Will Defense Contractors Be Ready for CMMC?

 In Defense, Cyber/ICT, Industrial, Space, Information


Will defense contractors be ready for CMMC?

Shutterstock image By Pasko Maksim Stock vector ID: 591206291

Defense con­trac­tors will face big changes and tight time­lines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification frame­work, experts say.

The frame­work, which aims to cer­ti­fy a com­pa­ny’s com­pli­ance with fed­er­al cyber­se­cu­ri­ty reg­u­la­tions around con­trolled unclas­si­fied infor­ma­tion (CUI), was announced by DOD offi­cials in June. It will be used to eval­u­ate and rate con­trac­tors’ abil­i­ty to pro­tect sen­si­tive data on a 1 – 5 scale start­ing next year. 

The ini­tial ver­sion of the frame­work is sched­uled to go public in January 2020. By June 2020, its require­ments will start appear­ing in requests for infor­ma­tion, and will become a reg­u­lar fea­ture of defense pro­cure­ment by September 2020. That means defense con­trac­tors will have less than eight months to imple­ment changes for com­pli­ance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on pro­tect­ing CUI. 

“Any time­line would seem ambi­tious. One that looks to have this in oper­a­tion by 2020, it’s going to be dif­fi­cult,” said Robert Metzger, a lawyer spe­cial­iz­ing in gov­ern­ment con­tracts and com­mer­cial lit­i­ga­tion and a con­sul­tant for MITRE focusing on supply chain secu­ri­ty issues. “Naturally indus­try has a lot of ques­tions about the mechan­ics.… Companies are under­stand­ably uncer­tain as to how these changes will affect what they’re doing, how they will demon­strate eli­gi­bil­i­ty for con­tracts and what the costs might be upon their oper­a­tions.”

High costs, con­fus­ing guid­ance and low return on invest­ment have all been cited as rea­sons for com­pli­ance chal­lenges among defense con­trac­tors. Traditionally, DOD has declined to cover the costs asso­ci­at­ed with imple­ment­ing acqui­si­tion reg­u­la­tions relat­ed to cyber­se­cu­ri­ty for CUI, but that has slowly changed over the past 12 months as mil­i­tary con­trac­tors have faced unprece­dent­ed attacks from for­eign-spon­sored hack­ers.

Last year, then-Deputy Secretary of Defense Patrick Shanahan expressed reluctance of the part of DOD to help con­trac­tors cover added costs for cyber­se­cu­ri­ty, saying secu­ri­ty should be a base­line expec­ta­tion in con­tracts. However, at a Professional Services Council event ear­li­er this month, Katie Arrington, spe­cial assis­tant to the assis­tant sec­re­tary of defense for acqui­si­tion, announced that the depart­ment would allow con­trac­tors to write off a por­tion of their cyber­se­cu­ri­ty spend­ing for gov­ern­ment con­tracts, includ­ing imple­ment­ing NIST guid­ance.

Alan Chvotkin, exec­u­tive vice pres­i­dent and coun­sel for the Professional Services Council, wel­comed the shift, telling FCW that it would be con­tra­dic­to­ry for DOD to refuse to pro­vide finan­cial incen­tives around cyber­se­cu­ri­ty at the same time it has expressed a desire to expand the number busi­ness­es that make up the defense indus­tri­al base.

Allowing con­trac­tors to write off a por­tion of their cyber­se­cu­ri­ty com­pli­ance activ­i­ty is “an acknowl­edge­ment by the depart­ment that cyber­se­cu­ri­ty is not free,” he said.

“To be a smart busi­ness­man, let alone a con­trac­tor, you ought to under­take this [level of secu­ri­ty], because our adver­saries are steal­ing every­thing,” Chvotkin said. “On the other hand, [DOD] is trying to entice non­tra­di­tion­al com­pa­nies and small com­pa­nies who oth­er­wise … might not see the need to incur such sig­nif­i­cant costs to reach the level that is expect­ed as a con­trac­tor or sub­con­trac­tor.”

Still, it’s not clear how DOD’s reim­burse­ment policy will work, which con­tracts it would apply to or what per­cent­age of a com­pa­ny’s costs would be cov­ered. DOD is using the summer to con­duct “road­show” out­reach ses­sions, sending officials across the coun­try to meet with con­trac­tors, explain the new matu­ri­ty model and take feed­back from indus­try on the best way to struc­ture the frame­work.

James Goepel, CEO and gen­er­al coun­sel for the cyber­se­cu­ri­ty con­sult­ing firm Fathom Cyber, told FCW he has seri­ous doubts as to whether many defense con­trac­tors will be ready by September 2020. For most com­pa­nies, the asso­ci­at­ed costs are less about assets and tech­nol­o­gy and more about human resources, train­ing employ­ees and allo­cat­ing the per­son­nel to map out and for­mal­ize inter­nal IT poli­cies. Still, the poten­tial for an ini­tial shock to the fed­er­al con­tract­ing system is real.

“I do think that it’s going to hurt us in the short term from a prod­uct-avail­abil­i­ty per­spec­tive,” said Goepel, who also teach­es cyber­se­cu­ri­ty at Drexel University’s Law and Business schools. “The gov­ern­ment is going to miss out on stuff, and there are going to be com­pa­nies that go out of busi­ness because of this. But in the end, I think that it may actu­al­ly be a better thing for coun­try, unfor­tu­nate­ly.”

Metzger does­n’t go that far, but said he does believe one short-term effect of the frame­work could be that a cer­tain per­cent­age of com­pa­nies end up exit­ing the fed­er­al con­tract­ing space. In par­tic­u­lar, the impact might be hard­est on small and medium-sized busi­ness­es — both sub­con­trac­tors and primes — with fewer finan­cial resources that have tra­di­tion­al­ly evaded the same level of scruti­ny direct­ed towards prime con­trac­tors. Still, Metzger said he expects most com­pa­nies will shoot for a middle ground that bal­ances cost with busi­ness oppor­tu­ni­ty.

“I think the short-term impact is that com­pa­nies of all sizes are going to be look­ing at afford­able, effec­tive ways to improve their cyber­se­cu­ri­ty. Nobody knows exact­ly today what you will need to do to get a secu­ri­ty rating score of [1 – 5],” Metzger said. “Very few com­pa­nies are going to strive for a 5 … but very few are going to want to have only a 1. I’m think­ing that many com­pa­nies will be tar­get­ing their invest­ments and actions to be sure that when the scor­ing method comes into place that they will get at least a 3.”

About the Author

Derek B. Johnson is a senior staff writer at FCW, cov­er­ing gov­ern­men­twide IT policy, cyber­se­cu­ri­ty and a range of other fed­er­al tech­nol­o­gy issues.

Prior to join­ing FCW, Johnson was a free­lance tech­nol­o­gy jour­nal­ist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor’s degree in jour­nal­ism from Hofstra University and a Master’s degree in public policy from George Mason University. He can be con­tact­ed at djohnson@fcw.com, or follow him on Twitter @derekdoestech.

Click here for pre­vi­ous arti­cles by Johnson.

Source: FCW

Recommended Posts

Start typing and press Enter to search