(*CISSP = Certified Information Systems Security Professional, for those who don’t live and breathe security)
The best-designed products with the most compelling features and value propositions don’t always capture the market. If the target audience does not understand the product’s intent, the relevance and importance of the problem it solves, or how to use it properly, it may never gain traction. In the consumer goods and services and IT worlds, user experience (UX) has become an essential component of product and service design, development, and delivery. Keeping end-users’ technical acumen, depth of subject matter expertise, requirements, ease of use, and other interests top-of-mind throughout the process addresses both the academic and the practical perspectives, which in turn gives a product or service the greatest chance of success.
How does UX relate to the Cybersecurity Maturity Model Certification (CMMC) created by the Department of Defense (DoD)? After all, hasn’t the DoD been diligent in soliciting input on CMMC from the Defense Industrial Base (DIB), conducting listening tours and releasing multiple drafts of the standard for review and comment over the latter half of 2019?
The DoD faces a formidable challenge in its quest to educate and gather feedback from the DIB with respect to CMMC. Approximately 350,000 companies that do business either directly or indirectly with the DoD are affected. The vast majority of those organizations lie deep in the supply chain to the DoD. They reside far away from Washington, DC, and do not necessarily consider themselves DoD suppliers because they maintain a horizontal, cross-industry customer base.
As a result, despite the DoD’s best efforts, the CMMC conversations taking place at these firms today, nearly 18 months into the CMMC initiative, differ vastly from those happening within DoD, prime contractor, and tier-one subcontractor circles, and among the academics and subject matter experts building the CMMC standard and overseeing its implementation. Having engaged closely with the DoD, the primes, and the Accreditation Body on CMMC for the past year, and serving a user community of over 135,000 aerospace and defense suppliers worldwide, Exostar has a foot firmly planted in both camps and has witnessed this disparity firsthand.
The dialog among those closest to the DoD tends to focus on more academic or intricate issues where cybersecurity, standards, and contracting expertise are required:
- Should there be reciprocity between CMMC and FedRAMP?
- How can our organization most efficiently and effectively address the remaining items on the Plan of Action and Milestones (POA&M) we created when we performed our NIST SP 800-171 self-assessment?
- Why were processes removed from CMMC v1.0 that appeared in CMMC v0.7? Are they no longer relevant for demonstrating cybersecurity maturity and sustained hygiene?
On the other hand, companies further down the DoD supply chain, mostly small-to-medium sized businesses, still ask more practical, fundamental questions that reflect their need for insight and assistance in order for them to successfully adopt CMMC:
- What is controlled unclassified information (CUI)?
- If our organization does not handle or store CUI, must we still obtain a CMMC certification, and at what level?
- Where and how do we begin?
With pathfinder-program requests for information and requests for proposal that incorporate CMMC set to be released as soon as next month, the DoD and its partners must immediately figure out how to build a bridge between these constituencies and merge the two conversations. By doing so, the DoD can incorporate the input and user experience of all impacted parties into CMMC ahead of the acceleration of the five-year rollout plan commencing in 2021. Otherwise, the DoD may find it has constructed a standard that works wonderfully in theory but not very well in practice, causing suppliers to lose hope of achieving CMMC certification in a timely and cost-effective manner and to exit the DIB, putting programs at risk as a consequence. No one wants, or can afford, that outcome.