In April of this year, the CMMC advisory board issued an interesting RFP that caught a few off guard and raised a lot of questions among the defense industrial base (DIB). That RFP involved the creation of a continuous monitoring portal – an online portal where government agencies looking to see how secure their vendors and contractors are could log in and see continuously collected cybersecurity performance data.
This RFP seemed rushed to some and raised concern among others. Some cybersecurity experts and government contracting companies questioned whether issuing this RFP was premature, since other tasks – such as the certification of assessors – were still not complete, while others felt that the idea had merit and should proceed.
To learn more about this RFP, why the Department of Defense (DoD) and the CMMC Accreditation Body would require continuous monitoring, and what this could mean for the military and its contractors, we recently sat down with Jake Olcott of BitSight and Don Maclean of DLT Solutions.
Here is what they had to say:
GovCyberHub (GCH): For the sake of our readers who may not know, can you tell us what the CMMC Accreditation Body is and what role it’s playing in the CMMC certification process?
Jake Olcott: The CMMC Accreditation Body is comprised of a group of volunteer subject matter experts who are members of the CMMC Advisory Board and who have been tasked with implementing the CMMC across the more than 300,000 defense contractors that make up the DIB.
GCH: The CMMC Accreditation Body recently released an RFP for the construction of a dashboard that will continuously monitor the cybersecurity of contractors. What do you think they’re looking to accomplish with this dashboard? Why is it important?
Jake Olcott: This is an important recognition that continuously collecting information about an organization’s cyber performance is an important complement to the on-site assessment work that will be done by the certified assessors.
One of the historical challenges we’ve had in cybersecurity has been irregular, infrequent qualitative data collection. By including a requirement for continuous monitoring to be part of this approach, the CMMC Accreditation Body is saying that data collected through on-site assessments – in addition to continuous monitoring – is necessary to get a detailed, full look at an organization’s cyber posture.
GCH: Is a dashboard like this possible? Is it legal?
Jake Olcott: Yes to both. Over the last few years, there have been a number of commercial sectors and industries that have recognized the importance of gathering cybersecurity performance information about third parties. It’s a relatively widespread practice in industries like financial services and the energy sector.
Getting more and better data to assess risk is important in the commercial sector, which is why organizations like BitSight have emerged to help address and fill those gaps. The way that BitSight collects its security performance data is from entirely outside of the organization. We’re continuously gathering more than 200 billion events involving the security performance of organizations all over the globe.
That data has significant use in the commercial sector – in investments, insurance underwriting, and other processes and operations.
Applying this commercial best practice within the DoD would give our military a better, more detailed look into the security performance of its security contractors.
Don Maclean: The risk management piece of this is something that I’ve heard mentioned repeatedly. I previously ran cybersecurity programs for a number of government agencies and have maintained contact with many people that I worked with. Many of them went on to become agency CISOs.
One of their biggest concerns is hygiene and patching. The other is risk management – the risk that they incur when they do business with any other organization. That’s very top of mind for those CISOs right now – especially in the DoD.
GCH: What impact do you think a dashboard like this could have on contractors? Cybersecurity companies?
Jake Olcott: The dashboard is designed to blend data collected during an onsite assessment by an assessor, along with data that is continuously collected through an organization like BitSight. The purpose is to put those views together to enable and empower a decision-maker to make a more informed choice.
What you’re seeing more broadly is that dashboards are becoming effective ways to merge multiple data points together to aid in decision-making processes. This vision that the CMMC Accreditation Body has in blending these together is to highlight areas of concern, areas of focus, areas worth following up on for an organization – but also to aid a decision-maker that is considering whether or not to do business with a contractor. They want to put this information at their fingertips.
Don Maclean: One issue that might arise – suppose agencies using this tool or dashboard were to find that companies weren’t consistently up to snuff despite being accredited – that could also hold the assessors to account. It could have a secondary use in that it could help assess the assessors.
Jake Olcott: That’s a great idea. It’s the certification body’s responsibility to ensure that the assessors have been trained appropriately, and that dashboard could be a valuable tool for ensuring that the process is going correctly.
GCH: What is your personal take on this RFP? Is it a good idea? Is it something the CMMC-AB should be focusing on now?
Jake Olcott: I think that it’s important for the CMMC Accreditation Body to combine or leverage continuous monitoring data alongside the assessments that are being performed by the assessors. That makes a lot of sense. It’s within their purview. But the DoD is very focused on this issue, as well, and would almost certainly want to continuously monitor the DIB for their own visibility – it’s critical for them to understand the security posture of the companies that they’re doing business with.
Don Maclean: My take is that, historically, assessments of organizations are “point-in-time” snapshots. Then, assessments don’t happen for another three years or so. This CMMC effort will be taken less seriously if it’s just a point in time. Companies will take it more seriously if they have to maintain their security posture.
They’ll also want to keep their cybersecurity posture strong. It’s a positive incentive to keep a leg up on their competition. This will make cybersecurity a competitive advantage over other contractors.
GCH: Is there any way that this CMMC dashboard could create some kind of hit list for malicious actors? A list of poorly defended networks that they could attack?
Jake Olcott: I don’t see it that way. It would be one thing if these were being published and disclosed, but they’ll only be accessible to the government. Also, the reality is, the adversary is very familiar with organizations that are doing business with the DoD at this point. They know who the critical suppliers are. Their names aren’t secret, and neither are their vulnerabilities.
Don Maclean: I agree with Jake. There are far easier and more effective ways to attack a company rather than try to find them in a dashboard and then attack them. Today’s adversaries don’t need a dashboard to tell you who to attack.