These are the words right out of the mouth of Katie Arrington, the Pentagon’s Chief Information Security Officer for the acquisition policy office. Katie reports up to Kevin Fahey, the Assistant Defense Secretary for Acquisition. He is the guy who is responsible for making sure that the Pentagon spends those hundreds of billions of dollars a year responsibly.
She has been leading the charge for the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC). The plan is for the Pentagon to require that EVERYONE in the DoD supply chain, from the company providing nuts and bolts to the company writing complex software, be certified. There are 5 CMMC certification levels, depending on the risk that a supply chain provider represents.
The current plan is that the new standard will come out early next year, start being included in RFPs in mid-2020 and become part of contracts starting in late 2020 (FY22). For more information check out our CMMC web site.
Currently, companies who have classified contracts or handle controlled unclassified information have some cybersecurity requirements, but 290,000 defense contractors and suppliers have no requirements right now.
While it is likely that this will be phased in on new contracts and higher risk contracts first, Katie says that by 2025 it will be fully rolled out across the entire defense contractor space. Given the requirements to become certified, now is the time to start planning, even if you think you, as a supplier, won’t be required to be certified until, say, 2022.
From a cost standpoint, DoD understands that contract awards today are based on cost, performance and schedule, but they plan to add security as a fourth pillar and they understand that it will cost both you and them money. That does not mean that you will have a blank check – you won’t – but it does mean that since the DoD standards are higher than general industry, they will have to pay some portion of that cost.
Regarding the pain part, it will be painful. Companies will need to implement new rules, those rules will affect employees, and there are likely at least some things that employees will not be able to do any more. In addition, companies will either need to add staff to manage these security requirements or outsource that management.
Katie says that the DoD has the ability to FINE companies for selling products with security defects, and companies should not underestimate its willingness to use that legal ability.
DoD has struggled since 2013 with improving their Defense Industrial Base’s security practices first by changing the DFARS, the regulations that defense contractors have to follow, then by creating a NIST guide (which is self certified) and now with a standard that requires annual third party certification. All the while China has been stealing $500 billion a year or more in intellectual property. Third party certification is the kicker with this rule. People tend to stretch the truth when they self certify, but a third party that runs the risk of getting their certification rights revoked if they stretch the truth is much less likely to stretch things.
CMMC does not have any exclusions for small contractors. They have to meet the same standards as Lockheed does. Since small business systems are less complex, it will be easier for small businesses to meet those standards, but it will not be free and it will not be painless. Small companies have less internal sophistication and fewer internal resources, hence the pain part.
So, if you are in the defense supply chain at any level, become educated and start getting compliant. Or run the risk of getting kicked out of the DoD supply chain.