New requirements mean contractors will have to pay to play. What does this mean for small businesses in the defense industry?
The cybersecurity posture of the Defense Industrial Base (DIB) supply chain is only as strong as its weakest contractor. When considering the DIB supply chain includes 300,000 contractors with sensitive government data, and around 290,000 of them are not subject to strict cybersecurity requirements or oversight, something needs to change.
Leading that change is the Office of the Under Secretary of Defense for Acquisition and Sustainment - OUSD(A&S) - which has developed the Cybersecurity Maturity Model Certification (CMMC), an agile set of unified cybersecurity standards to ensure the security of government data on DIB networks.
Illustration: CMMC Seal
CMMC will enable the government to verify contractors have adequate security protocols in place to protect non-public Federal Contract Information and more sensitive Controlled Unclassified Information.
The most recent draft version of the CMMC, Version 0.6, was released on November 7. A final version will be released in January 2020 and will be incorporated in Requests for Information (RFIs) by June and Requests for Proposal (RFPs) by September, eventually leading to complete implementation by 2025.
The new certification framework is not only a response to a heightened threat environment, but also to the state of DoD's existing contractor cybersecurity standards which are disparate, complex and lack a uniform enforcement mechanism. The CMMC builds and maps upon current frameworks, including NIST SP 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS).
Under these regulations, many contractors can "self-certify" that they meet cybersecurity standards, a weak link in the acquisition process the CMMC aims to fix. For all intents and purposes, the CMMC marks the first time DoD will hold all contractors accountable for meeting a set of unified cybersecurity controls based on risk and maturity - not a checklist.
The CMMC will include 5 distinct levels, each with their own practices and processes, ranging from basic cyber hygiene (Level 1) to "state-of-the-art" capabilities (Level 5). The certification levels are commensurate with the type of government information an organization will handle and the sophistication of threats it will face. An independent third-party organization, selected and accredited by DoD, will maintain the standard and conduct certification assessments.
Contractors will request certification based on their work requirements. If a company cannot meet the DoD's required CMMC level as stated in the RFP, they will be deemed ineligible to participate in the bidding process. This "go/no-go" decision is a paradigm shift in the DoD acquisition universe that will fundamentally affect how companies and the government approach the contracting process.
With the CMMC, adequate cybersecurity becomes an existential business requirement for industry, and the government will finally have the capacity to meaningfully assess the security posture of contractors when considering proposals.
Companies will have to foot the bill for certification up-front, though DoD says it aims to make the process "affordable" and "achievable", and will designate certification as an "allowable cost" in contracts and reimburse awardees.
Industry groups have offered suggestions to reduce the burden of up-front certification costs for small contractors in particular, such as federal funding support for small businesses, tax breaks, and even cyber insurance incentives.
It is important to note that protecting small businesses is ultimately the focus of the CMMC effort. Smaller companies are targets for cyber-attacks because they often lack the resources to implement countermeasures, and can serve as an entry point for attackers to move up the DoD supply chain.
For this reason, small businesses are the link in the supply chain most in need of implementing baseline cybersecurity standards that DoD can verify. But they also face the most challenges in meeting the standards because of their limited resources and, until now, their lack of incentive to invest in cybersecurity.
Small organizations can get a head start by implementing some basic cyber hygiene measures through acquiring low-cost, high-value technological capabilities (such as web isolation) or even simply changing current protocols and practices.
The CMMC is on its way to becoming the new reality for every current or hopeful DoD contractor. Pentagon officials have made clear the shift will not be easy. Katie Arrington, leading the CMMC effort for OUSD(A&S), recently told industry representatives, "this is a change of culture. It's going to take time, it's going to be painful, and it's going to cost money."
These new requirements and costs will no doubt have an impact on the participation of small business and nontraditional firms in the DIB. It's possible some of the nontraditional, innovative businesses DoD has spent the past few years courting may temporarily retreat from the marketplace.
However, given the high cost of government data loss at even the smallest contractor and the persistent threat of a crippling attack from nation-states and rogue actors alike, we have reached the point where we can no longer afford not to take action.