As part of its still evolving Cybersecurity Maturity Model Certification program, the Pentagon wants proof that its vendors are safeguarding sensitive information. A lot of vendors think the CMMC requirements are pretty onerous. As part of the 2021 Defense Authorization Bill, Congress asked DoD to show some evidence that the Pentagon is meeting the same cybersecurity standards it’s demanding from contractors. The short answer is no. For the longer answer, Joseph Kirschbaum, director for Defense Capability and Management Issues at the Government Accountability Office, spoke with Federal News Network’s Jared Serbu on the Federal Drive with Tom Temin.
Joseph Kirschbaum: The Code of Federal Regulations requires that federal systems, and those systems that support federal information, and especially information in that controlled unclassified information category, right, it’s not classified, but it is still sensitive in some way, shape, or form. It requires systems to be protected in terms of their confidentiality, information, who has access to it. And then along with that, to implement those things, the National Institute of Standards and Technology (NIST) has developed their own outlines and sets of standards for security controls for systems that manage the CUI. And for example, the Department of Defense has set up a framework, that’s the Cybersecurity Maturity Model Certification framework, the CMMC, specifically for companies that handle CUI for the Department of Defense, contractors, whatnot. And this was a way for them to better protect their own systems that handle CUI. So the CMMC basically took the NIST standards and set up things, standards that they would have to follow in order for those systems to be certified to handle information. So for example, the CMMC has 110 security control requirements that come from NIST that are required for systems. Then the DoD set up a way for companies to basically self-certify using third party assessors and things of that nature. And one of the things that the Congress was interested in was, they’ve heard a lot of pushback from contractors about the way CMMC has been rolled out, the requirements for certification, the way it was being handled. And at a fundamental level, the Congress was concerned about whether or not DoD themselves could meet the same security control standards as the CMMC. The first thing that the department did was determine that they were not going to use the CMMC as their standard for that report.
They used the department’s risk management framework, not to make any qualitative judgments about which is better, because frankly, they’re different. The department chose to use the risk management framework because it is different. It’s risk-based, versus compliance-based, which is what the CMMC is. The CMMC has a strict set of guidelines and companies must adhere to each one of those as a checklist in order to be certified. The Risk Management Framework is based on just that, an assessment of risk for different parts, which controls apply, which don’t, and when systems aren’t in compliance, a way to get them into compliance, which requires time, a plan of action, and efforts and termination. So that’s what the Department of Defense did, they rated themselves against that risk management framework to provide that picture to Congress about how they’re doing on cybersecurity.
Jared Serbu: That’s a really good setup. And let’s start with the CMMC piece. I almost think it makes sense to break that apart from the rest of DoD cybersecurity requirements, since that was sort of a new addition Congress added fairly recently, and this sort of what’s-good-for-the-goose-is-good-for-the-gander sort of question. Can we start with CMMC? And what’s the basic answer to that question, the extent to which DoD components are meeting the CMMC requirements?
Joseph Kirschbaum: So when we did our review of this report, we understood that’s what the department did, they used the risk management framework. We, however, were still looking at the original intent, which was to use CMMC. So we did, we took DoD’s data, and we went back to compare it to CMMC standards to see if they would have indeed met them. The answer, in short, is no, they would not have been in compliance with the same CMMC standards as any other companies. And that’s primarily because, not because they were any worse off in a lot of ways. But it’s because, for example, the department couldn’t fully meet those 110 absolutely required standards. And the reason is because DoD does not always apply those same standards. They apply a much broader set of standards. But depending on the risk of the individual system, they may not apply all at the same time. So essentially, DoD would not have been able to meet all the standards. And because they wouldn’t have been able to meet all of those standards, they would not have been held in compliance. That’s the way it works for CMMC. And the way it works for DoD is if you have a system that’s not in compliance, you have to develop a plan to get it in compliance. And that plan is built into your, whatever you want to call it, a waiver, or a way to get yourself into compliance, a bridge to compliance, whatever it is, that’s a standard practice. That is not considered CMMC. Now I say “not,” I mean before, but right now they’re undergoing a look at CMMC and rulemaking for the changes, and they’re probably going to include such things as these plans of action. But DoD at the time didn’t have that, and so they would not have been in compliance, which is one of the reasons they probably chose to not necessarily ignore CMMC but to use the risk management framework for probably a more holistic assessment of how they’re doing.
Jared Serbu: Right. And then moving on from CMMC, I think the other part of the answer here is, even if that CMMC standard were not applied to DoD, they’re also not up to snuff even under the more traditional RMF requirements that have been in place for quite some time now, including things as basic as getting all your systems ATO’d on the network.
