the Environmental and Occupational Disease Litigation section of the Torts Branch, Civil Division of the Department of Justice, where he supported the management of the nationwide asbestos litigation involving the United States. Fred began his legal career in 1973 as a law clerk to the Honorable William B. Bryant, Judge of the United States District Court for the District of Columbia. 

Fred is currently an Adjunct Professor of Computer Science at George Mason University, and conducts frequent training sessions for the Public Contracting Institute in Compliance, Organizational Conflicts of Interest, Fundamentals of Government Contracting, the Federal Acquisition Regulation, and a variety of other government contracts topics. Fred has lectured and participated in government contracts programs at the George Washington University National Law Center (Government Contracts Program), ESI International, the American Bar Association, the District of Columbia Bar, the National Contract Management Association, the American Corporate Counsel Association, Federal Systems Summit, GSA Trail Boss Program, Centre Consulting, Federal Publications, and Grant Thornton Government Contractor Roundtable. Fred also sings with the Fairfax Jubil-Aires barbershop chorus and Men In Stripes barbershop quartet.


[1] L. Tribe, “Trial by Mathematics,” 84 Harvard Law Review 1329, 1366 (1971)