Civilian Vendor Cybersecurity Certification Would Look Very Different From DOD


A civilian counterpart to the Pentagon’s Cybersecurity Maturity Model Certification would need to suit the varying missions across government, according to federal deputy CIO Margie Graves.

The Defense Department is working on a new policy that will require its vendors to obtain a certification confirming that the contractor’s own systems have strong enough cybersecurity to protect the department’s secrets. A civilian agency counterpart would look very different from what the Pentagon is developing, according to the government’s second-ranking civilian IT official.

While the government does have a method for certifying the cybersecurity of the products and services vendors sell to it—through the authority to operate, or ATO, process and the Federal Risk and Authorization Management Program, or FedRAMP—it does not have a program for assessing the security of the vendors’ own internal systems, where government data may also be stored and handled.

The Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, looks to change that with a set of 18 “key sets of capabilities for cybersecurity,” according to the draft released in September.

Defense contractors will have to go through an assessment process that places each company in one of five tiers. Each tier corresponds to a degree of confidence in the company’s security posture and clears it to work with department data of matching sensitivity. At the lowest level, practices include things like abiding by Federal Acquisition Regulation requirements and having basic antivirus installed on systems. At the highest tier—level five—practices are beefed up to include customized cybersecurity software, 24/7 security operations centers and automated incident response, according to the draft.

A similar program would be useful in the civilian space but would require a quite different framework, Margie Graves, deputy federal chief information officer, said in answer to a question at the Professional Services Council’s annual Vision conference.

“We, as a civilian community, cannot adopt DOD rubrics writ-large,” she said. “But there are some aspects of the civilian agencies—I would say, [the Homeland Security and Justice departments] and others in the law enforcement among them—that are similar. We could actually learn from the framework that’s being set up with DOD on that issue.”

Graves pointed to a similar collaboration around the Pentagon’s Defense Enterprise Office Solutions, or DEOS, contract, which looks to offer departmentwide access to Microsoft Office 365 tools. Civilian law enforcement agencies with similar security requirements will be looking to use that contract, as well, Graves said.

But the civilian government has a wide range of missions, each with varying security needs. Forcing the entire federal contracting community to abide by the strict Defense Department security standards wouldn’t be practical.

“Watching what they do, adapting it for civilian use” could be the right way to go, Graves said. “But, ultimately, we have to do what’s right for the mission spaces, and not all of those are uniform. Most of them in the civilian space don’t comport with DOD.”

While a civilian vendor cybersecurity certification would need to be specialized for the different mission areas across government, it would not be drawn up agency by agency, Graves said.

“It would be based on the level of protection and the type of data and the type of mission that you’re talking about. A lot of these missions … they’re a portfolio and they cross agencies,” she said, offering law enforcement and disaster management as examples.

“If you were to look at in terms of a law enforcement portfolio, that has a certain kind of protection requirement as opposed to disaster management, which has more interaction with the public on a real-time basis,” she said. “Those are the kinds of things I’m talking about: the spectrum. But I’m talking about one, two or three; I’m not talking about a thousand flowers blooming.”