CMMC 2.0 - Pursuit of Perfection is NOT Risk Management

Are the Department of Defense (DoD) and the Cybersecurity Maturity Model Certification (CMMC) Program Management Office (PMO) making a mistake by steering the newly published CMMC proposed rule towards an expectation of perfection instead of residual risk management?

The Federal Register published the most recent version of the Cybersecurity Maturity Model Certification (CMMC) rule on December 26, 2023. In it, DoD continued its expectation that members of the Defense Industrial Base (DIB) would earn either perfect scores in future assessments or have time-limited, assessment-derived plans of action and milestones (POAMs) as outputs of an assessment—limited to no more than 180 days. This apparent aim for perfect scores is not aligned with DoD's own citations of NIST SP 800-37 r2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, nor with other publications such as NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, and DoD Instruction 8500.01, Cybersecurity.

Practitioners of Risk Management center their efforts around the notion that organizations can rarely, if ever, reduce their multitude of risks to zero. As a consequence, those organizations must learn to manage risk and ultimately manage residual risks after efforts to avoid, spread, reduce or transfer culminate. CMMC PMO has chosen to pursue a course of action that explicitly states residual risk for unauthorized disclosure of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) is only tolerable in limited circumstances for limited periods. This is a standard the DoD does not attain for much more valuable information—there are enduring POAMs throughout DoD’s Secret and Top Secret enclaves!

As written, the CMMC rule and its accompanying guidance documents make it clear that perfect implementation of 110 controls, assessed through 320 assessment objectives, is the expected outcome. The extended discussion of POAMs (section 170.21 of the rule) consistently emphasizes that organizations have 180 days from the assessment to resolve 100% of the entries in the POAM. Though well-intentioned as a means of reducing abuse of POAMs, this timeline is arbitrary and uninformed by any specific circumstances within either the DoD or the organizations seeking to prove their security. As importantly, the deadline for POAM close-out and the demand for total close-out add to the thesis that CMMC PMO has pursued perfection rather than informed risk management.

I concede the DoD Inspector General reports and other reporting have numerous examples of contractors and DoD entities themselves claiming to perform security while having POAMs filled with entries that date back months and even years. I concede that the lack of a standard for POAM entry longevity contributes to this situation and to the ease with which leaders may decide to place a deficiency on the POAM and give it no further thought: “Deficiency recorded, action complete!” I do not rise to defend such abusers of POAMs, claimants of secure computing or others who demonstrate a lack of trustworthiness. I instead advocate for a middle ground between perfection and rampant abuse. Indeed, the CMMC rule itself has the beginnings of that middle ground: regulated and monitored use of POAMs as a means of communicating residual risk to decision-makers.

CMMC can easily update the newest release of the Program to authorize enduring entries in POAMs that make the POAM dual-purposed as a risk register—a collection of identified deficiencies in an environment for which the cognizant authority (the Contractor’s leadership) has accepted the residual risk (e.g., moderate or low) of continued operations. CMMC can update the rule to make it clear that the CMMC PMO retains the authority to approve high residual risk decisions and reject moderate or low residual risk acceptance decisions through its own analysis (e.g., perception of gaming a vulnerability/finding, unacceptable mitigation(s), perception of excessive ‘risk acceptance’ in-lieu of investment in security) or with input by others (e.g., DIBCAC, C3PAO, CMMC AB). CMMC PMO would need to document the expectation that yearly reviews of such ‘risk accepted’ items occur—require organizational leaders to incorporate the reviews into their annual attestation. CMMC can easily update the newest release to also incorporate language that time-limits individual entries in a POAM (e.g., an entry can stay unresolved for no more than 180 days unless risk accepted) rather than demanding a POAM cleared of all entries within 6 months of an assessment. Systems evolve, new vulnerabilities occur weekly, and findings arise continuously for a properly run IT environment—an empty POAM is a happy circumstance with an exceptionally short half-life. Continuously maintained risk registers, POAMs, and other forms of monitoring security contribute more to protecting FCI and CUI than point-in-time assessments with zero entries on a POAM.

CMMC PMO has chosen to pursue a course of action that explicitly states residual risk of unauthorized disclosure of FCI and CUI is only tolerable in limited circumstances for limited periods throughout the DIB. This contradicts DoD’s tolerance of risk in other domains of information protection, thereby violating its own citations of Executive Orders 12866 and 13563, which call for harmonizing rules and promoting flexibility. Residual risk can rarely, if ever, be zero. Let us manage residual risks rather than pursue a policy so contrary to the remainder of the DoD’s risk management philosophy.

The postings on this site are my own and do not necessarily represent the postings, strategies or opinions of my employer.

Sven Aelterman

I don't agree with your assumption that a perfect score on a CMMC assessment leaves no residual risk. There are many discussions, including here on LinkedIn, about how implementing appropriate and adequate security controls as part of NIST 800-171 R2 would still leave open many attack vectors. So let me ask you this: can you name the top three controls (maybe you can think of more, but let's start there) that, in your view, wouldn't require a perfect score for an organization to still have a reasonable security posture considering they're dealing with DoD information? I will also add that the requirement to implement these controls is old. Many organizations in the DIB have already reported perfect scores (for years) in SPRS. Those organizations have already achieved "perfection," and should have nothing to worry about, right?
