Association to Focus on Proposed Cybersecurity Rule

By Michael Bayer


The cyber threat is long past the emergent or developing stage. It has been maturing for some time. While its “guns” go unheard, it is real, and it often comes with more devastating consequences.

It is also a contested domain with a multi-decade struggle for influence that will have a direct impact on our national destiny.

There are many bad actors, but China and Russia have focused their efforts on strategic ways to achieve their objectives. Both are executing well-developed cyber-enabled regional and global “gray zone” strategies at scale against the United States and its allies. These threats are real and are not “unknown unknowns.”

From an economic and security perspective, it is vital we protect our nation’s critical data and networks. We cannot afford to allow a pacing adversary or near-peer competitors to steal intellectual property, personal health and financial information, or undercut our military’s competitive advantage on the battlefield. For these reasons, the National Defense Industrial Association and its members long ago committed to the necessity of securing the data and systems that power the defense industrial base, as well as the platforms, infrastructure and services that support warfighters.

Simultaneously, to avoid extraneous costs and burdens on industry, we have also been vigilant to focus our resources and efforts to prioritize protecting the critical information and systems that truly matter.

Our member companies understand that they are being targeted every day in cyberspace. They take an enterprise approach toward cybersecurity, are personally engaged and consistently communicate expectations. They select leaders who understand the threat and set priorities and incentives that reflect the centrality of information to the success of their operations. They hold everyone accountable for cybersecurity and demand education, training and constant testing of their workforce at every level.

They establish clear and enforceable standards and set priorities for what information must be protected. They establish organizational structures and processes that optimize alignment of responsibility, authority and accountability. They maintain good situational awareness of their organizations’ cyber-health and factor cybersecurity into every decision they make.

They also know that information security is furthered through authentic public-private collaboration, and it can fall short when industry is not allowed to be a strategic partner.

The process of implementing the long-anticipated Cybersecurity Maturity Model Certification, or CMMC, program is a perfect example of the need for industry and the government to collaborate and do so in a way that is both supportive and inclusive of the economic realities of all strategic industry partners within the defense industrial base, including small businesses.

In December, the Defense Department released the proposed rule to implement CMMC 2.0. The CMMC program is intended to verify that contractors are meeting cybersecurity requirements. This is a high-priority focus for the association because the verification program adds costs and requirements to member companies.

According to the department’s estimates, the defense industry will face an annualized cost of around $4 billion to implement CMMC 2.0. This cost estimate does not include the compliance costs associated with the underlying cybersecurity requirements already spelled out in federal regulations.

And unfortunately, despite this significant financial impact, the comment period gave industry just 60 days to review and comment on the newly proposed rule, eight CMMC guidance documents and a request for additional information collection from industry.

The continued flux and uncertainty in the scope and application of cybersecurity requirements and the lack of a well-understood implementation plan continue to drive significant uncertainty for U.S. defense companies. The department and industry must partner to fully identify, understand and prioritize both the data government and industry need to protect and how that data should be protected.

Collaborating with industry as true strategic partners will help ensure we secure the necessary data and systems to maintain national deterrence and warfighting technological advantages while avoiding unnecessary burdens that will regulate innovative companies — especially small businesses and startups — out of their ability to support the Defense Department and its mission.

This is vital work, and we hope you will join our experts who will spend much of this year working on this issue.

At the same time, we have another high impact series of conferences underway. Plan on joining us in Charlotte, North Carolina, Feb. 26-28 for the 2024 Tactical Wheeled Vehicles Conference. This extraordinary event brings together leaders from the Pentagon, the military services, industry, suppliers and academia to discuss present and future tactical wheeled vehicle requirements.

In addition, do not miss out on joining NDIA and U.S. Indo-Pacific Command for the 2024 Pacific Operational Science & Technology (POST) Conference held March 4-7, in Honolulu, Hawaii. This annual conference promises to deliver an unparalleled platform for collaboration, innovation and exploration of opportunities for joint research, development and experimentation.

In addition to panels and break-out sessions, POST includes a one-of-a-kind mobile classified reading room for authorized attendees to gain insights into the capability priorities and requirements of the combatant command.

Also, POST Field Experimentation (POST FX) provides industry and academia guests with a unique opportunity to focus on accelerating innovation, including in areas such as biotechnology, quantum science, future generation wireless technology, trusted artificial intelligence and autonomy.

Your NDIA is off to a fast start in 2024. Please join us!

Michael Bayer is NDIA board director and president and CEO of Dumbarton Strategies.

Topics: Cybersecurity

Comments (1)

Re: Association to Focus on Proposed Cybersecurity Rule

CMMC is a burden imposed on the industry with no understanding of the cost or benefit. There is zero/zip/nada/zilch empirical data for either side of the equation. The government cannot keep its own data private, but wants to be able to impose barriers and fines on businesses who fail to meet its arbitrary rules.

Charles Weis at 6:09 PM