Security practitioners across the US spent most of Thursday, May 13, reading over, hashing, rehashing, and then re-rehashing the “Executive Order on Improving the Nation’s Cybersecurity” (the Executive Order). Between the mandate for agencies to adopt zero trust, short timelines, and the “Software Bill of Materials,” the Executive Order seems to be far-reaching and possibly overly hopeful. However, for those working in the Cybersecurity Maturity Model Certification (CMMC) space, the Order validates much of what they have been saying all along: CMMC is poised to be the One Standard to Rule Them All.
Filtering Out the Noise
The Executive Order is a lengthy document, clocking in at around 8,000 words. Like a good book, it contains a little something for everyone. For those who spent the last twelve months of their professional lives steeped in CMMC, some language in the Executive Order jumps out right away.
Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement
The Executive Order starts by bringing in the FAR for any acquisition requirements. However, by Section 2, it specifically notes that DFARS contract requirements will be reviewed:
Section 2(b) specifically states:
the Director of National Intelligence, shall review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT service providers and recommend updates to such requirements and language to the FAR Council and other appropriate agencies.
Of note here, while other agencies will be involved, the only contract language discussed in the body of the Executive Order is that falling under FAR and DFARS supplements.
Next, Section 2(j) of the Executive Order adds that within 60 days, the collection of agencies involved:
shall review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements.
Finally, within that same 60-day time frame, the FAR Council will recommend contract language and publish it for public notice and comment. Then, Section 2(k) drops another crumb:
agencies shall update their agency-specific cybersecurity requirements to remove any requirements that are duplicative of such FAR updates.
However, the hints and implications continue further. Hidden within Section 3(e)(iv), the Executive Order requires that within 90 days, every Federal Civilian Executive Branch (FCEB) agency:
shall evaluate the types and sensitivity of their respective agency’s unclassified data…The evaluation shall prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for those data.
These hints and crumbs lead down a fairly logical path. The only agency-specific FAR language mentioned in the Executive Order seems to be DFARS, and all FCEB agencies need to identify sensitive “unclassified data.” Under DFARS, controlled unclassified information (CUI) is any data generated under a Department of Defense (DoD) contract for a product or service that organizations need to secure “consistent with applicable laws, regulations, and government-wide policies.” The logical language jump here is that sensitive “unclassified data” will ultimately be considered CUI.
DFARS directly links to CMMC and CUI. CMMC contract language already exists and has existed for over a year. The DoD has invested a lot of resources in developing CMMC.
In other words, if a cybersecurity requirement already exists, reinventing the wheel from scratch seems inefficient. Additionally, with all of these tight 60- and 90-day timelines, creating entirely new standards from scratch would never happen. CMMC took several years to build and get approved. If the Executive Order is going to stay on track, the federal government is going to need to use pre-existing standards and language.
What does this mean for most organizations?
CMMC has been discussed nearly everywhere in the federal space for the last 16-18 months, if not longer. Most contractors in the Defense Industrial Base (DIB) know the drill at this point.
Most other organizations, at least the larger ones, have been keeping CMMC in the backs of their minds. The DoD expanded CMMC’s use case beyond its supply chain to address contracts with other agencies, including the Department of Homeland Security. The vendors for those agencies started looking into CMMC.
CMMC offers a path to supply chain maturity. Over the last year, conversations have included:
- What qualifies as CUI?
- How much will compliance cost?
- How do prime contractors manage their vendors?
- Where is the line between CMMC Level 3 and CMMC Level 4?
Rehashing the answers to these questions provides little value. Security professionals and pundits have been discussing them since the release of CMMC. The answers remain vague.
At a fundamental level, nearly every company in the agency supply chain will have to be CMMC Level 1 certified, proving that they perform best practices. Moderately involved federal supply chain vendors will need to be CMMC Level 3 certified, proving that they have the documentation needed.
For the most part, organizations should already have some protections in place. Most of them are general best practices. However, every audit costs money. Every CMMC certification will cost organizations. Federal supply chains run deep.
