How to shift CMMC for the future

While the goal of Cybersecurity Maturity Model Certification is to establish a unified standard for cybersecurity practices across the DOD, it does not directly address specific control expectations or risks associated with organization-specific threat actors.


As the security of IT systems and intellectual property moves closer to the center of American economic strategy, they deserve more investment and better defense. While critics from the legacy defense industrial base have questioned the value of the Department of Defense's Cybersecurity Maturity Model Certification (CMMC), it enables three key strategies: collecting actionable metrics and enabling risk scoring; balancing prevention and response capabilities and investments; and augmenting dedicated funds with cyber insurance and risk transfer via public-private partnerships and capital pooling.

Actionable metrics and risk scoring are needed to complement maturity-based benchmarking efforts. While the goal of CMMC is to establish a unified standard for cybersecurity practices across the DOD, it does not directly address specific control expectations or risks associated with organization-specific threat actors.

While contractors remain responsible for their security programs and practices, CMMC requires third-party assessments of contractors' compliance with the program's mandatory procedures based on vendors' maturity levels. These levels or tiers are statically defined and do not link to risk modeling. CMMC maturity data would be much more useful if data breach and incursion reporting requirements were strengthened and additional operational data was used to help enrich understanding of which types of exposures, threat actors, and breach events are linked.

If the public is ultimately expected to foot the bill for companies' compliance and the more expensive and onerous third-party assessor process, CMMC should include the breach and exposure data sets ultimately required to judge program efficacy in real terms.

Without breach and exposure data sets, learning will remain localized and collective improvements will be harder to come by and more opaque. Further, those who refuse to produce consistent, objective, and sufficient data to the DOD and Congress should be publicly named. Disclosure is a necessary step towards accountability. Our interdependence across the DIB and the integrated supply chain is far too strong to fail to enforce standards here.

The second way to improve CMMC is to help organizations attain a balance between prevention and response capabilities. Investing in a response system that extends across multiple supply chain entry points would increase resilience and help protect the public and private sectors' shared intellectual property and their common interest in innovation and security. In designing for more resilience and investing in preparedness, contractors must understand their relative level of exposure to common mode failures. If better incident disclosure requirements were enforced, tracking measures like mean-time-to-respond (MTTR) and mean-time-between-failures (MTBF) over a certain severity threshold would be a good start. As we've just seen with global health, properly investing in prevention can preclude the spread of a crippling outbreak that can damage systems and whole economies.

Finally, CMMC participants attaining higher certification levels should be able to access some pool of dedicated funds designed as a stop loss to make cyber insurance and risk finance efforts more cost-effective and improve coverage. Improving consistency and overall maturity of defense industrial base cybersecurity programs via CMMC is a good and fundamental first step, but ultimately private firms react to financial incentives.

CMMC could be made more powerful by providing caps on liability for firms that meet and exceed higher CMMC readiness levels. Let's be clear that the CMMC standard as written is not yet appropriate for this -- but a future version may be appropriately extended and linked to quantitative measures of security. The government will ultimately bear part of the financial risks associated with cyber, especially in the defense industrial base, but managing those risks and transferring them correctly is best left to the insurance industry. There are recent precedents for government intervention in cases where private balance sheets are insufficient: first, the Terrorism Risk Insurance Act, passed in the wake of the 9/11 attacks; second, the Pandemic Risk Insurance Act, as part of the broader response to COVID-19.

In the first case, the pricing and availability of terrorism insurance in the aftermath of the attacks became both chaotic and expensive, leaving the federal government as an insurer of last resort. The TRIA created a government reinsurance facility to provide insurance companies with reinsurance coverage following a declared terrorism event. This helped the insurance markets recover after 9/11 and gave them space to create correctly priced risk insurance. In the second case, the seismic impact of COVID-19 on businesses worldwide has once again made the government the insurer of last resort. The draft legislation would allow for the purchase of both TRIA and PRIA at an enhanced premium. It is easy to imagine that this should be the future trajectory of CMMC, given the rising risk that cyber incidents pose to contractors and the government, and the rate at which the world continues to become both more interconnected and interdependent. The inevitable associated complexity that comes with such a program should not be ignored or avoided but rather actively embraced, priced, and managed via appropriate collaboration between public and private entities.

CMMC's time has come. The current steps forward can provide incremental pressure to aid in compliance-driven modernization of the DIB, which remains far behind sectors such as financial services where regulatory oversight has had an overall positive effect on readiness. Instead of viewing CMMC from the perspective of defense contractors and the special interest groups that surround the sector, we should focus on emulating effective, innovative strategies from other sectors of the American economy -- preparing the DOD and the broader federal government for the future is too important to ignore our broader societal learnings. That means a future powered by data, with a deep and determined demand for data sharing in the interest of our collective defensive and readiness efforts. Let's make sure it pays to be a part of the solution, and let's ensure that an economically driven approach to CMMC is the ultimate end state.