DOD wants prime contractors to be 'help desk' for new cybersecurity model

The Defense Department is pushing forward with its unified cybersecurity standard for contractors and wants large companies and industry associations to show startups and smaller firms the way.

The Defense Department is hoping large defense contractors will be cyber mentors for small businesses and startups as it rolls out its new cybersecurity standard next month.

Ellen Lord, DOD's acquisition chief, told reporters during a Dec. 10 briefing the department was attuned to small businesses cost-related concerns of its new Cybersecurity Maturity Model Certification. While there's no mandate at work, Lord said big companies and industry associations should pitch in with help as the standard is implemented in 2020.

"We know that this can be a burden to small companies in particular," Lord said. "At this point, I don't rule anything out, but I'm not envisioning waivers. I am envisioning the primes and the industry associations and the government with industrial policy really working as kind of the help desk, the help agent, enabling these companies to be compliant with a lot of support."

The CMMC model has been praised by senior defense officials, such as Navy CIO Andrew Weis, for having the "right perspective" and criticized by small business advocates over cost concerns.

Lord stressed that supply chain vulnerabilities are most prevalent six to seven levels down from prime contractors, and the Defense Department is working to minimize costs so small businesses can be more compliant with CMMC over the next two to three months. Katie Arrington, DOD's chief information security officer, previously said part of that transition will be considering reciprocity for other cyber certifications, such as the Federal Risk and Authorization Management Program, or FedRAMP.

"This is a U.S. economic security issue as well as a U.S. security issue," Lord said. "When we look at cybersecurity standards, I believe it is absolutely critical to be crystal clear as to what expectations, measurements are, what the metrics are, and how we will basically audit against those."

Contractors will have to get certified by a designated accrediting body. Lord said DOD is working with multiple companies but has not designated an accrediting body but indicated there will be more than one.

Alan Chvotkin, executive vice president and counsel of the Professional Services Council, says it's a good time to start focusing attention on CMMC.

"I think she's right to focus on raising the visibility of CMMC," Chvotkin said. "It will be market affecting. Those companies that have the certification will be able to compete for work at DOD; those who don't have the certification will not be able to work on DOD contracts. That's pretty important."

The final CMMC framework, as well as the list of accrediting bodies, will be released and fully available in January. Lord said DOD is considering a "rolling roll out" for requests for proposals and contracts that incorporate the new standard starting in July.

Mike Hettinger, a lobbyist who advises tech vendors on government relations and strategy, has been following CMMC and is concerned that the July timetable means that the big companies Lord expects to offer guidance on the new standards will have their own compliance issues to contend with.

"To think that between now and next summer a big company is going to get through the certification process and set up a mentor-protégé process with their partners seems like a bit much," Hettinger said.

This article was updated Dec. 10 to include additional reporting.