New Cybersecurity Standards Pose Challenges for Industry
The Defense Department in late January released its highly anticipated new set of cybersecurity standards that companies must eventually adhere to if they want to do business with the Pentagon. But important issues have yet to be resolved, including how much it will cost contractors to comply.
Cybersecurity Maturity Model Certification version 1.0, or CMMC, is an effort to prod the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China.
The lower tier of the supply chain is of particular concern.
“Adversaries know that in today’s great power competition environment, information and technology are both key cornerstones [of national security], and attacking a sub-tier supplier is far more appealing than a prime,” Undersecretary of Defense for Acquisition and Sustainment Ellen Lord told reporters at the Pentagon during a briefing about the new model. “We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down.”
CMMC combines multiple cybersecurity frameworks, including NIST Special Publication 800-171, into one unified set of benchmarks. The specific standards that must be met will depend on the program and specific work that a company will be doing, said Katie Arrington, chief information security officer in the acquisition and sustainment office.
“Cybersecurity is not one-size-fits-all.”
The level 1 standards will be the least demanding and level 5 the most burdensome.
Level 1 will be focused on “basic cyber hygiene” practices such as using anti-virus software and regularly changing passwords. Level 2 will require “intermediate cyber hygiene” and serve as a stepping stone to level 3, where the bar will be much higher.
“It’s a big move from level 1 to level 3,” Arrington said. “You’re moving from 17 to over 110 controls.”
Corbin Evans, director of regulatory policy at the National Defense Industrial Association, said level 3 is what the Pentagon expects a plurality of the defense industrial base to achieve. NDIA was in close communication with the department and provided feedback on CMMC drafts that were circulated prior to the release of version 1.0.
Standards for levels 4 and 5 are even more stringent and will be imposed on “very critical technology companies” working with the most sensitive information, Arrington noted.
Third-party assessors, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts.
The new model will be phased in over the next five years to give contractors time to adjust.
“Obviously this is a complicated rollout for industry and we’re being realistic in terms of making sure we have pathfinder projects, and then we implement it and learn, get the feedback and go on,” Lord said.
By fiscal year 2026, all new Defense Department contracts will contain CMMC requirements that companies must meet to win the award.
However, the new requirements will be included in requests for proposals for about 10 pathfinder projects in the September timeframe. The pathfinders are expected to impact about 150 contractors per contract — a total of 1,500, Arrington said.
Evans said it could be challenging to get that many contractors CMMC certified by then.
“We think the implementation of this, especially putting RFPs into place by the October ’20 timeframe, is going to be a real uphill battle,” he said. “It’s our understanding that your average level 3 certification will take between three or four business days just to conduct the on-the-ground inspection. … There’s going to be a lot of effort required for us to get to that number.”
In the coming years, companies trying to get up to speed may be in for a rude awakening, experts say.
The consulting firm Tier 1 Cyber in November conducted a survey of 150 government contractors and released a report titled, “Cybersecurity Preparedness: Perception vs. Reality.”
“Our survey discovered that respondents had a false sense of their cybersecurity preparedness,” said the study. “Nevertheless, 27 percent of respondents admitted they are unprepared for a cyber breach.”
Lord noted that the Pentagon conducted extensive outreach to industry and other stakeholders before it issued the new CMMC standards. However, 58 percent of contractors surveyed were unfamiliar with the initiative, according to the Tier 1 Cyber study.
“Despite the massive impact CMMC will have on all government contractors, … our DoD survey participants were largely unaware of CMMC,” the report said. “In fact, only a quarter could correctly identify the acronym.”
The poll also highlighted industry concerns about the supply chain.
“Only 12 percent of DoD contractors were confident in the cybersecurity of their vendors,” the report said. “The vast majority expressed no confidence, reservations, or not enough knowledge.”
NDIA, in partnership with the supply chain performance management firm Verify, has been conducting its own industry survey, which examines the hurdles that many companies will have to overcome to become CMMC compliant.
More than 40 percent of the roughly 300 respondents so far said they have only between one and 10 individuals dedicated to information technology, and 10 percent did not have a dedicated IT professional at all, according to Evans.
That is “certainly a worrisome response there because ... it’s going to be difficult to comply with CMMC without at least one dedicated IT professional on your team,” he said.
About 44 percent of respondents said they were still working to meet the NIST 800-171 requirements — which are expected to be part of level 3 CMMC standards. Forty-one percent said their cyber incident response plan was a work in progress, and only 20 percent said they have an incident response plan in place. A sizeable number also said they haven’t been flowing down robust cybersecurity requirements to their subcontractors, Evans noted.
