You can hardly swing a cat these days and not hit somebody talking about the Cybersecurity Maturity Model Certification program. That’s the Defense Department’s strategy for buttoning up the defense industrial base. Chris Golden said the CMMC approach is good in theory, but lacks anywhere near the resources it needs to get it done. He’s not only director of Information Security at Horizon Blue Cross Blue Shield of New Jersey, but also a founding member of the CMMC accreditation body. He joined Federal Drive with Tom Temin for more discussion.
Tom Temin: Mr. Golden, good to have you on.
Chris Golden: Hey, good morning. Thanks for having me.
Tom Temin: And you’ve written a white paper detailing some of what you feel are the shortcomings of the CMMC program. And let’s talk about that resourcing, especially with the fact that even minimally to get every company just on the defense side accredited in their CMMC and having the controls in place, it would take 5,000 third-party assessors. There’s nowhere near that number. And we go from there. Tell us your thinking there.
Chris Golden: Yeah. So when I was with the accreditation body, I created and trained all the provisional assessors that are out in the ecosystem right now. And there’s about 100 of them or so. And we also trained a number of folks from DCMA’s DIBCAC area that does assessments for 171 currently, so they’re going to do some CMMC level three assessments. I actually saw in the news lately that they finally completed their first one on a C3PAO. So the first C3PO completed their CMMC level three assessment,
Tom Temin: Just define find some of those acronyms.
Chris Golden: Sorry, DCMA is the Defense Contract Management Agency, so they’re the ones that actually make sure people that have contracts are sort of doing what they’re supposed to do. And DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center is what the acronym stands for. Again, they normally go out and do a NIST 171 assessment of a company to make sure they’re following that clause in their contract. And this is the first CMMC assessment even though very, very close, subtley different between those two things. But they did the first C3PAO because that’s a C3PO requirement to have a level three assessment done before they can go out and start doing their own assessments on the DIB.
Tom Temin: Yeah, you almost need a whiteboard to keep track of all of the elements of the CMMC program –
Chris Golden: Multiple Venn diagrams.
Tom Temin: Right. So still, after two-and-a-half years or so just the first few assessments are starting to trickle out. So what about the scaling needed? There’s, I think you right, that there’s a good 300-, 350,000 entities that would need to be accredited here.
Chris Golden: The plan was that DoD would release only a few pilot contracts. And we’ve certainly seen a number of fits and starts from the DoD as to which ones they want to do and when they want to start, etc. And so when we use that number of pilot contracts, and we sort of did some back of the napkin math, how many people would be bidding on these contracts, how many subs would be involved, we came up with a number of about 500 assessments between sort of when the contract was RFI’d, and when the contract was awarded, that would need to be completed. That’s where the 100 assessors came from. It was to do just that 500 assessments. But yeah, over time, we’re certainly going to have to scale to over 5,000 probably assessors in the ecosystem to do more than 100,000 of these assessments per year, because right now, the assessments going to be good for once every three years. So again, back in the napkin math, you’re doing about 100-, 120,000 assessments per year. So we thought the 5,000 number would be a number that would be in that range to do that, especially if you consider that probably the vast majority of companies in the defense industrial base will only ever be CMMC level one. It’s going to be a much smaller percentage that will be CMMC level three, which is going to take more people and more time to do a level three, but frankly, a level one, an individual assessor about a day probably, on average, okay, when we started doing that math, we come up with a 5,000 number that we need to sort of handle the ecosystem.
Tom Temin: And then there’s also hints that the CMMC program could spread to the civilian agencies, and therefore some unknown number of additional or marginal numbers of companies added into the mix. So then you’ve got more scaling issues.
Chris Golden: You’ve already seen Department of Homeland Security and the General Services Administration (GSA) put in what I would call contingency CMMC clauses in their contracts, they basically say, “Hey, we may change this contract to include a CMMC requirement. We’ll let you know after you sign” – it kind of thing. So these other government agencies are leaning in that direction, I think it’s probably going to be pretty obvious that most of them will go there. And eventually, it’ll be a whole of government approach. And then I think you’ll start seeing it go to people that don’t do any contracting with the government, right? Once the regulators start looking at and going, hey, in healthcare let’s say – that’s the area I work in – maybe a regulator says, “Well, maybe I’ll take a SOC 2 type 2 audit this year, but next year, maybe the CMMC thing is what I really need? Maybe that’s a better approach to managing risk?” And so once you see that happen, you’ll see sort of grow and balloon, and then we haven’t even talked internationally as our international partners, who do participate in the supply chain and will have to be CMMC-assessed but how do they fit into this sort of big puzzle as it sort of goes global? So yeah, there’s a potential here for a huge ballooning of this thing.
Tom Temin: We’re speaking with Chris Golden, director of Information Security at Horizon Blue Cross Blue Shield of New Jersey, and a founding member of the CMMC accreditation body. And the other point or one of the other big points in your white paper is that for small companies, this is expensive, and they may not have the resources. Even if they can get to the point of getting that level one, you’ve got to keep up with this stuff because it’s a fast-moving target keeping up with cybersecurity threats. And so you’re suggesting some sort of possible shared service offered by the government, where these companies could simply shift their IT resources to be in a safe zone. Tell us more about that idea.
