Only 100 approved assessors are available to certify that 300,000 US DoD providers are in compliance with the Cybersecurity Maturity Model Certification by the 2023 deadline.

If you do business with the Department of Defense (DoD), then the Cybersecurity Maturity Model Certification (CMMC) is known to you. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company to become a certified assessor in May 2021. Since then, three additional companies have been approved. That’s it. Four companies have been approved to be a Certified Third-Party Assessment Organization (C3PAO) and to assess DoD contractor cybersecurity compliance with the CMMC.

Approximately 300,000 suppliers to the DoD will be impacted by the implementation of the CMMC.

Only 100 CMMC assessors available, 5,000 needed

In an interview with Federal News Network, Chris Goldman, a founding member of the CMMC accreditation body and director of infosec at Horizon Blue Cross Blue Shield of New Jersey, explained that CMMC has some shortcomings. He detailed how the DoD is planning to invoke the process with 500 pilot contracts requiring the assessments. This equates to five assessments per provisional assessor, given there are currently 100 provisional assessors. Goldman noted, “we’re certainly going to need to scale to over 5,000 assessors in the ecosystem to do more than 100,000 assessments per year.”

One potential downside to the DoD’s CMMC effort affects the SMBs. The cost of adhering to the CMMC process may cause many entities to self-select out as, according to Goldman, “It’s too expensive, I can’t participate in the ecosystem anymore.” Thus, companies providing goods and services the DoD needs are no longer available, as these companies look for more profitable customers.

What this means, according to Don Kulp, director of business development at Saalex, is that the government is using the CMMC process to push good cyber hygiene into the ecosystems of the private sector, including educational institutions. The DoD will have the “maturity level of bidders contained in the actual bid and include the entire supply chain associated with the contract.” He continued that the implementation will include waivers, with the ultimate goal of ensuring “the level of maturity that all bidders must be certified to as well the entire supply chain associated with those contracts.” That isn’t to say it will be smooth sailing; he notes that those contracting communities may make execution of contracts difficult for those doing business with the government.

Navy submarines not audited due to lack of auditors

One need only look to the US Navy to see the potential effect of not having timely audits of cybersecurity postures. The Navy Times obtained an internal audit of the submarines in the US Naval Submarine Force Pacific that revealed the 41 submarines and their support ships didn’t have their required “internal and external cybersecurity inspections” conducted from 2016 to 2018. The checks and balances built into a system to ensure known vulnerabilities are mitigated weren’t taking place. The Navy Times went on to report that the Navy lacked the personnel and bandwidth to conduct the inspections. The publication obtained via an FOIA request a more precise answer: “Personnel informed us that they do not have enough staff to meet the triennial inspection requirement for all information systems, so they excluded Navy submarine networks.”

The rationale: “The boats disconnect from the network” while at sea. And the risk to the DoD’s information network? The auditors opined, “Excluding submarine networks from inspection workload may expose the Department of Defense Information Network to an unacceptable level of risk.”

The submarine example demonstrates what occurs when triage is forced by a lack of resources. The US Navy cyber auditors had only so many cycles in their days and thus had to choose between two bad options: audit all entities quickly (perhaps superficially), or not inspect one entity and ensure the security of the other entities is the best it can be.

With thousands of companies needing certification and approximately 100 provisional assessors approved to conduct C3PAO assessments, one can do the math. A shortage of auditing companies is a reality, which makes the 2023 deadline look a bit like the Sword of Damocles hanging over DoD contracting processes. There is going to be constipation. The CMMC accreditation body DIBCAC will need to double down and invest heavily in efficient training of assessors, in a world where cybersecurity-savvy personnel at all levels are a much sought-after commodity.