Ensuring cybersecurity in DoD acquisitions
Cyber and data security have become key differentiators for defense contractors as agencies have increasingly folded cybersecurity compliance into proposal evaluation. CMMC takes this a step further: it is meant to apply to all DoD procurements, which raises the entry standard for defense contractors. According to the DoD, “CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect Controlled Unclassified Information (CUI) that resides on the Department’s industry partners’ networks.”
The scope of the standards has changed with it. Previously, contractors and subcontractors that did not store or process Covered Defense Information (CDI) on their IT systems were not required to meet DoD cybersecurity standards. Under CMMC, every DoD contractor and subcontractor is covered, whether or not it handles CDI.
This is likely to be one of the bigger impacts on contractors, because many have been reluctant to allocate the financial resources and have preferred to spend just enough to keep the DoD satisfied. CMMC forces defense contractors to maintain, and where necessary exceed, the current standards on an ongoing basis rather than treating security as a one-time expense.
Cost is certain to have an impact on small businesses. Katie Arrington, DoD’s chief information security officer for acquisition, acknowledged this stating, “We need small and medium businesses in our industrial base, and we need to retain them…We will continue to work to minimize impacts, but not at the cost of national security.”
CMMC could be a barrier to entry for some, but for those who can compete and can afford to invest in technology and processes there will be considerable opportunity. CMMC requirements are not ‘all or nothing’: they are tiered into levels, and costs will likely scale up with each level. To further ease affordability, security will now be an allowable cost on DoD contracts.
Impact on primes and subcontractors
CMMC is designed to create a more level and fair playing field among bidding contractors. Today, a small business can self-attest that it meets the requirements for handling certain types of information when in fact it only plans to meet them, while a competitor has already done the work. Because CMMC certification is verified rather than self-attested, only companies that actually meet the requirements can compete for those contracts.
Subcontractors to a prime contractor will not necessarily need the same CMMC level as the prime to win work. As Arrington has stated, “security is not one size fits all.” The required level depends on how CUI flows between the prime contractor and the subcontractors on a given contract; in some cases a subcontractor may only need to be certified at CMMC level 1.
How can vendors prepare for CMMC?
Every defense contractor should confirm that it meets the basic safeguarding requirements in FAR 52.204-21. Contractors that handle, or may handle, CDI must also continue to meet DFARS 252.204-7012 and the current and forthcoming revisions of NIST SP 800-171.
Many contractors lack the skills or resources to address the requirements of NIST SP 800-171 Rev. 1 or SP 800-171B. For these organizations, the most effective path to CMMC compliance is to outsource the compliance initiative to a qualified provider. Defense contractors operate in a dynamic environment, so technical vendors need to stay involved to ensure compliance is maintained over time, not just at the point of assessment. The effort contractors put toward cybersecurity must be equally dynamic, continually assessing and balancing needs against risks.
If you have plans to compete or recompete on DoD contracts in the future, we want to be your partner in ensuring you are CMMC compliant and audit ready.