The U.S. Army Research Laboratory uses the “Shaker” to conduct experiments in multi-axial vibrations and develop technology to mitigate the danger it could cause to vehicles and structures. (U.S. Army photo by David McNally)

DOD Will Help Smaller Companies in the Supply Chain Meet Cybersecurity Requirements

As the Defense Department moves forward in implementation of its cybersecurity maturity model certification (CMMC), the undersecretary of defense for acquisition and sustainment said small suppliers to the department won’t be left behind.

“The cybersecurity maturity model certification is generically what ISO standards are for quality,” Ellen Lord said at the Ronald Reagan National Defense Forum in Simi Valley, California on December 7. “Right now we know that we have incredible vulnerabilities due to cyber threats. We really are at a cyberwar to some extent. So it is not practicable to not have some level of standards that have to be met.”

When it comes to working on defense contracts, she said, cybersecurity standards are non-negotiable and can’t be traded away in contract negotiations the way cost, quality or schedule can.

“We have rolled out a five-tier set of standards,” Lord said. “The challenge is that we know our most vulnerable links are not the first, second or third tier in the supply chain. It’s four, five, six, and seven.”

Those lower tiers in a supply chain — typically smaller companies that are just one of many providing products or services as part of a larger contract — might not be able to afford to meet the department’s increasingly demanding cybersecurity requirements.

“So what we look to is our primes to help those small companies,” she said, referring to the primary company on a contract. “We also look at the department as having resources to help bring those companies into compliance.”

Lord said the department has been working closely with industry associations, and holding listening sessions to understand the challenges small companies might have coming into compliance.

“We understand there is a challenge and we don’t want to lose those small companies,” she said. “We actually have a couple of very innovative concepts that have just recently been put out to us about how to deal with this in terms of broader certifications that are easier for small companies. So I think in the next three months you’ll hear more about that.”

The Defense Department, through CMMC, is looking to ensure that every company that works on a contract, no matter the size of its contribution, meets at least a basic level of cybersecurity that fulfills the security requirements of the contract. While not all companies are able to meet those requirements now, Lord said the department won’t leave them behind.

“Cybersecurity is critical,” Lord said. “We understand the challenge to small companies. We are not going to put small companies out of business. We need them. We will find innovative ways to help make them cyber secure with the help of our large primes as well.”

Read more at the Defense Department