Joseph Kirschbaum: Yeah, exactly. The first thing, we found a few things in their data, as DoD was uncovering, they did the report to Congress. And as we were doing our work, is they had some systems that were, just from the get-go, incorrectly categorized, whether or not they were supposed to be at the moderate level, which is for moderate impact for potential loss of information. That’s what they’re all supposed to be, is that moderate level, and they had some 13% of their systems incorrectly categorized lower than that. So they recognized that right off the bat when they started unpacking. When you look at the controls, they’re about 82%, we found like roughly 82, I hedge there because it’s changed since then, they’ve gotten better. About 82% in compliance with the security controls required for moderate impact, for just their own RMF standards. So there’s a good 18% or so room for improvement there. And then, as you mentioned, the fact that they’re supposed to really, over and above any of these controls, they’re supposed to proactively authorize systems to operate on the network, looking at the system itself, assessing its confidentiality and integrity, and then affirmatively authorizing that it can be on the network. There were some 7% of DoD systems overall that didn’t have those valid authorizations for whatever reason. And so the department, during this whole process, they uncovered this themselves, because they hadn’t been necessarily tracking that before. And now it became readily apparent to them.
Jared Serbu: And you mentioned in the report that the department had a March deadline to come into compliance on several of these things. And I don’t know if that was a statutory deadline or a DoD CIO deadline. But I think it’s probably a safe assumption that they did not meet that March deadline. Can we tell what the kind of trajectory is and how long it might take for real progress to be made here?
Joseph Kirschbaum: Absolutely. So this is actually, from our perspective, I think this is a pretty good news story. Because to be honest, when we were doing this work we found some of these gaps, these differences that the department themselves had found, and then we had kind of validated. And the concern was, it’s something we had seen in the past, that the department’s really good about strategizing, setting up goals, but really doesn’t follow through as well, sometimes, on implementation. So we had seen that pattern again. And that’s kind of how we were proceeding. But as we were really undergoing this work, the CIO’s office, they had really started to put together a lot of these systems to get themselves on a better trajectory. And so that was what you’re referring to, the March deadline to do some of these things, was established in October 2021, was a memo by the CIO that set up requirements for applying baseline controls for CUI. It really reiterated all the things they hadn’t been following as much, they hadn’t been tracking. So that, for example, requires those information systems to be categorized correctly. And then also to kind of catch up with where they were. It also requires things like supply chain controls, things that are really a concern in terms of information systems and acquisition strategies, and how to do things like looking at suppliers before you write contracts. So it requires things like that, it requires the need to reiterate validation, authorization, and really catch up on where they are, and they’re closing the gap on those things. And then the most important kind of, second-most important [was] that timeline for compliance. Yes, it requires March 2022 for full compliance. And yes, the department did not meet that. However, what it does do, it requires that for each of those instances where you don’t meet it, [you have] those plans of action and milestones, right, they’re so important.
It’s an actual acronym in DoD, and it’s even more important that you actually pronounce it as a word, POAM. And it requires those things, which have corrective action plans so that you can get to compliance. And then an oversight mechanism, which is one of the things that the CIO has also set up, to keep track of all these things. If you pair up a good oversight mechanism with those corrective action plans, you really can get on a better trajectory to make sure you’re closing whatever gaps you found. And then in the meantime, you’re using the risk management framework for what it was intended, right? You have systems that are operating on the network, but they’re doing so with a really clear understanding of what the risks are and how to correct them.
Jared Serbu: And I guess to continue on your good news theme, even though DoD didn’t completely take seriously the congressional direction to apply CMMC to itself, it sounds like this legislation at least gave the department a bit of a kick in the pants to go on a journey of self discovery here and start to pull apart some of the security deficiencies that have probably been around for a long time, right?
Joseph Kirschbaum: I really agree with that. I agree with that characterization that you just used, that self-discovery, that’s exactly what it looked like to us. There was a lot of concern from external parties and from us and others, we’ve been pushing DoD for years on the fact that they’ve got this gap between strategy and implementation. And we hit them pretty hard a few years ago on the fact that a lot of the cyber issues that we’re talking about, implementation, are cultural issues rather than technical issues. And they don’t follow through as well on those. And so this really, as they started to unpack some of the data themselves, realizing the gaps they had, they looked like they really kind of did some self-reflection and kind of narrowed down what they needed to do in the short term to really get some things going. So that was really refreshing.