Implementing NIST 800-171’s 110 cybersecurity controls is required now, no matter what may come of CMMC
The planned Cybersecurity Maturity Model Certification (CMMC) requirements for defense contractors are encountering significant delays, higher costs, and resistance. While these may just be growing pains, there are also alleged improprieties involving Department of Defense (DoD) and CMMC Accreditation Body (CMMC-AB) officials.
CMMC is a multilevel cybersecurity model that is supposed to be included in all defense contracts by 2025. All defense contractors, large and small, will be required to implement cybersecurity controls and be independently assessed. A perfect 100% assessment score of the implementation of the appropriate CMMC level controls will be required for certification by the CMMC-AB, meaning that contractors will not be able to delay the implementation of controls, as they can now.
In the meantime, all defense contractors that access, store, or process Controlled Unclassified Information (CUI) are now required to implement the 110 cybersecurity controls defined in NIST Special Publication 800-171, self-assess their implementation, and post a score in a federal database to qualify for new defense contracts or renewals of existing contracts.
The Defense Industrial Base (DIB) is made up of 300,000 businesses. A small percentage are prime federal contractors that bid on large projects like fighter jets, ships, military bases, and weapons systems. Because the DoD requires that a percentage of each contract must be completed by smaller businesses that subcontract to the large primes for components and services, many subcontractors are small and have fewer than 50 employees. Defense-related projects make up the majority of the revenue with some subcontractors, but many subcontractors rely more on commercial business, and defense contracting is just a small percentage of their revenue.
When CMMC was introduced in 2020, it was announced that assessor training and certification would take place by the summer of 2021. Now the goal is to have training in place by the end of 2021.
Also in 2020, the CMMC-AB announced that it expected hundreds of organizations to become Certified Third-Party Assessor Organizations (C3PAO) by the end of 2021. To date, only three companies have been certified. However, those certifications are provisional because the CMMC-AB has not yet been officially certified as an accreditation body, which will require organizational changes including spinning off its training program into a separate corporation.
An interim rule was published in the Federal Register that included several new requirements: the NIST 800-171 self-assessment, the ability for DoD auditors to validate the self-assessments, and, in federal fiscal year 2026, which begins in October 2025, the inclusion of CMMC in contracts.
It was expected that the interim rule would become a final rule by May 2021. Instead, the DoD announced that its Inspector General is conducting an “internal review” of CMMC and the current cybersecurity requirements, based on complaints about the program and alleged crimes and improprieties within the DoD and the CMMC-AB.
The requirement to implement the 110 cybersecurity controls in NIST SP 800-171 has been in place since the end of 2017. Because the DoD wasn’t aggressive in enforcing it, most contractors need to catch up to where they should have already been by 2017, plus the additional requirements that have been added to CMMC. There is no leeway in CMMC—a perfect assessment result is required for certification.
When CMMC was published in the Federal Register, it was stated that organizations that process CUI and are therefore required to pass a CMMC Level 3 assessment, would pay $51,095.60 in TOTAL costs to cover BOTH the CMMC assessment AND the anticipated remediations. This amount was reached based on the assumption that “Contractors pursuing a Level 3 Certification should have already implemented the 110 existing NIST SP 800-171 security requirements” as was required, meaning that the incremental steps to CMMC would not cost much. That ignored the 2019 DoD Inspector General audit of defense contractors showing that a whopping 90% of the contractors that had self-assessed their NIST 800-171 implementation failed the audit.
Recent proposals for CMMC Level 3 assessments for two small companies, with fewer than 50 employees each, have averaged $155,000, not counting the costs of any remediation. At a recent IT security conference where I spoke, IT company owners said they were seeing the need for over $100,000 in remediation costs alone for small clients to comply with CMMC.
One reason for higher assessment costs may be the CMMC-AB’s position that CMMC assessments will include home inspections for any employees working remotely, which the DoD subsequently said had not yet been decided.
CMMC board member Regan Edens said in a CMMC Town Hall that “[You] should be prepared for some sort of sampling of an organization that is doing distributed workforce for remote reasons will also have to be inspected in their work environment, whether that’s home or a rented office or any other facility.” This was soon countered by the head of the DoD’s Project Management Office, Stacy Bostjanick, who said, “We are in the process of clarifying the requirements for telework through the CIO’s office and will publish the clarification through the DoD website. The DoD is the responsible authority for setting cybersecurity requirements for the DIB sector and responsible for providing clarification and responses.”
