Let’s Go DoD, There is Still Time to Fix CMMC.
Thank you, DoD, for showing us that you listen. In 2019 you listened and quickly created CMMC from the ether to answer a monumental need to secure our country’s supply chain. You showed you were listening again last week when you changed CMMC to address the concerns from contractors who felt CMMC 1.x was overly burdensome.
We hope that you are still listening.
In the 2 weeks or so since CMMC 2.0 was introduced, an army of industry experts have raised concerns that reducing the requirements on the bulk of the DoD supply chain is in direct contrast to President Biden’s Executive Order directive for a bold, all-of-government response to cybersecurity threats. Their concerns are real.
There is also the large cadre of our fellow Americans who, at your request, have invested time and treasure in building up the CMMC program. They have built RPOs, C3PAOs, LPPs, and LTPs to answer the CMMC call for action. Many understood the chicken-and-egg problem that faced the CMMC Accreditation Body (“CMMC-AB”) yet were willing to join the CMMC-AB’s ecosystem because they believed that you had analyzed the risks and created CMMC to address them. Government asked industry. Industry responded. Not with words. But with action and investment.
Net. Net. Net. In removing the mandatory third-party assessment requirement from CMMC, you have significantly weakened the CMMC program and hurt the very organizations that rose to your challenge at a time when our President is asking us to push and push hard in the opposite direction.
What if there is a fix? And a simple one at that.
Let’s start with the absolute basics. We all know that it isn’t the same to do your school homework and say that you did it vs. showing up the next day to be tested on the reading. Dropping the 3rd party certification requirement is EXACTLY the same thing. The cybersecurity posture of 300,000+ contractors will be better if they know they are prepping for a test.
Where CMMC certification is not mandatory, give extra “credit” to those contractors who invest in preparedness and get “tested.” Allocate a small, but non-trivial (e.g., 5%), portion of the acquisition score to whether the organization has an optional CMMC certification. If there are two companies bidding on a contract, pick the one with the good cybersecurity. The one that has had their cyber-readiness checked out. Use that SPRS system not just to validate contractors but to differentiate amongst them.
If you’re looking for precedents, we already have well-established preferences in procurement driven by a number of societal priorities. Small business set-asides, for example. How about a preference that answers the President’s call to action and encourages businesses across our nation to improve their cybersecurity? Let’s add one for contractors who have had their cybersecurity validated by a trained and approved C3PAO, even when they didn’t need to.
If an outright preference waters down the other set-asides and programs too much, there is another option. Make good and validated cyber a tiebreaker in procurement close calls.
Whatever the mechanism, make it more profitable to be secure than insecure. That simple market dynamic is all that matters.