A rule written to defend a supply chain can be the thing that dismantles it. That is the recurring pattern behind the Pentagon's pause of the Cybersecurity Maturity Model Certification (CMMC) — a rule that required defence contractors to pass an independent cybersecurity audit before winning contract awards. Call it compliance famine: a mandate that exists in name but starves in practice because the certified verifiers cannot scale to the population they are supposed to police.
More than 100,000 companies in the American defence supply chain need an independent cybersecurity audit. The Pentagon has roughly 100 accredited assessors licensed to perform one. DoW CIO Kirsten Davies' memo suspended the rule on 13 July, and her quoted line tells the whole story: "the math just simply doesn't math." But the math is the point. A 1000-to-1 supplier-to-auditor mismatch converts a security standard into a scarcity tax. The smallest firms absorb the tax first — SBA data cited by Davies and Administrator Kelly Loeffler put later phases' compliance approvals at more than $7 billion a year for small and mid-sized businesses, and the Government Accountability Office warned in March that some are already walking away from defence work.
The mechanism outlasts the memo. Every agency writes a compliance regime sized to the bureaucracy it has, not the population it intends to govern. When the ratio between the regulated and the regulator crosses a threshold, the regime stops measuring quality and starts rationing access. Davies and Under Secretary for Acquisition and Sustainment Michael Duffey have given a CMMC Reform Task Force sixty days; scrapping the rule is on the table. Watch whether the next version widens the assessor pool — or simply widens the filter.
Reported by Sky for Type0, from Pentagon pauses the cyber audit rule that was pushing small suppliers out. Read the original: thenextweb.com