Everything That Is Wrong With CMMC 2.0

This month’s release of the much-anticipated CMMC 2.0 left many of us in the world of cybersecurity shaking our heads.  We have been working diligently with the defense industrial base for several years now, even before the CMMC was created, to stop the bleeding of our defense secrets to our adversaries.  As a veteran and a Patriot, I, along with many other Americans, take this very serious problem personally. 

They say that pictures speak a thousand words, so here are just a few to illustrate my point.  These are American weapons systems, vs. their Chinese and Russian copies.

American Humvee vs. China’s “Hanma”.  There are at least three companies in China known to be building Humvee clones.

American F-22 Raptor, vs. Russian T-50:

Look familiar?  It’s not our venerated B2 Bomber or the RQ 170 Sentinel.  This is China’s “Skyhawk Drone”:

The blatant theft of American IP (Intellectual Property) isn’t limited to just military tech, either.  Here are Chinese copies of the Ford F-150 and the Chevrolet Colorado:

Even worse than these shameless copies, is the outright counterfeiting of American products.  Some of these counterfeits are so good that they are nearly indistinguishable, even to the company that designed them.  A cursory Internet search speaks volumes:

These are just a few examples of stolen/copied American technology – there are dozens and dozens more.  All of those weapon’s systems above were designed and developed at the toil and treasure of U.S. taxpayers, only to save our strategic competitors years of time and BILLONS of dollars in R&D.  There are about 300,000 total companies who participate in the DIB (Defense Industrial Base), and MOST of them are smaller companies that have very poor or even no cybersecurity.  I know this because I have personally assessed many dozens of them.  I even worked with some VERY large, international and/or publicly traded companies who do not take cybersecurity seriously and will not spend money on it.

300,000 companies make for one very large cybersecurity problem, so a little background is in order here.  After all, this is a massive problem – imagine the Marshall Plan of IT.  The first brick in the foundation for solving the DIB’s cybersecurity issue was laid via Executive Order 13556 – Controlled Unclassified Information, signed by President Obama November 4^th, 2010 – over 11 years ago now. 

It was this EO that laid down the tracks for NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  As of December 2015, DFARS 225.204-7012 required DoD contractors to implement NIST 800-171 “as soon as practical, but no later than December 31, 2017” – nearly 4 years ago as of this writing.  While this was a step in the right direction and many of the large prime contractors complied willfully, there was no enforcement mechanism at all, and contractors were permitted to “self-certify”.  Also, DFAR’s is a supplement to the FAR (Federal Acquisition Regulation) which consists of 37 chapters, with Chapter 1 alone having over 2,000 pages.  Many contractors were not even aware of EO 13446 or NIST 800-171, so they made no attempt to comply.  Like safety, cybersecurity is a cost center with no direct ROI so cost-conscious companies are simply not going to comply without enforcement.

That is where the CMMC (Cybersecurity Maturity Model Certification) came in.  Version 1.0 of the CMMC was released less than a year ago – January 31^st, 2020, with the hard-charging, take no prisoners Katie Arrington at the helm as CISO.  In June of 2021, Arrington was placed “on leave in connection with a suspected unauthorized disclosure of classified information from a military intelligence agency.”  Stringing someone up for unauthorized disclosure is like ticketing someone for jaywalking – literally anyone can be accused of this, and many including myself suspected an ulterior motive.  After dismissing Arrington, the CMMC was placed on hold pending an internal Pentagon review, and the results were a CMMC that now looked less like Mr. T. and more like Pee-wee Herman.

Snarkiness aside, let’s talk about why the CMMC 2.0 is such a major step backward over CMMC 1.0.  In an open letter to President Biden, the CMMC Information Institute has already covered 2.0’s failings very succinctly, so I am going to just summarize their five-page letter here.

