In a recent letter addressed to President Biden, James Goepel, Mark Berman, and Ben Tchoubineh share their expert opinions on the recent changes made to CMMC. They highlight all the ways in which this new roll out of CMMC 2.0 undermines not only its predecessor, CMMC 1.x, but also directly contradicts promises made by President Biden in the goals he set out in Executive Order 14028. The changes made by the DoD are, according to the very founders of the assessment program, detrimental to our nation and will ultimately hurt its security in the long run. The headlines for their reasons are as follows:
Self-Assessments Do Not Work
If we are trying to make CMMC more affordable we are
Taking the Wrong Approach
Sending the Wrong Message
CMMC 2.0 Cannot Operate at Scale
CMMC 2.0 Relegates CMMC to a DoD-only Standard
Time is Not on our Side
So what does all of this mean for those of us in the security industry? The overall gist is that the government is trying to make it easier for the independent third parties it hires by cutting red tape, but in doing so has removed all guidelines that keep contractors up to code. It puts the power of oversight back into the hands of those doing the work, allowing them to cut corners if they wish to, as mentioned in section 2 of the open letter to the president. There is a lack of checks and balances within the new order of things, which is only a good thing if we feel 100% confident that contractors will check themselves. History tells us that as humans we tend to need the former.
In addition, many of those who have received intense training and gone through the classes needed to become an official assessor will no longer be needed. This then puts more pressure on small business owners needing to ensure their cybersecurity is meeting requirements by forcing them to rely on self assessed contractors who have virtually no oversight. Where once there was faith in the overall supply chain and its legitimacy, there becomes an underlying fear that work is not being done properly. In addition, the overall lack of defined requirements or direction can be frustrating for contractors who may not know what they need to self-assess for, as CMMC 2.0 seems to continuously contradict itself. In a “leak” on November 4th, the DoD briefly released two documents outlining a few of the major changes to come with the overhaul of CMMC 1.x. Ironically enough, this accidental posting of these documents violates AC.1.004, having to do with controlling information posted or processed on publicly accessible information systems. It begs the question whether those implementing these changes entirely understand what they are doing.
At the end of October and beginning of November, I personally taught a couple of CMMC courses via zoom. I had a wonderful time with my students, and overall I think we all learned from one another throughout the length of the course. While the material may tend to be a little dry at times, I tried to make it as understandable and as interesting as possible. Having concerned and interactive students really made my job so much easier. A few of my students left reviews on the entirety of the course. A few of my favorites are as follows:
I found the material provided by Mr. Silvers to be very good. When he wasn't sure about questions asked by the class or questions that came up regarding the material, he would come back later in the day or the next day with updated information.
Chris was an excellent instructor. He did very well with managing time in the virtual platform. He is very knowledgeable in the subject presented. The most impressive observation is his ability to manage the spectrum of competency in attendees.
He obviously has sound knowledge of the course content, his approach of making the course very interactive was excellent for me as it allowed me to learn from the material as well as learn from other participants. He kept us all engaged in the domain topic areas.
Chris was great. He kept the class informative and interactive even though the material (CMMC) changed on Thursday and threw a wrench into everything. He handled it all like a true pro and I would gladly take another class being taught by him.
This is one of my favorite courses to teach, and knowing that I might not get as many opportunities to do so because of the changes being made to CMMC saddens me. I had really hoped to rely on the demand represented by the original CMMC ecosystem both as an assessor and an instructor. Most estimates I’ve seen predict that the market for assessments, and hence assessors, will shrink by more than 90%. Further, with the elimination of independent assessments for level 1, this eliminates the need for the separate level one assessor training. This further reduces the number of training courses, and therefore, the need for instructors.
What do you think about the recent changes being implemented to the CMMC? Let us know on twitter or linkedin, or just shoot us an email here. As always, feel free to contact us with any questions. I look forward to hearing some other perspectives from the security community.