CMMC's 'father' warns companies not to wait for final rule

Robert Metzger is considered by many to be the father of the Cybersecurity Maturity Model Certification, a standard being implemented by the Defense Department to ensure its industrial base has secured information systems and supply chains.

Metzger has that distinction mainly because he co-authored "Deliver Uncompromised," a report from the nonprofit research firm Mitre that describes many of the principles behind CMMC.

He is now co-chair of the cybersecurity practice at the law firm Rogers Joseph O’Donnell and continues to be a consultant to Mitre.

As the opening keynote at Washington Technology’s CMMC Summit on Nov. 9, Metzger set the tone for the event with a sense of urgency around CMMC and the cyber threats organizations face. The final rule for CMMC is expected in March, but no one should wait to act.

Below is an edited transcript of the conversation between Metzger and GovExec360 President Troy Schneider. Washington Technology is owned by GovExec Media.

SCHNEIDER: One of the key points of "Deliver Uncompromised" is that self-attestation is not sufficient for contractor cybersecurity and CMMC took a lot of its inspiration from that. Is there anything you wish you could have framed differently?

METZGER: The "Deliver Uncompromised" report started from the threat perspective and it wasn’t pretty. We were looking at asymmetric campaigns or blended operations by national adversaries who combined cyber IT attacks with cyber (operational technology) attacks as well as a variety of supply chain attacks.

We thought we needed something to establish what we called a security integrity score.

And we didn’t even think about ransomware, which has become a pervasive threat and arguably presents a greater urgency for companies.

SCHNEIDER: Are there building blocks that companies can put in place now regardless of what the final CMMC rule is?

METZGER: We start with NIST Standard 801-171, but we need to take a risk-informed approach to the 171 controls. (There are 110 security controls described in 801-171.) It is possible for organizations to assess their risk and determine the customers that are the most important, and where the continuity of service or protection of their information is the most impactful. (Standard 801-171 is a framework of controls from the National Institute of Standards and Technology to protect sensitive information inside federal contractors' IT systems and networks.)

What are the controls that will have the biggest bang for the buck now and will improve their security?

It’s not about getting everything done instantly, although you’ll need to eventually. It’s about getting the right things done promptly.

But we also have to look beyond 171 because it is just a baseline. It came out in 2015. We see forms of attack now that were barely imagined then.

SCHNEIDER: You touched on ransomware and that NIST Standard 801-171 doesn’t fully anticipate that threat. Are you saying that CMMC standards need to expand?

METZGER: 171 is not the only a frame of reference but it is the one we have to apply. I’ve been interested in the conduct of insurance companies as they make it much more difficult to qualify for and afford cyber insurance.

There are murmurs among the big insurers that that there are 10-to-12 key items that they expect to be done.

In the commercial world, we are seeing people gravitate towards a certain set of requirements and expect those to be done for you to be a trustworthy partner to get loan or for you to be in a (merger-and-acquisition) transaction or to get cyber insurance.

SCHNEIDER: There are complaints that CMMC can be too hard, too expensive and too complex for small businesses that are part of the defense industrial base. How do you strike a balance between not creating a barrier to entry and providing the security that’s needed?

METZGER: That’s a very difficult question. We know that adversaries will seek the so-called low hanging fruit and mount attacks against companies that are less well defended.

The problem is that for smaller businesses: 171 can be daunting, intimidating, frustrating, confusing and expensive.

But we cannot decide that security is unimportant for small businesses. We cannot give them a waiver. But we must facilitate a means by which small businesses can accomplish security economically. That takes us away from on premise measures and towards external service providers.

But we haven’t yet established a means by which a smaller company can look at a managed service provider, a managed security as a service provider, or some other external resource and say -- "If I do my part and they do their part, then I’m going accomplish some percentage of the CMMC requirements."

We need that.

SCHNIEDER: The final rule is expected in March. What date would you pick for when we’ll see a requirement in contracts?

METZGER: It doesn’t really matter. The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business.

Don’t let yourself think that it matters what day you happen to get a (request for information) or (request for proposals) that requires an assessment. Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors.

And then also your regulator.