CMMC's 'father' warns companies not to wait for final rule

“The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business,” says Robert Metzger, the "father" of CMMC.


The final rule for this new cybersecurity standard for the defense industrial base is months away, but the author of its founding principles sternly says get to work now.

Robert Metzger is considered by many to be the father of the Cybersecurity Maturity Model Certification, a standard being implemented by the Defense Department to ensure its industrial base has secured information systems and supply chains.

Metzger has that distinction mainly because he co-authored "Deliver Uncompromised," a report from the nonprofit research firm Mitre that describes many of the principles behind CMMC.

He is now co-chair of the cybersecurity practice at the law firm Rogers Joseph O’Donnell and continues to be a consultant to Mitre.

As the opening keynote at Washington Technology’s CMMC Summit on Nov. 9, Metzger set the tone for the event with a sense of urgency around CMMC and the cyber threats organizations face. The final rule for CMMC is expected in March, but no one should wait to act.

Below is an edited transcript of the conversation between Metzger and GovExec360 President Troy Schneider. Washington Technology is owned by GovExec Media.

SCHNEIDER: One of the key points of "Deliver Uncompromised" is that self-attestation is not sufficient for contractor cybersecurity and CMMC took a lot of its inspiration from that. Is there anything you wish you could have framed differently?

METZGER: The "Deliver Uncompromised" report started from the threat perspective and it wasn’t pretty. We were looking at asymmetric campaigns or blended operations by national adversaries who combined cyber IT attacks with cyber (operational technology) attacks as well as a variety of supply chain attacks.

We thought we needed something to establish what we called a security integrity score.

And we didn’t even think about ransomware, which has become a pervasive threat and arguably presents a greater urgency for companies.

SCHNEIDER: Are there building blocks that companies can put in place now regardless of what the final CMMC rule is?

METZGER: We start with NIST SP 800-171, but we need to take a risk-informed approach to the 171 controls. (There are 110 security requirements described in SP 800-171.) It is possible for organizations to assess their risk and determine the customers that are the most important, and where the continuity of service or protection of their information is the most impactful. (NIST Special Publication 800-171 is a set of requirements from the National Institute of Standards and Technology for protecting controlled unclassified information inside federal contractors' IT systems and networks.)

What are the controls that will have the biggest bang for the buck now and will improve their security?

It’s not about getting everything done instantly, although you’ll need to eventually. It’s about getting the right things done promptly.

But we also have to look beyond 171 because it is just a baseline. It came out in 2015. We see forms of attack now that were barely imagined then.

SCHNEIDER: You touched on ransomware and that NIST SP 800-171 doesn’t fully anticipate that threat. Are you saying that CMMC standards need to expand?

METZGER: 171 is not the only frame of reference, but it is the one we have to apply. I’ve been interested in the conduct of insurance companies as they make it much more difficult to qualify for and afford cyber insurance.

There are murmurs among the big insurers that there are 10-to-12 key items that they expect to be done.

In the commercial world, we are seeing people gravitate towards a certain set of requirements and expect those to be done for you to be a trustworthy partner, to get a loan, for you to be in a (merger-and-acquisition) transaction, or to get cyber insurance.

SCHNEIDER: There are complaints that CMMC can be too hard, too expensive and too complex for small businesses that are part of the defense industrial base. How do you strike a balance between not creating a barrier to entry and providing the security that’s needed?

METZGER: That’s a very difficult question. We know that adversaries will seek the so-called low hanging fruit and mount attacks against companies that are less well defended.

The problem is that, for smaller businesses, 171 can be daunting, intimidating, frustrating, confusing and expensive.

But we cannot decide that security is unimportant for small businesses. We cannot give them a waiver. But we must facilitate a means by which small businesses can accomplish security economically. That takes us away from on-premises measures and towards external service providers.

But we haven’t yet established a means by which a smaller company can look at a managed service provider, a managed security as a service provider, or some other external resource and say -- "If I do my part and they do their part, then I’m going to accomplish some percentage of the CMMC requirements."

We need that.

SCHNEIDER: The final rule is expected in March. What date would you pick for when we’ll see a requirement in contracts?

METZGER: It doesn’t really matter. The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business.

Don’t let yourself think that it matters what day you happen to get a (request for information) or (request for proposals) that requires an assessment. Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors.

And then also your regulator.
