The US Court of Federal Claims ruled that Capability Maturity Model Integration (CMMI) ratings can be accepted as qualification for a company’s “cyber risk management” even though that model does not directly address cybersecurity. The ruling puts at risk the nascent CMMC cybersecurity scheme, which is intended to address cybersecurity.
The case Systems Implementers v. USA was filed when the plaintiff, Systems Implementers of Utah, contested a US Air Force contract award to a competing firm, OM Group. Systems Implementers alleged that OM Group did not meet the bid requirements for cyber risk management and that the USAF award was improper, saying that OM Group’s CMMI rating was moot since CMMI does not address cybersecurity.
The court ruled against Systems Implementers, however, finding that CMMI does satisfy the government’s requirement for “cyber risk management” controls, even though that model does not address “cybersecurity” specifically.
In a somewhat tortured explanation, the court leaned on common dictionary definitions for the terms to distinguish between “cyber” and “cybersecurity.” The court ruling quoted definitions from the Oxford English Dictionary Online, rather than industry standards or modern industry interpretations. By doing so, the Court maintained that “cyber risk management” and “cybersecurity” are separate concepts, and pointed out that USAF only required “cyber risk management,” not “cybersecurity.” As a result, the Court then ruled that OM Group’s CMMI rating met the USAF’s requirements for “cyber risk management” even though CMMI may not address “cybersecurity” as a whole.
Importantly, Systems Implementers confuses cyber risk management with cybersecurity…. The dictionary definitions demonstrate the terms are distinct. “Cyber” is more expansive, encompassing computers and technology generally, whereas “cybersecurity” is specific and directly addresses the protection of computers. This distinction is key to the reasonableness of the Air Force’s strength award.
In the same breath, however, the Court conflated the two terms itself, writing, “As the Air Force explained, CMMI is a maturity model that can gauge cyber security risk and determine an organization’s preparedness to address threats.” (Emphasis added.) In that statement, the court merely split the word “cybersecurity” into “cyber security” in order to justify its ruling against Systems Implementers.
The Court then painted Systems Implementers as hypocritical, pointing out that Systems Implementers had cited its own CMMI rating when bidding to the government. The Court wrote, “Systems Implementers cannot rely on one understanding of a term or phrase during the procurement and in the same breath argue that the same interpretation is unreasonable during its protest before this Court.”
The Court ruled that the USAF compellingly argued “CMMI is a maturity model that can gauge cyber security risk and determine an organization’s preparedness to address threats [and] therefore, the Air Force concluded, OM Group’s CMMI certification complies with and exceeds the minimum requirements to decrease cyber risk.”
As a result, the Court denied Systems Implementers’ claim, and ruled, “the Court finds that the Air Force reasonably awarded OM Group’s strength for cyber risk management.”
Fallout Risks to CMMC
The ruling creates fallout for the Dept. of Defense’s nascent Cybersecurity Maturity Model Certification (CMMC) scheme, launched in 2020 as an attempt to provide a certification scheme that validates a defense contractor’s cybersecurity maturity. The DoD has insisted that CMMC certifications will become mandatory for government contractors bidding on contracts starting in May 2023, but it has consistently missed deadlines and still has no fully accredited auditing bodies to perform the certification assessments.
Critics have argued that CMMC was an unnecessary effort, a “make-work project” for a handful of DoD officials and their private industry consulting colleagues, and that existing frameworks and certifications, such as ISO 27001 or CMMI, already cover this concern. The ruling in Systems Implementers v. USA gives this argument additional weight.
The Court’s ruling also shows that Federal Courts will defer to government procurement officials rather than overrule them. Quoting Cincom Sys. v. USA, the Court in the Systems Implementers case wrote, “the Court should not substitute its judgment for that of a procuring agency.”
As a result, despite any eventual DFARS rule which may invoke CMMC, it is conceivable that contracting officials could ignore the imposition of the highly-contentious CMMC certification, and impose alternatives — such as ISO 27001 or CMMI — and not face any Federal Court interference.
CMMC attempted to take the graduated, tiered maturity-level approach of CMMI and marry it with the yes-or-no certification approach of ISO 27001. That decision, critics have argued, created a clumsy model that claims to be a “maturity model” but ultimately issues a binary certification decision, without addressing cybersecurity maturity at all.
The CMMC program has been rife with conflicts of interest and accusations of corruption. It has faced Congressional criticism, a GAO audit, and the departure of nearly every key individual who had worked on its launch. The scheme is now headed for at least partial oversight by foreign actors, including China and Mexico. The DoD has refused to directly oversee the certification scheme, and instead allowed it to be farmed out to bodies operating under the International Accreditation Forum (IAF). It is expected that upon launch, the CMMC scheme will be highly contested in court.