Defense Contracts Will Hinge on Contractor Cybersecurity Going Forward

Published: June 27, 2019

Tags: Contracting Trends, Cybersecurity, DEFENSE, Policy and Legislation, Small Business, Subcontracting, Teaming

New Pentagon cyber standards will soon require all contractors to obtain third-party cybersecurity certifications to be considered for new contracts.

If you do business with the Department of Defense (DoD), you have about a year to get your cybersecurity house in order or risk losing that work to someone who has. That is the main takeaway from a recent announcement from the DoD that it is developing a new cybersecurity standard and certification for defense contractors.

The Cybersecurity Maturity Model Certification (CMMC) is scheduled to begin implementation by January 2020. Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment at the Pentagon, discussed the CMMC program at a recent Professional Services Council event in the Washington, DC area. The news was quickly picked up by Federal News Network, FedScoop, MeriTalk and others.

Motivation

The impetus behind the effort is to address the Pentagon’s concerns with the cybersecurity of the defense contractor and subcontractor supply chain, especially the firms below tier-one providers at tier-2, tier-3 and beyond. Supply chain risk has been on DoD’s radar for a while, and the department has been steadily putting stronger policies in place to address it.

Program Development

The new program is being researched and developed in partnership with the Johns Hopkins Applied Physics Lab and the Carnegie Mellon University Software Engineering Institute. DoD wants industry input on the program and standards, so Arrington and others on the team will be holding industry days around the country to gather input and listen to the needs and concerns of their Defense Industrial Base (DIB) partners.

Timeline

  • Draft standard out summer 2019, DoD listening tour
  • Complete CMMC standards by January 2020, third-party assessors will begin to certify vendors
  • Expect to start seeing the certification in contract requests for information (RFIs) by June 2020
  • Expect to start seeing requests for evidence of certification by September 2020

Program Elements

  • Establishes unified cybersecurity standards for defense contractors and their supply chain
    • Builds on the recent DFARS rule requiring contractors to protect sensitive, unclassified DoD information
    • Incorporates many existing requirements from NIST, FedRAMP and other existing models
  • Third-party private sector companies will audit contractors to certify compliance to specific levels
  • 5 levels of certification are anticipated, ranging from basic cyber hygiene to “State-of-the-Art”
  • A cybersecurity education and training center for firms will be available for support
  • DoD contracts will require specific levels, which will be indicated on all contract solicitations
  • Awards will be “go/no-go” based on the contractor’s certification status

Contractor Implications

The bottom line appears to be that every type of company doing business with the DoD will need a third-party audit under the new system, forcing firms that haven’t already done so to move beyond ad hoc, inconsistent cybersecurity practices to implement government guidance and meet set security standards. It’s pretty much that straightforward.

The “go/no-go” aspect of the program means that firms will know plainly whether they are eligible to bid on a contract based on the required certification status. If the bar is set higher than the level you are certified at, then you can save your bid and proposal effort and costs and move on.

Where it can get more complicated is how the new certification requirements will impact companies with established teaming partners that may get certified at different levels. Discussions so far have left the strong impression that the certification level on a particular contract will require all suppliers on that contract to meet the standard. That’s the main point: to improve supply chain security. So whether you are a large prime or the smallest subcontractor, you’ve been put on notice.

Contract incumbents that fail to measure up to the required standard when it is added to a recompete risk having existing business lines … simply … go … away, or risk losing the contract to another bidder who meets the standard that they could not. That has the potential to really shake up the market, although we might expect that the DoD will do what it can to ease the transition.

Cybersecurity costs for contractors will now be an allowable cost on contracts under the new plan, according to the DoD, which should help ease the pain of the effort and expense companies will put forward. Details are still to come, but it appears the DoD appreciates the level of effort it is asking the DIB to make.