The clock is ticking for an untold number of private contractors doing business with the Department of Defense (DoD). Despite ample warning, only a handful of these organizations have prepared for a regulatory time bomb set to go off in early 2020. Noncompliance not only threatens these enterprises’ ability to retain lucrative government contracts, it also stands to affect the DoD’s ability to conduct normal operations.
Faced with recent and growing concerns over security and cyber threats, the DoD has increasingly focused its attention on cybersecurity. With the DoD planning to roll out security requirements as early as January 2020, many contractors may find themselves scrambling to achieve the proper Risk Management Framework and NIST technical controls.
In 2019, the DoD announced that it will implement the Cybersecurity Maturity Model Certification (CMMC), which ranks contractors based on their cyber hygiene on a scale from 1 (“Basic”) to 5 (“State-of-the-Art”). In the summer, the DoD held sessions to solicit feedback from the industry. The planned timeline to begin certifying auditors kicks off in January 2020, followed by the requirements appearing in RFIs (Requests for Information) in June 2020 and certification to bid on RFPs (Requests for Proposals) in September 2020.
A Fourth Leg to the Proposal Stool
Cost-plus contracts are now going to have a fourth leg on the stool: cost, schedule, performance and now cybersecurity. The DoD will be basing accreditation specifically on NIST 800-171 cybersecurity standards for protecting controlled unclassified information (CUI) stored, transmitted or processed on any non-federal computer system or network.
Achieving NIST 800-171 compliance requires diving deep into networks and procedures to address appropriate security policies. If companies are not able to provide evidence of security protections and compliance, they risk the loss of contract awards and the ability to compete for future awards.
With compliance made part of the bidding process, contractors will now have to submit to an audit and be able to write to their NIST 800-171 compliance, demonstrating how they will secure their information using measures outlined in CMMC. Those who don’t measure up won’t be able to do business with a list of federal clients that includes the DoD, NASA and the various branches of the military, among others.
The Five Levels of Cybersecurity Maturity
- Level 1 – Basic Cyber Hygiene: Includes basic cybersecurity best practices appropriate for small companies and covers implementation of 35 NIST 800-171 security controls.
- Level 2 – Intermediate Cyber Hygiene: Calls for implementing accepted cybersecurity best practices that would be documented, and requires multi-factor authentication for access to CUI data. Adds 115 security controls.
- Level 3 – Good Cyber Hygiene: Covers all NIST SP 800-171 Rev. 1 controls and additional practices beyond the scope of current CUI protection. Also requires a comprehensive knowledge of cyber assets as well as an additional 91 security controls beyond those of Levels 1 and 2.
- Level 4 – Proactive: Includes advanced and sophisticated cybersecurity practices. Processes are reviewed, resourced, and improved regularly across the enterprise. In addition, defensive responses operate at machine speed and there is a comprehensive knowledge of all cyber assets. Adds 95 controls beyond Levels 1–3.
- Level 5 – Advanced / Progressive: Includes highly advanced cybersecurity practices. Processes include continuous improvement across the enterprise and defensive responses performed at machine speed. Requires an additional 34 controls beyond those of Levels 1–4.
Slow March to Compliance
Implementation of CMMC has fallen to Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition (ASD[A]) for Cyber. According to Arrington’s office, only about one percent out of the more than 300,000 DoD contractors are currently compliant under the CMMC.
For her part, Arrington has tried to soften the blow by assuring vendors that the government will, in some cases, cover the costs for cybersecurity. Still, many contractors appear to be taking a wait-and-see approach to becoming compliant. While the NIST 800-171 guidelines were created in 2015, there may be incredulity over the enforcement – and especially so soon. With firm deadlines for auditing and enforcement just around the corner (and with compliance now part of the bid process), these companies risk finding themselves shut out of federal contracts altogether.
Future RFPs will require contractors to state their CMMC certification level. If they don’t measure up, they simply can’t bid. For some companies, even the most fundamental pieces may not be in place. Concerns include companies transitioning operations to the cloud, and proving even the most basic compliance may present a challenge for some.
How bad is the current state of cyber readiness? At a recent industry event in California, I spoke with a representative from a major defense contractor that provides sensitive technology for attack submarines. He didn’t have encryption on his laptop because, in his own words, “The office IT guy said I didn’t need it.” That should provide some picture of how far the industry has to go to meet these standards.
The Flow-Down Effect
For larger enterprises, keeping one’s own house in order may not be enough. Many large defense and aerospace companies subcontract to small manufacturers for items like landing gear parts. There is a flow-down effect – subcontractors are going to be held to the same standards as primes. So, not only are the industry’s Boeings and Northrop Grummans going to have to show compliance, but also the little guys making landing gear assemblies and all the other widgets down the supply chain.
Rather than fighting the inevitable, smart enterprises are looking for cover in the form of IT consultants with a strong background in NIST 800-171 compliance to guide them toward implementing the necessary cybersecurity practices. But with major aspects of CMMC going into effect early this year, it may be too late to defuse this regulatory time bomb.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.