When the CMMC-AB announced its participation levels, I signed up and sent $1,000 to get in line to become a C3PAO, plus an additional fee to become a CMMC-AB Registered Practitioner. I had budgeted the costs of training and certification for me, along with the fees and costs for our small organization to become accredited. The CMMC-AB said in its most recent Town Hall that the DoD is now likely to require that C3PAOs employ at least four assessors to qualify for the program. Talk about moving the goalposts! There was no mention of returning application fees for smaller organizations that cannot meet that new requirement.
How many small businesses can afford a quarter-million dollars for an assessment and remediation to qualify themselves for defense contracts? Small business owners may simply decide it is not worth the expense based on the revenue they earn from defense contracts, meaning that the defense industry will lose critical suppliers.
The CMMC: Not the Right Way to Fix the DIB Security Crisis, a white paper co-authored by Chris Golden, a founding board member of the CMMC-AB, states, “The current course of action is not only unsustainable but also not cost effective for the DIB. And if not quickly given other alternatives and/or support, many thousands of smaller companies will be forced to leave the DIB because they will be unable to comply with CMMC requirements.” The authors recommend that a more effective and cheaper solution would be a secure centralized cloud environment to house all CUI, rather than requiring over 300,000 defense contractors to individually implement separate secure environments.
I am currently working with a defense contractor that is very frustrated with the amount he is investing to implement NIST 800-171 to qualify for new contracts, even though he is just catching up to where he was supposed to be in 2017. He has been surprised to learn that the cloud services and security tools he has been using must be replaced with more expensive solutions that meet federal government standards.
Katie Arrington, the main Department of Defense official who has been in charge of CMMC since its inception, has been placed on leave based on allegations she disclosed classified information. Previously, there have been allegations that Arrington had committed ethics violations related to the CMMC-AB, which was supposed to be independently managed by an accreditation body that was disconnected from the DoD.
Allegations have been presented to the DoD Inspector General that the CMMC Accreditation Body itself has lied about its tax-exempt status on official documents (a felony), and board member Edens abruptly resigned after a CMMC-AB Advisory Council member alleged that Edens had unjustly enriched himself through his position with the CMMC-AB, a violation of the CMMC-AB Code of Professional Conduct. The board member in charge of training while the CMMC-AB looked to hire full-time staff abruptly resigned when a director of training was hired. Other ethical improprieties have been alleged in a formal complaint to the CMMC-AB.
I think the entire program will be revamped.
CMMC is currently too expensive and difficult for smaller contractors, which must pass an assessment with a perfect score after years of non-enforcement by the DoD of its current cybersecurity requirements.
The CMMC-AB has not been able to scale up to deliver training materials, certify trainers, and train hundreds of assessors. Imagine what will happen once 300,000 assessments back up in the certification process.
The delays with the final rule, the allegations of criminal activity by key CMMC figures in the DoD and CMMC-AB, and the “internal review” by the DoD Inspector General all indicate that the new DoD leadership is very concerned about CMMC. The politicians who fund and oversee the DoD, and who also represent large and small defense contractors, are also likely to weigh in.
I believe that the DoD will delay CMMC and revisit the requirements to make them less costly for smaller contractors. They may even find a different organization to manage the program, or move to a centralized cloud-based solution, which will take years to develop.
But don’t give up! The current requirements for the implementation of NIST 800-171’s 110 cybersecurity controls are required now, no matter what might come of CMMC.
I might be wrong, but there is so much smoke right now that there has to be a fire someplace.
About Mike Semel
Mike Semel is a recognized cybersecurity and compliance thought leader and expert. He is a CMMC Registered Practitioner, authored the Certified HIPAA Security Professional (CHSP) training course, and is the best-selling author of How to Avoid HIPAA Headaches. Semel Consulting specializes in helping organizations meet their cybersecurity and compliance requirements, including helping to ensure your cyber insurance will pay if you need it. www.semelconsulting.com