Vital Signs 2020: Small Businesses Concerned About New Cybersecurity Certification
This is part three of a four-part series based on "Vital Signs: The Health and Readiness of the Defense Industrial Base," to be released by the National Defense Industrial Association on Feb. 5.
The Pentagon is rolling out new cybersecurity regulations for handling unclassified information that may bar contractors from bidding on future programs if they do not obtain the required certifications.
Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, said it will take until 2025 to fully implement the cybersecurity maturity model certification program, or CMMC.
“If we don’t understand that this is a collective issue, that everybody needs to have cybersecurity requirements and in their day-to-day business, we’re never going to get ahead of this game,” she said in October during an interview with Exostar, a company focused on protecting the supply chain.
The Defense Department plans to tighten its policies as digital warfare becomes more prevalent, she noted. The CMMC will need to be continuously updated to keep pace with changing cyber threats, and these certifications will be especially important as technology continues to advance. One specific threat includes the development of quantum computing, which can be used to break encryption, she said.
“The way it lives in 2020, I hope isn’t the same model that is in existence in 2025 because the threat vectors will change,” Arrington said. “This is electronic warfare. The moment that we move and we’re capable of plugging that hole, our adversary will be … finding a new access point.”
The Pentagon’s supply chain currently consists of about 300,000 companies and about 290,000 of those have no cybersecurity requirements whatsoever, she said. Under the new regulations, Defense Department contractors and subcontractors will need to become certified regardless of the program.
In the National Defense Industrial Association’s new report, “Vital Signs 2020: The Health and Readiness of the Defense Industrial Base,” industrial security for 2019 scored a 64, or a D grade, the lowest among the eight dimensions the report measured.
Current regulations to address these shortcomings are implemented by the Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 and NIST Special Publication 800-171. Companies must safeguard covered defense information, report cyber incidents and facilitate damage assessment, in addition to meeting other requirements.
But the Pentagon has decided that it needs more stringent regulations, Corbin Evans, NDIA’s director of regulatory policy, said in an interview. NDIA is one of the organizations providing feedback on the program. The Defense Department is still finalizing details of the CMMC.
“They have basically decided that this is not working, that this regulatory scheme is not robust enough,” Evans said. “It doesn’t do enough to essentially protect the requirements or protect the data.”
In the future, the new certifications will be baked into program contracts, making them a prerequisite for doing business with the government, he noted.
If the Pentagon remains on track, starting in October 2020 each issued request for proposals would outline which CMMC certification level a company needs to bid on the program, Evans said. These would range from levels one through five, with one being the lightest of security requirements. Less stringent regulations would be similar to those mandated for private homes or small businesses, he noted.
The first version of the CMMC framework will be released in January 2020, according to the office of the undersecretary of defense for acquisition and sustainment’s new CMMC website. By June 2020, these requirements will be inserted into requests for information, the website said.
The Defense Department has not decided on the length of the certification’s validation period.
One example of changes companies may need to make is improving access controls, which could be done by implementing technology that tracks all visitors who have access to a company’s system, Evans noted. Two-factor authentication to ensure server security will be particularly expensive to implement, he said. Many companies will fall under certification level three, which has more regulations than the current rules, he noted.
Michael Flavin, director of IT sales at Saalex Information Technology, said these new requirements will largely affect small businesses because they may not be able to handle the financial burden associated with completing the certifications.
“Say it’s a DoD contractor of like 20 employees,” Flavin said. “To get all of this done, just a gap analysis from a consultant can run $25,000 to $50,000 bucks.”
However, according to the CMMC website, certification costs “will be considered an allowable, reimbursable cost and will not be prohibitive.”
Without obtaining the certifications, many companies will be unable to participate in future competitions, Flavin noted. The CMMC website says businesses could be disqualified.
“They can’t bid on it” or recompete for contracts, he said. “It really could suck the lifeblood out of a company.”
Additionally, the CMMC effort will be a big change because many companies are still working on coming into compliance with current cybersecurity guidelines, he noted. This doesn’t necessarily mean that companies have not implemented any security features such as firewalls and encryption, he said, but many steps required by the current rules “probably haven’t been done, which is why they’re saying the vast majority are not in compliance.”
Based on informal discussions at industry events, many small business members with fewer than 100 employees do not seem to understand technical controls for protecting data, Flavin said.
“It was shocking to me. … These people would become a deer in the headlights,” he said. “These people have just not kept up with the pace of cybersecurity and risk-based cybersecurity philosophies.”
For existing contracts, Evans said the Defense Department plans to insert the certification requirements during renegotiations. Officials will begin by working on high-priority contracts, which include major weapons programs.
“They will essentially go contract by contract for renegotiations if they are multi-year contracts,” he said. “Then they’re going to roll this out starting … with the most sensitive contracts and then moving … all the way down to apparel supplies.”
This is expected to be a major change for many firms, he noted.
“The boots lace supplier will have to be CMMC at least level one compliant,” he said.
The present October 2020 timeline may be “aggressive or optimistic,” Evans said.
“This is an area where we understand and are sympathetic to the security concerns,” he added. “But we are worried about the negative impacts of rolling this out department-wide and essentially pushing people out of the defense industrial base.”
Arrington said to create the CMMC, the Defense Department was inspired by international cybersecurity standards such as the United Kingdom’s General Data Protection Regulations.
“We took those standards into creating what is now the CMMC,” she said. “Our international partners are looking to adopt the CMMC and integrate it, and we’ve done our best to try and incorporate all the different standards into the model.” That includes NATO, she added.
Auditors from a third party will assess whether companies meet requirements, Arrington said. The Defense Department has already put out a request for information asking industry about creating an accreditation body that will be responsible for training companies and individuals on how to become auditors, she noted. Training will run from this January to April or May.
“We in the Department of Defense know very well that we are not set up or resourced to do these certifications and audits of 300,000 companies,” Arrington said. “As it is, our $750 billion budget doesn’t really cover all that we need to do. So we needed to look outside.”
However, higher level assessments may be conducted by organizations such as the Defense Contract Management Agency or the Defense Counterintelligence and Security Agency, the CMMC website said. Companies’ certification levels will be made public and firms will not be allowed to certify themselves. Auditors will make a “go/no go” decision rather than providing a score.
Arrington said program managers will also be taught how to determine which companies need to meet certain cybersecurity levels.
“Why would you need to put a CMMC level five on someone who’s … selling pens to the government?” she said. “That’s not obtainable and we need to teach our PMs to do that.”
The Defense Department hopes to help industry develop critical thinking skills about cybersecurity and cause a cultural shift by implementing these certifications, Arrington said. A company should already have its own basic cybersecurity policies in place by the time it reaches level two, she noted. Most companies will not be asked to obtain the highest certification.
“It’s very expensive and very hard to obtain that,” she said. “To have the capability at CMMC level five — to have a 24-hour, seven day a week stock capability — isn’t something that we would even think to ask of most contractors.”