Chris Golden: Yeah, I’m not sure it’s going to be offered by the government. But it’s certainly going to be heavily partnered with the government. And so yeah, so as we’re building the system out, trying to figure out A) How do you make this cost effective for the small business, right? So if you’ve got three or four people in a garage with a dog, and they’re providing whatever service it is to DoD how do you make it easy for them to A) not only be compliant, but B) What you said – how do you maintain that compliancy, right, over time in that three-year window, where nobody’s looking at you? And there wasn’t a great answer. And so a lot of these companies have zero IT staff, right, they don’t have a single person that is responsible for IT, they have zero security staff. And they frankly, don’t want to do that. They want to focus on their business, whatever their core business is they want to focus on that. They do not want to worry about all this kind of stuff. So the thought was that you create an environment that is shared amongst all the DIB – the defense industrial base – that is partnered highly with the government. So we’re getting decent threat intelligence from them to be able to modify things. And now it’s sort of a one stop shop, where you can just say, hey, I want you to either A) Store my sensitive data, so I don’t have to worry about it because I’m not capable, probably, of storing it correctly, or B) Hey, can you take care of all my IT infrastructure stuff, because I don’t want to do it, and I have no idea how to do it? And there’s a pendulum there that will swing across that spectrum and, and a lot of different things will fall in between. But that’s sort of the two ends of – the bookends there that will allow companies to be compliant with CMMC and still stay and do what they want to do, without it being super cost effective. And so you’re talking about basically a cloud instance, where you sign up for like a subscription fee, and we have no idea what that’s going to be but it’s not going to be onerous, it’s not going to be, ending to the business line, basically. And then we do the rest, right, we just take over. We’ll make sure everything’s CMMC level three, four, or five compliant over time. We’ll make sure you’re getting the data you want, and it’s safe and secure. And all those kind of things are now taken for you done, as sort of a service and we can enable all these small businesses to stay within the defense industrial base, because obviously, we don’t want a lot of them leaving the defense industrial base. That changes the security risk equation significantly, when you have a significant movement away from these companies to say, hey, it’s too expensive, I can’t participate in ecosystem anymore. I’m gonna go do contracting for hospitals or something instead, because I can make money there, I can’t make money with DoD. And so when you wrap all that stuff together, this was the best way we thought to do it. And leveraging sort of a one stop shop, you can really lock this stuff down, right? All the cybersecurity stuff, I do all the new stuff coming out, let’s talk about quantum, holographic memory, all that kind of stuff, you can – machine learning, artificial intelligence – you can really leverage all that stuff almost in real time to get the best thing for right now, where if you tried to roll it out to 350,000 companies, it would take years, just to do an incremental change. So that’s why we thought it was a good idea.
Tom Temin: I would think to that, if I’m a ransomware hacker, what I would do is target companies that say, just got their certification under CMMC, wait a couple of months, and knowing that the search light won’t come around for three years, that’s the time to hit them.
Chris Golden: I think our adversaries, the DoD estimates that we’re losing about $600 billion – and that’s with a B – dollars of intellectual property a year to our adversaries through the supply chain. And so they’re not going to just roll over. I would certainly expect some kind of discreditation to occur. Once a company achieves their CMMC level three certification, the bad guys are going to specifically target them to show “Hey, it doesn’t work,” right? Even though it is much more onerous for them to break in now. And if they want to break in, they’re gonna break in. I mean, that’s just the nature of cybersecurity, there’s no such thing as perfect cybersecurity, just like there’s no such thing as zero risk. And to show, “Hey – put it on the dark web – hey, we broke into this company, and here’s all their stuff, even though they’re CMMC level three, so it doesn’t work,” in an attempt to discredit the program, because the level of effort to break in that company was monumentally higher than it used to be, and they don’t want to do that, right? They don’t want to invest that level of resource to break in to these companies. And so we make it harder across the board. Well, they absolutely will want to discredit that. So I anticipate that happening.
Tom Temin: And what’s your best assessment, not to use a pun, for where CMMC will be a year from now, do you think, in reality?
Chris Golden: Well, it really depends on the DoD. Right now, there’s a 30-day review that’s a couple, 30 days late. As to how the program’s going, as the new administration came in, obviously, there were questions and thoughts on possible new directions. I have not been intimately involved with those so I really can’t tell you sort of where it’s going. I’m sort of waiting with everybody else to see what the report says. But there could be a lot of changes coming. Will they cancel the contract and then go sort of pick an accreditation body that’s a little bit more mature and capable of handling this? Could be, don’t know. Could they modify the contract to do different things to maybe take training away from the accreditation body, just sort of do the ISO kind of standard? Yeah, that’s certainly a possibility as well, but again, I don’t know. So I’m not sure where it is. I’d like to think about a year from now we’re probably doing in the world of 50,000 assessments a year or something like that as we begin the scaling process, so we go from about 500 to 50,000. We’ve got another 500 or so assessors on the street certified and trained ready to go, and the program is off and running. But I really don’t know again, sort of how those conversations are going since I came off the board in February or March.
Tom Temin: Chris Golden is director of Information Security at Horizon Blue Cross Blue Shield of New Jersey, and a founding member of the CMMC accreditation body. Thanks so much for joining me.
Chris Golden: It was my pleasure. Thanks for having me.