I think it’s safe to say we are all listening at this point; however, we are no closer to a final outcome for cyber standards today than we were 2 years ago. And given the volatility of our information sharing processes, it’s difficult to see a workable solution to the problem. The CMMC process has been a little bit like doing the hokey pokey: they put a deadline in, they take a standard out, they change their mind again and then you shake it all about.
There is no denying that cyber regulation is necessary. But I think it’s time we find a standardization for protecting data shared in federal contracting across the board. We can’t keep changing leaders and reinventing the wheel every time.
New leader, new ideas
I’ve been following CMMC since the rollout almost 2 years ago, and we are still no closer to solidifying standards than we were before COVID gave a valid excuse for the stall, yet created more vulnerabilities across the board. And now with the new DOD CIO, John Sherman, we are circling back to square one again. While I don’t necessarily disagree with a “cybersecurity as a service approach,” as referenced in a recent article, there is still no talk of creating consistency across all agencies for this purpose.
So it seems the problem still lies in the fact that government agencies and military leaders are still not communicating in a process that is uniform and connected. Everyone needs to come to the same table and make some decisions…together.
Time to work together
The lack of cooperation among agencies for the same purpose of protecting our data makes the whole process even more convoluted. As the need for more innovation rises, there is a greater-than-ever need for new, small business participants, some of which are brand new to federal contracting. Now we are ushering a higher number of potentially vulnerable businesses into an extremely sensitive and volatile environment where breaches are imminent.
In a statement, Sen. Tommy Tuberville noted, “It is self-defeating to spend billions a year on cutting edge technologies and critical research and then let China and Russia sneak through the back door. We cannot expect our DOD contractors, especially our small businesses, to fend for themselves.”
Agreed. So let’s get to work establishing a plan of how we standardize something for the whole DIB as opposed to piecemealing solutions together breach after breach.
What’s next?
Where are we going from here? Nobody knows for sure. The only thing we all agree on is that the Chinese and Russians know we are ill-prepared, and we will likely see breaches in excess until something gets sorted out.
Small businesses will also likely take a hit because any precautionary safeguards they put in place will not be able to fend off the growing and ever-present danger from our foes. MFA and frequent password changes are no longer a fail-safe, first-line defense, and going more in depth without knowing how far is enough is costly and, without any clear objective, superfluous at best. Time just keeps ticking away, and we still have no answers from those who control this process. New suggestions are unhelpful at this point. We need action and clarity, and we need it now.