My colleagues and I have been warning about the Department of Defense’s (DoD's) looming enforcement of DFARS clause 252.204-7012 for a while now, as many Tripwire customers handle government CUI. Inevitably, we are asked how long we think it will be until enforcement takes place. Our response is that enforcement will take place when compliance oversight is driven from the top down. Based on DoD’s May 23rd announcement, that’s exactly what’s happening. The good news is that the initial solution appears to be palatable.

In January of this year, Under Secretary for Defense Ellen M. Lord communicated her intent to audit the DoD supply chain for compliance with DFARS clause 252.204-7012. Later that month, during a hearing of the Senate Armed Services Committee, DoD CIO Dana Deasy suggested that compliance enforcement would be modeled after industry and could include a combination of validating certification of supplier systems, helping subcontractors strengthen their cyber hygiene, and applying AI to identify the areas of greatest vulnerability. Last month’s announcement of the Cyber Security Maturity Model Certification (CMMC) is the result.

What makes this so interesting (and hopeful) for those of us at Tripwire is that, with the CMMC, DoD appears to be addressing our customers’ core compliance pain points:
- Varying standards – It’s not always easy to read and/or interpret the DFARS standards. Under the new CMMC compliance, there will be ONE unified DoD cybersecurity standard that combines NIST SP 800-171, NIST SP 800-53, AIA MAS 9933, FIPS and others. In other words—one standard, one maturity model.
- Varying levels of security – CMMC requirements will not be “all or nothing.” There will be a range of CMMC compliance levels, and RFPs will reflect which level DoD requires for each contract.
- Affordability – Security will now be an allowable cost on DoD contracts.
- Supply chain verification – CMMC third-party certifiers will have the tools to conduct audits and to collect metrics and risk management information across the entire supply chain.
The CMMC appears to be a strategic and well-thought-out solution for prioritizing DFARS enforcement while, at the same time, helping small businesses improve their cyber hygiene and slowing the progress of the adversaries responsible for $600B of the government’s IT and R&D losses. A bite-sized approach to compliance will give our customers hope that they can in fact comply and continue winning the government’s business. In the meantime, we will be awaiting DoD’s release of the first CMMC draft this June and will provide our feedback as requested by the Office of the Assistant Secretary of Defense for Acquisition for Cyber across A&S.