DISA Official: ‘No One Knows’ How Cyber Standards Will Impact Contractor Pool


Many small businesses might find themselves excluded from the Pentagon’s most sensitive tech projects under the new Cybersecurity Maturity Model Certification.

Officials at the Defense Information Systems Agency don’t know whether forthcoming vendor cybersecurity standards will shrink the pool of contractors that qualify for critical tech projects.

In January, the Pentagon plans to publish the final version of the Cybersecurity Maturity Model Certification, or CMMC. Under the framework, companies would have their cyber practices graded on a scale of one to five, and procurement officials would use the rating to determine which vendors are eligible for certain contracts, with more sensitive projects requiring more stringent security standards.

While the program is intended to push vendors to strengthen their security standards and increase visibility into the department’s supply chain, it could also render a significant chunk of the Pentagon’s contractor pool ineligible for its most sensitive projects, according to DISA officials. 

“A very small number … of the 300,000 [defense industrial base] companies have state-of-the-art cybersecurity. The majority of them are at the lower end of that one to five scale,” Maj. Gen. Garrett Yee, assistant to the director of DISA, said Monday during a speech at the agency’s annual Forecast to Industry Day. That notion is based on estimates from the Office of the Secretary of Defense, not DISA’s own assessment, he noted.

When asked during a media roundtable how the program would impact the pool of qualified vendors for the agency’s sensitive tech projects, Yee said, “No one knows the answer to that.”

Small businesses make up a significant percentage of the department’s contractor pool, and many of those firms haven’t historically devoted as many resources to standing up robust cyber defenses, according to Yee. The certification is meant to be both “affordable” and “achievable” for small businesses, he said, though the Pentagon received many questions about how small businesses would compete with larger vendors under the new model.

The Pentagon released the first draft of the CMMC in September, and officials expect to begin adding certification standards to requests for information by June 2020 and solicitations by next fall. During his speech, Yee called the program’s timeline “very aggressive,” but said the mounting espionage and supply chain security threats facing the Pentagon require quick action.

During a separate speech, DISA Director Vice Adm. Nancy Norton urged vendors to begin ramping up their cybersecurity efforts with the CMMC on the horizon and pushed them not to oversell their tech.

“Be honest about the scope and scale of a solution and its readiness to operate and to meet unique DOD mission requirements,” Norton said during her keynote address. “As an industry partner, you must understand … who and what is at stake in this environment. Build cybersecurity into all your products and services and capabilities from concept to completion … be as innovative in your approach to cybersecurity as you are in your functional capabilities.”