Not again! CMMC's comprehensive review is déjà vu all over again

Gettyimages.com/Just_Super

Find opportunities — and win them.

Eight years, multiple pauses, and still no cyber protection to show for it — maybe it's time to move past CMMC, not review it again, writes former PSC President David Berteau.

On Monday the Pentagon announced that it was suspending Phase II requirements for the Cybersecurity Maturity Model Certification (CMMC) program.  Phase I, self-assessments, will continue.  Phase II is paused for “a comprehensive review of CMMC.” 

My reaction to this was “Oh, no, not again!”

CMMC has been in the works for eight years now, and it seems to me that all we really have to show for it is companies self-assessing their cybersecurity against a NIST standard and reporting the results of that assessment to the government.

That doesn’t sound too bad until you realize that’s been the requirement for more than a decade now, before CMMC became an acronym.

CMMC was intended from the beginning to be a path first to ensuring basic cyber hygiene across defense contractors. That was supposed to be the easier part. Then we would get to the harder part of better cyber protection.

But we never even got the easy part done.

CMMC’s Problems

What has that self-assessment decade seen?  Here is my perspective.

1. The cyber threat continues to increase. 

Every single day. 

For 10-plus years.

2. Our start-and-stop response has had trouble keeping pace with that threat. Both the federal government and its contractors remain vulnerable, as does nearly everyone else in America and around the world.

3. CMMC was delayed in 2019 (when the Pentagon changed its initial approach, leading to the creation of the CMMC Accreditation Body), delayed again in 2020 (halting use of the new CMMC regulation), delayed again in 2021 (halting the entire process to conduct a comprehensive review of CMMC), and delayed yet again in 2023-24 (when the Pentagon staggered the release for comment of two separate rules, issuing the first rule on the SAME DAY as comments were due on the second rule), and now in 2026 for (you guessed it) ANOTHER comprehensive review.

4. CMMC is supposed to address Controlled Unclassified Information, or CUI.  The federal government has yet to articulate what constitutes CUI, and a recent proposed rule from GSA perpetuates that shortcoming.

Two More Big Issues

in addition, throughout CMMC’s eight years there have been two overriding issues that have not been addressed.

The first issue is that CMMC focuses heavily on technical data at the program level. There is at least as much risk associated with operational data. 

Deployed forces are supported by commercial contractors for everything from food and fuel to transportation and storage.  Once an invoice is filled with data on what will be delivered, where, when, and in what quantity, that invoice borders on CUI. 

Yet many commercial vendors around the world are unlikely ever to be CMMC certified.  No one has addressed this issue.  It is barely even acknowledged.

The second issue is that the threat is not just for defense contractors.  Cyber threats are government wide.  Many of the most significant failures have been in non-defense agencies.  Yet, CMMC was only for defense. 

We need a government-wide system.

What Next?

What does all this mean?

Since my days in “computer security” in the mid-1990s, cyber defense has been playing catch-up to cyber offense.  It’s time for a new playbook.

I am no expert, but it seems to me that the never-ending start-and-stop of CMMC is not enough.

If all we’ve had for a decade are self-assessments against a NIST standard, maybe that’s all we are going to get from CMMC.  Standards change more slowly than the threat, so perhaps what we need are faster ways to update the standards against which self-assessment is conducted.

Or maybe it’s time to declare CMMC done, retain self-assessment, and move on to updated approaches to cyber security, including

  • Better threat detection and response
  • Increased incident visibility
  • More robust public reporting
  • Improved technical means of protection

I hope that the Pentagon’s “comprehensive review” casts a broader net, gets us out of this decade-long cycle, and focuses on system-wide actions that actually respond to the threats of today and tomorrow.