• Self-Assessments Do Not Work. Prior to CMMC 1.0, contractors were permitted to self-assess and self-attest of their compliance.  Awareness of the requirements was weak.  CMMC 1.0 fixed this problem, where under CMMC 2.0 most contracts go back to self-assessments.  This is about as smart as allowing businesses to self-attest compliance with OSHA, the EPA, or the IRS.  I know from my own personal direct experience that the cybersecurity defenses of most DoD contractors are weak and easy to penetrate.

• CMMC 2.0 Creates the Wrong Incentives.  Self-assessments incentivize contractors to NOT report data and cybersecurity breaches because a breach will open an investigation that could lead to False Claims Act liability.

• CMMC 2.0 Claims to Make Compliance Affordable.  Contractors have been claiming for years that their cybersecurity programs already meet the DFAR’s requirements that CMMC 1.0 was intended to enforce.  If that was the case, there should be few new costs associated with CMMC apart from the assessments themselves.  Further, at a national level, getting the DIB CMMC compliant would be far cheaper (and less dangerous) than allowing the continued theft of our defense technology.

• CMMC 2.0 is the WRONG Approach.  Cost is not the sole basis upon which the decision to go back to self-assessments should be made, and there are many avenues through which the DoD can make grant monies available to small businesses.  This was already being done through the MEPs (Manufacturing Extension Partners) who I personally worked with, and even referred some of my clients to, in order to assist them with the costs of cybersecurity.

• CMMC 2.0 Sends the WRONG Message.  History has shown that contractors will only do the minimum required under their contracts and will try to save money by ducking requirements where they can.  This is exactly why multiple federal agencies such as the DSS (Defense Security Service), DCMA (Defense Contract Management Agency), and the DCAA (Defense Contract Audit Agency) exist.  Contractors are not going to comply with the CMMC if they think they can get away with not doing so.

• CMMC 2.0 Will Not Scale.    The CMMC 1.0 was designed by the CMMC-AB (Accreditation Body) specifically to meet the needs of the nearly 300,000 organizations in the Defense Supply Chain, by fostering competition within thousands of independent assessor companies all over the U.S.  This was accomplished SPECIFICALLY by mandating a third-party assessment.  Since the introduction of CMMC 2.0, there has already been a lot of talk by existing CMMC RPO’s (Registered Provider Organizations) who say they will not renew their $5,000/yr CMMC-AB membership.

• CMMC 2.0 Relegates CMMC to a DoD-only Standard.  Cybersecurity is more than just a defense problem, it is a national civic problem that affects literally all Americans daily lives.  As the DoD was the catalyst for the creation of the Internet itself, many cybersecurity professionals felt great hope that the CMMC would evolve along the lines of the National Electric Code, and in time become universally adopted.  The CMMC 1.0 was designed to be useful to not only the DoD but the entire federal government, the state governments, businesses, and the rest of the world, too.  CMMC 1.0 does NONE of this.

In simple terms, the CMMC 1.0 would do for Cybersecurity what OSHA does for safety – give it teeth.  CMMC 2.0 is like getting rid of OSHA’s inspectors to save money and expecting worker safety to improve.  Cybersecurity is expensive, but like safety programs, it is simply the cost of doing business.  Unless we want to continue getting robbed blind or get our warfighters killed using our own technology, CMMC 2.0 needs to be rethought.

 Jason McNew  

Senior Engineer, Cybersecurity Risk and Compliance, Appalachia Technologies 

Jason McNew is a CISSP and a CMMC RP (Registered Practitioner).  Jason, a United States Air Force veteran, holds a Master’s degree from Penn State University in Information Sciences, Cyber Security and Information Assurance, in addition to a Bachelor of Science and two Associate of Science degrees. Penn State’s Cyber Security program has been reviewed and endorsed by the National Security Agency (NSA) and the Department of Homeland Security (DHS).  He also worked for the White House Communications Agency from 2003 until 2015.  In 2017 he founded Stronghold Cyber Security, which was acquired by Appalachia Technologies in 2020.