CMMC: A Trip to Tartarus
So I normally don’t go in for the sensationalized headline. I abhor them in fact, but in this case, I think it is needed.
Put the breaks on, and as Tom from Compliance Forge says, let’s talk about this one. I am really serious that we are making this actually impossible. As a reasonable professional focused on CMMC I believe that through a combination of implementation and audit (right, I think audit not assessment now) moves we are moving into “undoable” territory.
This concerns me greatly. If we make CMMC unaccomplishable or nearly so, we will not help the DIB improve their cybersecurity. I know that hurting the DIB is far, far from the strategic intent, but by not fully understanding the impact (in the trenches, at the point where these controls have to be turned into actual work) of a number of decisions that all sound and feel “more secure,” I am firmly convinced we are doing exactly that.
I will make a prediction. None or nearly none of the C3PAO’s will be able to pass an assessment under the current assessment construct.
My bet in the “How many qualified C3PAO’s this year,” pool is 2. I may be shooting too high and that will likely include “adjustments” to the current assessment methods.
Now the first reaction I expect to this is, “My goodness, another whiner about how hard cybersecurity is? How many times do we have to say we are doing crawl, walk, run and making every accommodation for small and medium-sized business?” I would respectfully submit whining is not the case here. There has been a ton of that, and please don’t let these legitimate concerns be drowned out in the chorus of other complaints.
This is way harder than we thought
Katie, your comments at the Cortac group webinar that level 1 was what you should do at home, and John Ellis your comments that all you had to do was add MFA to your home network to be compliant at another illustrate that you really, really, really do not understand the amount of work that is required to establish a system, configure a system, document a system, and prepare 2 kinds of prof for a system meeting even the 59 assessment objectives of Level 1. Not 17 controls. 59. Not 130 controls at level 3. 705.
Through a series of decisions, we have turned CMMC from a Maturity Level framework assessment, into a controls audit, to very exacting standards, for which only a perfect score is good enough.
Where did we go wrong?
I would like to suggest to the professional community that this has gone wrong in two places. First the adoption of NIST 800-171A as the basis for the Assessment Guide, and second in deciding that every control must be fully met in order to pass. Maybe there are other places but I think those are the two main decisions that are driving the train off the tracks.
I fully admit I did not blink when I heard either decision. Both seem reasonable, and I fully concur with the problems we have seen about POAM’s. I am certain that the adoption of 171A has many more bureaucratic and regulatory good reasons than I have even thought of much less commented on. However, as I have been digging in to help clients and colleagues build compliant systems, I am becoming increasingly convinced that these two decisions have pushed us from a compliance journey into “A Journey to Tartarus; The CMMC Saga.”
Why is 171A a Bad Thing?
Well, quite simply because it adds a lot of work. No really, like 10X work. As one of our esteemed colleagues and leading voices in the community said to me a few weeks ago, “There are a lot of razor blades in there.” This is an understatement I have come to realize. I fully admit I did not appreciate it either, but it is entirely true. It significantly expands the requirements in many cases. I will take an example, and this is one I glanced up at my tracker and said “that works.” I did not have to dig for one.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems [a] designated locations for malicious code protection are identified;
So we have the level 1 requirement, quite reasonable, to have malware protection/anti-virus software where it makes sense. This leaves a gap for things like OT where maybe it does not make sense.
But 171A had to break it down. We have to “designate” locations as the first assessment objective. So that means we now have to decide exactly what those locations are, we have to write those locations down, and we have to keep that list of locations up to date. Now instead of spending time perhaps making sure that anti-virus is deployed and working everywhere, as it should be (a continuous battle, in reality, not fire and forget), we have added a paperwork component onto the top of that. But wait, it gets better. I have to prove that I am doing that with two forms of evidence. Again more work that feeds audits and not real security.
Now we are Auditing
From an audit (not assessment) perspective now the question is “show me where you have designated all the appropriate locations for antivirus.” Not designated? Fail all of CMMC, no cert whatsoever. This is a level one control. Instead of an assessor looking to see if they are meeting the spirit and intent of the control at a “moderate” maturity level (which is not all of everything done perfectly), we now have an auditor with a checklist, and needing 100% compliance.
In our strategy we talk about “technical debt” and that 171 implementation of the 110 controls is something that should already be done. But. 171A assessment objectives were not a part of that bargain. I was reading the implementation memo on DFARS 7012 today. Bottom of page 1, “There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess their own compliance with those requirements.” So when we imposed 171A on the DIB, that was new work, and we added very significant amounts of new work to the original 110 requirements in order to meet the assessment objectives.
No, you say! This cannot be true. It is true. I know. I worked for nearly a year on the CMMC implementation, and never once cracked 171A because it did not apply with regulatory enforcement. When the assessment guides were published, BAM, I went from 181 controls (really Level 3 is not 130, but we can argue that separately) and jumped to 705. Every piece of documentation had to be updated (so 150 ish pages of documentation, in 25 documents), and in a number of cases, my technical architecture had to be modified to meet the assessment objective requirements.
Every student needs 100% to pass
Again when we said no POAM’s and all controls must be met, I was good with that. This is important stuff and we need to get it right. And then I started looking at what it takes to make that true in the context of the 705 assessment objectives. As I worked with them more and more, and dug into what was actually required to make those assessment objectives true in every case, all the time, the more worried I have become.
There are several assessment objectives, AC.1.001 assessment object [f] for example, that I think I could fail almost every company in the DIB on. It requires, after you have thought about it for a while, deployment of a fully enforced network access control architecture to make “true” in nearly all but micro-company cases. This is a capability that I have only seen really done in one Fortune 10 company, and I am not sure that deployment was sufficient to make this compliant.
Oh but deploy an enclave to make it easier you say? “But of course, if you do this for your whole company that is too hard, you foolish neophyte. There are easy answers to all of this.” OK. You build and please publish the specifics of those easier answers for the rest of us. Bottom line for most companies, separating FCI into an enclave is not practical, and in general, there are no easy answers.
Expecting straight 100’s is not workable in the real world, even with very focused and very dedicated companies. This is NOT the standard the DoD holds itself to. All that is required for DoD is for the correct operational person to “risk accept” and we move on. That option has now been closed to contractors and only full compliance is enough. This is not workable.
Enter Tartarus for your audit with Darth
This was not supposed to be a 100% perfect compliant controls audit against an exacting standard. That is not the strategy or the vision, but effectively on the ground that is what this has been turned into. That will not work. In fact, it so obviously won’t work that I have been advised to sit back, grab my popcorn, and watch more violent explosions than a Michael Bay movie. I can’t do that. I hope you have finished your cup of coffee and at the top of the CMMC pyramid, you consider, that we have some very serious challenges that require real change if we are going to fulfill the vision of CMMC raising the bar for cybersecurity across the DIB.