Here's what the Pentagon is telling firms worried about meeting the new cybersecurity standards that will decide who does business with the US military

Advertisement
Here's what the Pentagon is telling firms worried about meeting the new cybersecurity standards that will decide who does business with the US military

The Pentagon is seen in this aerial view in Washington

AP Photo/Charles Dharapak

The Pentagon is seen in this aerial view in Washington

Advertisement
  • The Pentagon is preparing to radically overhaul its cybersecurity standards for contractors, and these new standards will eventually become a determining factor on who does business with the Department of Defense.
  • Some firms, small businesses in particular, have expressed concerns about the Cybersecurity Maturity Model Certification (CMMC), characterizing it as an unfair barrier to entry for business with the US military.
  • Kate Arrington, the special assistant for cybersecurity in the office of the under secretary of defense for acquisition and sustainment, said that most defense contractors will be asked to maintain only basic cyber hygiene while those that require higher levels of certification will be asked only to uphold the standards they are supposed to be meeting now.
  • "I am not understanding what the problem is," Arrington said Thursday, explaining that this is necessary and is definitely happening.

The Pentagon is pushing ahead with plans to roll out new cybersecurity standards that will be a decisive factor in determining who does business with the US military.

The Cybersecurity Maturity Model Certification (CMMC) is an attempt to create unified, tiered contractor cybersecurity standards across the Department of Defense, but some companies have expressed concerns. The Pentagon, one official explained Thursday, is "moving out on this" regardless, and contractors will need to adapt.

"We are going to put cybersecurity standards in every Department of Defense contract," Kate Arrington, the special assistant for cybersecurity in the office of the under secretary of defense for acquisition and sustainment, said Thursday at a defense symposium in Washington, DC.

The CMMC is an effort to address gaping vulnerabilities in the supply chain, weaknesses that are being exploited by US rivals.

Advertisement

Arrington called attention to the estimated $600 billion lost each year to intellectual property theft. After taxes, that works out to about $4,000 per US citizen.

Due to lax DoD and industry cybersecurity standards, roughly "$4,000 of your hard-earned tax dollars have gone overseas, outside the United States," she said, explaining that IP theft and data loss are supporting "our adversaries, namely China, in building ... I won't say the name of it, but there is a plane in China that looks suspiciously like the F-35."

The CMMC - a five-tiered program ranging from basic cyber protection to the current 110 control protocols of the NIST SP 800-171 (Special Publication 800-171 from the National Institute of Standards and Technology) to the special capabilities required for critical technologies - will be rolled out next summer.

The program will be implemented gradually over a five-year period. "We are not turning on a light switch in 2020. We are going to start this process in June 2020, and we are going to start rolling it out in very specific contracts," Arrington explained. But, CMMC certification "will become a go/no-go decision."

"Every company in the supply chain is going to need to get CMMC certified," she added, further explaining that the certification will be good for three years. "You're either certified to do the work, or you cannot bid."

Advertisement

Arrington estimates that around 90 percent of the 300,000 contractors who work for the Department of Defense will require only CMMC 1 certification. Only about 12,000 would need to meet CMMC 3 requirements, and a significantly smaller number would require CMMC 4 or 5 certification.

Since the Pentagon announced plans to implement new cybersecurity standards, some companies have expressed concerns that CMMC will become an unfair barrier to entry to doing business with the Pentagon.

"I am not understanding what the problem is," Arrington said Thursday.

"I have had people say to me, 'As a small business, I'm just not set up to do it," she said. "If you are not doing basic cyber hygiene, you might want to reconsider why you are in business."

As for the companies that require higher certification levels, Arrington insists that this is about accountability, not raising the bar since CMMC 3 is equivalent to the existing NIST 171 qualification. The only difference is that there will be an auditor checking to see if the company is maintaining the required standards.

Advertisement

Contractors have previously insisted that they had met all Department of Defense demands when in reality they had only met about 72 percent."Do you think China is sitting in the back, saying I'll come back when you're ready?" Arrington asked. "They are walking through those like Swiss cheese."

The CMMC is expected to introduce a new accountability process to better ensure that contractors are meeting the DoD's expectations.

"Will it be painful at first? Probably," Arrington said. "When industry makes a demand, the markets acquiesce. And, when we set the standard, the market will be there."

She added that the Pentagon will take steps to work with businesses to help them meet the new standards.

The Pentagon plans to start training auditors in January so that they are ready by the roll out in June and the introduction of the new CMMC requirements into "requests for proposals" toward the end of next year.

Advertisement

"We have to get good, and we have to get good quickly," Arrington said. "What we've created with the CMMC is hopefully going to help you get better at your business and then, in turn, help us protect what we need to protect more easily and more aggressively."

{{}}