Defense Department Will Likely Require Cybersecurity Capabilities for All Defense Contractors in 2020

The Defense Department expects that by June 2020, industry will see cybersecurity requirements included as part of new requests for information, which typically serve as one of the first steps in the awarding of new defense contracts.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, said the new cybersecurity maturity model certification program is a critical part of ensuring that companies hoping to do business with the department meet important cybersecurity requirements.

“The cybersecurity maturity model certification, or CMMC program, establishes security as the foundation to acquisition and combines the various cybersecurity standards into one unified standard to secure the DOD supply chain,” Lord said.

She said the program will establish five levels of certification tailored to the criticality of a system or subsystem that a contractor might hope to do work on. The CMMC framework was developed by working with the defense industry, leadership on Capitol Hill and engagement with the public.

“These levels will measure technical capabilities and process maturity,” Lord said. “The CMMC framework will be made fully available in January 2020.”

The program’s concept is designed to ensure that any business doing work for the government can demonstrate that their computer networks and cybersecurity practices are up to the task of defending against intrusions by adversaries who want access to information about government contracts and weapons systems development.

“Cybersecurity is a threat for the DOD and for all of government, as well as critical U.S. business sectors, such as banking and healthcare,” Lord said. “We know the adversary is at cyberwar with us every day. So, this is a U.S. economic security issue, as well as a U.S. security issue. When we look at cybersecurity standards, I believe it is absolutely critical to be crystal clear as to what expectations [and] measurements are, what the metrics are and how we will basically audit against those.”

The government itself won’t audit potential contractors for compliance with the program’s standards. Instead, a third party will perform those audits. Lord said DOD is working with multiple companies that are interested in performing that work, and she said she expects a decision by January.

Lord said DOD expects some challenges for small businesses to meet the program’s requirements. DOD is aware of industry’s concerns, and efforts are being made to alleviate some of those concerns, she said.

“We know that this can be a burden to small companies, particularly, and small companies is where the preponderance of our innovation comes from,” Lord said. “So, we have been working with the primes, with the industry associations, with the mid-tiers, with the small companies on how we can most effectively roll this out so it doesn’t cause an enormous cost penalty for the industrial base.”