Inside Cybersecurity

April 17, 2021


Contracting lawyer says ‘rigidity’ of CMMC program requirements could make compliance difficult for companies

By Sara Friedman / June 17, 2020

Trying to meet all of the specific policies and practices outlined for each level of the Pentagon’s Cybersecurity Maturity Model Certification program could make it hard for companies to ensure that they will meet the verification requirements, according to a leading defense contracting attorney.

Attorney Robert Metzger, a co-author of the influential 2018 MITRE “Deliver Uncompromised” report addressing vulnerabilities in the Defense Department’s supply chain, spoke about the future of the CMMC program and COVID-19 supply chain impacts in a recent podcast from analytics company Interos.

“CMMC has some aspects of rigidity that make sense in an idealized world but maybe won’t prove workable in the practical world,” Metzger said. “CMMC expects a company for level three to meet all 120 of the specified policies and practices, and CMMC takes a view that you should not be allowed to have a plan of action and milestones where you know of gaps and have a plan to cover them” to obtain a certification.

He said there “is an absence of flexibility, a demand for perfection that I think is going to have to bend when you get into the real world where the customer or requiring activity will be satisfied with something less than 120 and will be interested in or willing to accept a POA&M when the choice is not having a vendor at all when it’s needed.”

Metzger said the CMMC program is currently focused on “how to better defend the information technology systems of contractors,” and he hopes that CMMC will have “a big bow wave effect” where companies “are already beginning to think about what they need to do now and over time so when it’s their turn to be assessed they will get the necessary certificate.”

“Companies ought to be able to create the policies and process for effective cyber and supply chain management without a huge amount of investment,” Metzger said. That, in turn, will help them “be aware of what their systems can do, they need to appreciate where they have sensitive information, they need to understand the nature of their role in supporting their contractors.”

Metzger said the CMMC program “created some of its own problems” when it comes to getting small and mid-size businesses prepared. “A lot of companies look at CMMC with the presumption that it will apply to them…that they will be required to get that level 3 certificate. Maybe CMMC should be more specific in terms of where it is going, what programs, what contractors, what activities, what criteria will cause companies to be in the early group of those subject to CMMC.”

Regarding the future of CMMC, Metzger said “eventually CMMC will expand its reach to cover more of the supply chain but it isn’t starting there. Supply chain goes beyond cyber IT to include OT, and the human factor where people can be turned to become a supply chain threat either by design or inattention. It certainly doesn’t deal with hardware security or software security or a service provider security or logistics security. Those things all factor into supply chain risk mitigation and they’re really outside what CMMC is trying to do.” -- Sara Friedman (sfriedman@iwpnews.com)