“That speaks to where folks are … [and] the floor that they’re kind of operating on,” he said. “We can assume that that subcontracting base is operating on a pretty low foundation, as far as their level of cyber controls they have in place currently. So they’re probably going to see a large delta in the amount of work that they need to do just to get up to CMMC compliance, but also the costs associated with that.”
A number of factors will affect the price tag, including where companies stand now with their cybersecurity and the level they are trying to reach.
“If I’m a small business looking to get CMMC, let’s say level 3 compliant, and I’m starting at a foundation of essentially zero, I think the costs are going to come in a few different camps,” Evans said.
One is the hiring of outside consultants to help contractors reach the required security level.
“That knowledge is going to be hard for you to come by just being a small business owner or small business leader,” Evans said. Firms will also need dedicated IT staff in-house to keep up with the requirements.
Additionally, there are subscription services that are required for compliance with a number of these controls, such as active encryption software, he noted. Those will impose a continual cost on companies that need to keep their protections up to date.
Contractors will also have to pay to have their cybersecurity systems inspected and certified by the third-party assessors. “That one is an unknown as to how much that’s actually going to cost,” Evans said.
The certifications are expected to be valid for three years before they must be renewed.
Becoming CMMC compliant could be more expensive than the Pentagon anticipated, Evans said, and it remains to be seen who will ultimately bear the cost — contractors or the government.
“Initially they had a number that was in the low thousands [of dollars] to get CMMC compliant,” Evans said. “I can tell you that from my conversations with NDIA members that have implemented NIST 171 up to the full 110 controls — so essentially getting themselves level 3 compliant — they’re looking at about $250,000 to do that.”
Some firms could opt not to do business with the Pentagon rather than shell out large sums of money to meet the new standards, especially if they have a customer base in the commercial sector, Evans said.
“If not handled carefully and … brought to small businesses in a way that can usher them through the program in a way that they can absorb the costs — whether it be over time or some sort of cost sharing or reimbursement mechanism with the department — we think [CMMC] will chase them out of the defense marketplace,” he added.
The Pentagon is working on ways to ensure that complying with the new rules won’t be cost prohibitive, Lord noted.
“One of my biggest concerns is implementing CMMC for small and medium businesses because that’s where a large part of innovation comes from,” she said. “We need small and medium businesses in our defense industrial base and we need to retain them.”
Prime contractors have come up with ideas about how to more cost-effectively accredit the lower-tier suppliers they work with, including ways to streamline the certification process, she noted.
But nobody can sidestep compliance.
“We understand that CMMC could be a burden to small companies particularly, and we will continue to work to minimize impact — but not at the cost of national security,” Lord said.
Evans said primes will likely have an easier time meeting the requirements because they already have relatively robust security systems in place and extensive in-house IT expertise. However, no one is getting away scot-free, he noted.
“The primes and these traditional actors are typically going to enter at the level 4 or level 5 level of CMMC, which is going to be quite a bit more onerous and expensive to comply with most likely than even what they’re currently doing now,” he said. “The delta between level 3 and level 5 is going to be pretty large in terms of costs and complexities of controls.”
Level 5 would be an exclusive club, Evans said. “I’ve not heard of any company having that level of robust security on their unclassified systems.”
However, for some firms and individuals CMMC could provide a financial windfall, as 300,000 contractors in the defense industrial base move to come into compliance with the new standards and get certified.
“It’s certainly a good time to be a cyber consultant or a cybersecurity expert in this space,” Evans said. “A lot of NDIA members have reached out to us that offer these services. So we know that they’re certainly out there, and I think they’re going to be very useful to companies. That’s going to be a pretty lucrative business to be in as companies kind of go through this initial adoption period over the next four or five years.”
Lord said a number of firms are interested in being third-party assessors, but the department had not yet officially determined who is qualified.
CMMC is expected to evolve over time, as indicated by the Pentagon’s reference to the recent release as version 1.0.
“Since this is a big, complex issue, I think we’re going to see kind of some trial and error,” Evans said. “I’m sure there will be some missteps in the coming year on both the part of the department and industry, … so I think there will be some changes there.”
Lord said industry associations like NDIA will play a key role as intermediaries between the Pentagon and contractors as CMMC is rolled out.
“The role that we look to continue to play is … to transmit what’s coming out of DoD, translate it for our membership, ensure that they know what’s going on and they know what requirements they will be expected to comply with,” Evans said.
Also, the association will look for the downsides and communicate unintended consequences to the Defense Department. “What’s the cost piece? Are there companies that are actually going out of business or leaving the defense marketplace as a result?”