Why companies need to understand the Christian Doctrine
During the CMMC Accreditation Board (CMMC AB) Registered Practitioner training, one of the sections struck a chord. The Christian Doctrine was mentioned several times during one lesson. As far as hints go, it felt less like a hint and more like an anvil dropping on someone’s head. However, little discussion of it exists in the broader CMMC conversation.
What is the Christian Doctrine?
Fundamentally, the Christian Doctrine is unique within contract law. Contract law consists of a promise by one party to provide a service or product in return for compensation by the other party. The contract specifies what both parties should do. They come to “a meeting of the minds.”
The traditional contract law hypothetical is the cow example. Two farmers make a deal that Farmer A will provide a spotted milking cow to Farmer B. Farmer B has inspected a spotted milking cow, Bessie. Farmer B assumes that because Farmer A offered Bessie up for inspection, she is the spotted milking cow he will be paying for. However, Farmer A substitutes a different spotted milking cow, Jessie. Jessie does not produce as much milk. Farmer B realizes this after having provided the payment. Under contract law, since Farmer B could reasonably have assumed from Farmer A’s actions that Bessie was the cow he was purchasing, this substitution of a less productive cow means that “no meeting of the minds” existed. The contract gets nullified, and Farmer B gets his money back.
Now, contracts exist specifically to create written consensus and document “meeting of the minds.” So, traditionally, under contract law, the written terms and conditions define both parties’ roles and responsibilities.
The Christian Doctrine throws a wrench in this for organizations in the federal procurement space. Under the Christian Doctrine, even if a federal agency and contractor agree to the terms written into the contract, the terms may not be the only guiding factor. If the agency or contractor knows that a clause should be written into the contract, even if they both agree to remove it, the court may still read that clause into the contract.
In other words, even if the DoD and a vendor both agree to remove a cybersecurity requirement from their contract, the courts can say that because other rules exist, the contractor and DoD knew or should have known that they would need to apply the requirement.
In short, this already poses a lot of problems for vendors in the DIB. One question yet to be resolved for the DIB and CMMC is: “if the contract doesn’t specify the inclusion of CUI, but something that could conceivably be defined as CUI is involved, will CMMC Level 3 compliance still be required?”
Back to the Executive Order
Despite what looks like a little detour, all of this directly relates to the Executive Order. The current definitions of CUI are numerous and varied. For example, the CUI Registry includes everything from technical and legal information to archaeological resources and pesticide producer survey data.
The likelihood that CMMC, or some version of it, will become the national cybersecurity standard and contractual language means that CUI across non-military industries is going to need to be clearly defined.
Additionally, all vendors – from the largest technology and security companies to the smallest widget makers – are going to need to understand where the data they create, store, transmit, and process fits into the definition of CUI.
The Executive Order’s requirement that agencies clearly define and designate sensitive unclassified data within the next 90 days is a first step. However, organizations will need to start looking at the data they manage and where they sit in the supply chain.
In the end, if the courts determine that the Christian Doctrine applies to cybersecurity clauses in contracts, the burden will be on the contractors, not the agencies.
CMMC: The Cybersecurity Mandate to Rule Them All
The Executive Order’s tight timelines, DFARS discussion, and unclassified data identification requirement all point to CMMC becoming the new cybersecurity mandate across federal agencies and their supply chains. Even if they choose to rewrite CMMC for a more general approach, they will likely include many of the same practices and processes.
For the next three to five years, organizations will need to figure out their cybersecurity programs and determine whether their current contracts offer enough benefit to undertake the costs of cybersecurity compliance.
While federal cybersecurity maturity and modernization are important to the nation’s security, the agencies in charge of implementing the Executive Order will need to work to create more purposeful definitions so that everyone knows their role.
Protecting federal systems from espionage and cyberattacks is a necessary evil. The question that remains to be seen, at least for the next 90 days, is how the implementation will take place and the impact that it has on smaller vendors throughout the supply chain.