The Pentagon lead for the Cybersecurity Maturity Model Certification program argued the move will be good for small contractors. And for those that don’t want to comply: Good riddance.
The Defense Department’s impending cybersecurity certification requirement for all contractors has caused no shortage of concerns among small businesses worried about the cost. But the Pentagon’s lead for the effort made the case Wednesday that the move is necessary and, in some cases, will help small contractors.
“We need to lower the barriers. We need to speed up acquisition. But we also need to secure the [defense industrial base],” Katie Arrington, chief information security officer for the assistant secretary for defense acquisition, said during a talk at the Charleston Defense Contractors Association 2019 Summit in Charleston, South Carolina. “With 70% to 80% of our data living on my contractors’ networks, I don’t have a choice but to worry about how they’re doing it.”
Today, that process is “schizophrenic,” Arrington said. Defense contractors have been required to have a base level of cybersecurity on their systems through laws, policies and executive orders. However, those policies require vendors to self-certify—a method that is unreliable and, often, can put compliant businesses at a disadvantage. Arrington told the room of small businesses a hypothetical example:
In the true analysis, you haven’t been competitive. Here’s why: If I’m Small Business A, I have a contract with [controlled unclassified information]. DFAR clause 7012 applies to me. By the DFAR rule today, all you have to do is self-attest that you’re doing all 110 controls of NIST 171. I, Company A, attest I am doing 80 of the controls and I have a [plan of action] to implement the additional 30. I am technically acceptable on a contract. My rate is A.
I’m Company B. I, too, am bidding on the same piece of work. I, too, have to be DFAR compliant. But I’m actually doing all 110 controls on NIST 171. My rate is B. Whose rate is higher? B. Who’s technically acceptable? A and B. Who’s going to get the work? A—every damn time.
Under the new framework, dubbed the Cybersecurity Maturity Model Certification, all vendors doing business with the Defense Department will be required to be certified by a third-party assessor as fully compliant or be prohibited from being awarded the contract. The department is moving at a pace to have the compliance regime in place by mid-2020.
Arrington said that by codifying CMMC compliance, the department can—and will, by her assertion—consider it as an allowable cost of having the required certification level. By Arrington’s assessment, this will not only ensure that defense contractors have a base level of cybersecurity, but also that they are getting paid a reasonable amount to maintain that security.
The process started by pulling together all controls listed in relevant documents produced by the National Institute of Standards and Technology, international standards like ISO/IEC and those used in aviation set by the Aerospace Industries Association. The result was a large number of controls, many of which were redundant.
The Pentagon released the seventh draft version of the standards Wednesday, pared down from 380 practices and 85 capabilities to just 173 and 43, respectively.
The result is a five-tiered system, the first three of which map to standards most of the defense industrial base should already be familiar with. According to Arrington, a Level 1 certification maps to Federal Acquisition Regulation 52.204-21—the basic cybersecurity standard for federal contractors—while Level 2 and 3 map to NIST 171 and 171.b, respectively. She added that the department plans to acknowledge existing certifications for those standards, so vendors don’t have to recertify.
The accreditation body that will govern the program in being set up now, Arrington said, with the full process being turned over by January. Once the memorandum of understanding is in place, the body will begin to accredit third-party assessment organizations, or C3PAOs, that will do the certification and continuous monitoring work. Arrington noted those C3PAOs will be limited to auditing work and will not be companies that provide cybersecurity solutions.
From there, Arrington said the first solicitations to include CMMC requirements will be posted by June or July.
For vendors that think the cost of compliance will be prohibitive, Arrington says, “Good riddance.”
“Companies that say, ‘I’ll never get certified, I don’t want to, this is too high of a bar to reach to work with the Department of Defense. It’s already cumbersome enough to work there.’ Here’s my thing: I love ya, but good riddance,” she said. “We don’t want to lose you. … The companies that don’t want to acquiesce: I don’t want them to go, but they have a business decision to make.”
That said, Arrington’s goal will be to keep costs to a minimum.
“If it costs you more than a few thousand dollars to get certified at CMMC Level 1, I have failed,” she said. She also noted the program will have Title 3 authority to provide some funding assistance, similar to when the department mandated the shift from the Defense Information Assurance Certification and Accreditation Process, or DICAP, to the Risk Management Framework.
Once the CMMC process reaches a level of stability, Arrington said her next effort—CMMC 2—will focus on the products vendors use to secure their systems.
“We have big problems,” she said. “This is a start.”