Jan 09 2020

What Comes Next for the DOD’s Cybersecurity Certification Regime?

The Pentagon is preparing to roll out a new program for certifying contractors’ compliance with technical cybersecurity controls.

Supply chain security has long been an issue at the Defense Department, and later this month, rules will go into effect to help make the department’s contractors more secure. 

The full framework, known as the Cybersecurity Maturity Model Certification, is expected to be released this month. 

As Security Boulevard notes, the CMMC “contains five levels ranging from basic hygiene controls to state-of-the-art controls.” Every contractor that wants to do business with the DOD “will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime,” the site reports. 

The DOD expects contractor CMMC assessments to begin in June 2020. By then, according to the DOD, “the IT community and others in industry will see cybersecurity requirements included as part of new requests for information, which typically serve as one of the first steps in the awarding of new defense contracts.”

Although the cybersecurity requirements will be another hurdle that DOD contractors need to work through, Pentagon officials say that the new controls are imperative.

“We need to lower the barriers. We need to speed up acquisition. But we also need to secure the [defense industrial base],” Katie Arrington, CISO for the assistant secretary for defense acquisition, said during a talk at the Charleston Defense Contractors Association 2019 summit last month, according to Nextgov. “With 70 percent to 80 percent of our data living on my contractors’ networks, I don’t have a choice but to worry about how they’re doing it.”


DOD Aims to Make Cybersecurity Certification Easy for Small Firms

The CMMC will require all defense contractors and subcontractors to have a third party assess their internal cybersecurity technical practices and process maturity against published standards. According to Mondaq, a firm that provides legal, financial and regulatory information, DOD will “determine the appropriate level of certification on a case-by-case basis, but a minimum of Level 3 will be mandatory” for contractors that access Controlled Unclassified Information or generate Covered Defense Information. 

CUI includes export-controlled information, “for official use only” information, and other information created or possessed by a contractor that is subject to government-mandated safeguarding or dissemination controls, according to the National Law Review.

“We have rolled out a five-tier set of standards,” Ellen Lord, the undersecretary of defense for acquisition and sustainment, said in December at the Ronald Reagan National Defense Forum in Simi Valley, Calif., according to a DOD news release. “The challenge is that we know our most vulnerable links are not the first, second or third tier in the supply chain. It’s four, five, six and seven.” 

Smaller firms that may provide products and services to larger contractors may find it difficult to meet the new certification requirements, and DOD wants to help them. 

“So, what we look to is our primes to help those small companies,” Lord said in California, according to the DOD. “We also look at the department as having resources to help bring those companies into compliance.” 

The DOD understands that CMMC represents a challenge and the department does not want to lose those small companies, according to Lord. “We actually have a couple of very innovative concepts that have just recently been put out to us about how to deal with this in terms of broader certifications that are easier for small companies,” she said. “So, I think in the next three months you'll hear more about that.”

The accreditation body that will govern the program is being finalized, and later this month it is expected to start to accredit third-party assessment organizations, or C3PAOs.

Those organizations will conduct the actual certifications and continuous monitoring work. According to Nextgov, in South Carolina, Arrington said the C3PAOs will be limited to auditing work and will not be companies that provide cybersecurity solutions. 

For vendors that think the cost of compliance will be too high, the DOD says they should look for work elsewhere. 

“Companies that say, ‘I’ll never get certified, I don’t want to, this is too high of a bar to reach to work with the Department of Defense. It’s already cumbersome enough to work there.’ Here’s my thing: I love ya, but good riddance,” she said, according to Nextgov. “We don’t want to lose you. … The companies that don’t want to acquiesce — I don’t want them to go, but they have a business decision to make.” 

The CMMC is not designed to be too costly for smaller companies, though. “If it costs you more than a few thousand dollars to get certified at CMMC Level 1, I have failed,” Arrington said.
