Internet Security Alliance: CMMC fails to account for the economics of small-business cybersecurity

February 16, 2021

The Pentagon’s Cybersecurity Maturity Model Certification program will fall short in securing the Defense Industrial Base because it fails to address underlying economic realities that limit how much small and mid-sized businesses can invest in cyber, according to the industry-based Internet Security Alliance.

“However, it is sadly predictable that the CMMC, however much an improvement, is destined to disappoint for the exact same reasons the preceding strategies disappointed. Small- and medium-sized companies simply cannot afford a sufficiently robust cyber infrastructure or find the cyber talent to become secure even with the Damocles’ Sword of Compliance hanging over their heads,” ISA president and CEO Larry Clinton said in a blog post on Thursday.

The Internet Security Alliance, a nonprofit policy advocacy group representing chief information security officers from major companies in numerous sectors, earlier this month unveiled a “fairly intensive social media campaign” and urged stakeholders to participate in a deep discussion on cybersecurity challenges and needs.

“We need to get the whole community involved,” Clinton explained at the time. “We’re going to lay out bit-by-bit what we need, what’s in the country’s best interest. We’ll put these out in digestible pieces,” probably blogging several times a week in the coming months. “Then we’ll go sector-by-sector on a real strategy. I’d like for us to have as comprehensive strategy as our Chinese adversaries have.”

In the new blog, Clinton said, “The Cybersecurity Maturity Model Certification, instead of being an all or nothing binary compliance model, establishes a tiered compliance model. It adds to that a measure of process maturity that seeks to show how institutionalized a company’s cybersecurity program actually is.”

But Clinton wrote, “The empirical evidence is that there is probably no way SMBs will ever be incentivized to invest in cyber defense the same way the large defense contractors are, therefore, we must consider a radically different strategy. The key will be to implement a system that is dirt cheap and easy to employ and distributable across a much larger base of smaller companies and spreading the costs out over the entire industry, much like co-op farms.”

He stressed what has long been the organization’s fundamental point: “Once again, it is the economics of the system as much as the technical operations that are the key to creating a sustainably secure cyber system.”

| November 20, 2020