CMMC and The Market for Lemons (E03a)
There are systemic challenges to achieving cybersecurity and CMMC compliance. These are due to market dynamics based on low unemployment and the rapid adoption of and migration to cloud and managed services providers. This has created an environment where many firms have been forced to outsource their IT technical sophistication resulting in information asymmetry between IT Service providers and the companies buying these services. The presentation reviews the initial Market for Lemons paper by American Economist George Akerlof in 1970 that first identified and defined the dynamic and provides a summary of Akerlof’s initial exploration of the used car market. The conditions that create a Market for Lemons is then discussed with a discussion of the impact of information asymmetries between buyers and sellers of technical products. An example is then presented of this dynamic playing out across two ISPs and how this forces cybersecurity out of the market. With the understanding of the Market for Lemons fully developed, the talk then turns to how CMMC, at its core, is a tool that the DoD is utilizing to combat this dynamic. C3PAOs will ensure that companies who have outsourced their IT sophistication through External Service Providers have not unintentionally undermined the security of the CUI in their possession. It may not be the average Defense Contractor’s fault that they have been forced into the situation, but it is their responsibility to navigate it. Finally, the presentation outlines the purpose of Registered Provider Organizations (RPO) as the DoD’s lifeline provided to DIB contractors to enable success. The RPO is the only CMMC Ecosystem member that is on the DIB contractors’ team and they are analogous to outsourced accounting or legal counsel. With the importance of the RPO’s role defined, the presentation finishes by outlining how to successfully outsource CMMC compliance and provides some MSP Red Flags for the DIB contractors to watch out for from the perspective of certified CMMC assessors.