The Defense Department has an ambitious schedule for a serious overhaul of the way it monitors and enforces cybersecurity within its industrial base. If all goes as planned, vendors could start to see the new model showing up in formal solicitation documents in less than a year from now.
The Cybersecurity Maturity Model Certification (CMMC), in development since March, is the department’s attempt to create a simpler, more consistent framework for the cyber demands it imposes on companies. Rather than insisting they self-certify that they meet a long list of National Institute of Standards and Technology security controls, all contractors and subcontractors — whether they deal with sensitive information or not — will have their cyber acumen scored on a scale of 1 to 5. Likewise, every Defense contract will use the same scale to stipulate which companies are allowed to bid.
The CMMC certifications will begin to show themselves in contract documents next June, when they’ll be reflected in requests for information for upcoming contracts, said Katie Arrington, the special assistant for cyber in the Office of the Assistant Secretary of Defense for Acquisition. The first requests for proposals that will insist on only CMMC-certified vendors will most likely appear in September or October.
“We cannot afford not to do this,” she said during a teleconference organized by the Professional Services Council last week. “[The U.S. is] losing $600 billion a year to our adversaries in exfiltrations, data rights, R&D loss. If we were able to institute good cyber hygiene and we were able to reduce, let’s just say email phishing schemes by 10%, think of the amount of money that we could save to truly reinvest back into our partners in the industrial base that we need to stay on the competitive edge. And the only way that we saw fit to do this was to create this CMMC so we can ensure that we are doing everything we can do to buy down the risk of our adversaries stealing our hard work.”
DoD won’t be issuing the new cyber certifications directly. Instead, companies will have to have their IT systems and practices audited by a third-party assessor. The Pentagon wants those assessors to be independent and unbiased, so the firms doing the certifications won’t be allowed to sell other cyber services to companies. Each of them will be overseen by a single nonprofit entity that will manage the CMMC program.
Standing up that superstructure of third-party assessors also represents a time crunch. The department said it plans to pick the management nonprofit by January, about the same time it intends to publish the first draft version of the CMMC model, detailing the sorts of steps firms will need to take to achieve each level of the certification program.
Once the nonprofit is picked, DoD wants it to be able to help continually update the model while also providing alerts and warnings to the Defense industry about new cyber threats and exfiltrations.
“I need to be able to educate the community at large. I may need to dial up certain areas and make changes in the next year’s certification process to ensure that we are doing our best to protect not just the U.S. government, but our vendor community as well,” Arrington said.
As for the companies who will do the on-the-ground assessment work, the Pentagon is optimistic that there’s enough expertise in the existing pool of private sector cyber auditors to handle the task, even though the entire industrial base of 300,000 contractors — from shoemakers to IT service firms — will have to be certified in order to continue doing business with DoD. And contractors will be allowed to seek reimbursement from the government for achieving their CMMC certifications as an “allowable cost” in their contracts.
“There are a great deal of companies out there that do NIST 800-171 compliance work as a service, and they do a great deal of the healthcare and the financial sector certifications. We see that marketplace taking the CMMC on as another avenue for their businesses,” she said. “The defense sector is a little bit slow to get to this point, but we’re not unique in the U.S. marketplace.”
Get your daily dose of Mike Causey’s Federal Report delivered to your inbox. Subscribe now.
Also, the department does not plan on converting all of its contracts to CMMC overnight. Arrington said DoD is planning a “crawl, walk, run” approach to ensure a smooth rollout. Long before the first RFPs go out, it’s also planning a series of nationwide “listening sessions” with industry to help refine the plan.
But before it starts inserting the new certification demands into contract language, DoD realizes it needs to train its own acquisition workforce on the intent behind the model and how to apply it. Otherwise, Arrington said, contracting officers may have a tendency to insist on top-tier “Level 5” vendors for every RFP they release.
“If you’re on a contract for boots and you’re the subcontractor who’s sewing the eyelets for the laces, you may not need state of the art cybersecurity,” she said. “We want them to have good cyber hygiene. We want them to protect their employees, their IP, but as far as the government, we should not be sending them anything more than the instructions on how to make the eyelet, and a level-one certification would be good enough. The prime contractor may need a level three, because they’re receiving controlled unclassified data that has to do with where the boots need to be shipped. The contract will have specific areas of work that will have specific levels of maturity that will be needed. That’s why we’re doing an entire reeducation of our contracting officers and program managers. We want them to really understand what security is going to cost, and why you need it.”