The Department of Defense (the “DoD”) plans to release the standards at the end of January 2020 as it rushes toward a new requirement for universal auditing of contractors’ cyber safeguards by this summer. The military’s vast commercial supply chain has emerged as a critical national security weakness, and a total of about 300,000 contractors will be subject to the cyber auditing and certification.
“This can be a burden to small companies, particularly,” Pentagon acquisition chief Ellen Lord said in December at a Press Briefing on Defense Acquisition. “So we have been working with the primes, with the industry associations, with the mid-tiers, with the small companies on how we can most effectively roll this out so it doesn’t cause an enormous cost penalty for the industrial base.”
The Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (“CMMC”) program establishes security as a foundational element of acquisition and combines the various cybersecurity standards into one unified standard to secure the DoD supply chain. The CMMC framework will require any company in the DoD supply chain to become certified before it can do business.
Companies will be certified in five tiers, with level 1 being the lowest and level 5 being the most stringent cybersecurity rating for the most sensitive operations. The Pentagon has spent more than a year speaking with industry and releasing initial plans for the certification process.
“From the contractor’s perspective, this is being framed as a go, no-go decision on your ability to be awarded a contract,” said Corbin Evans, the director of regulatory policy for the National Defense Industrial Association. “The stakes really can’t be higher than when it comes to your ability to continue to do business with the department.”
Many large defense contractors have already bolstered themselves against foreign intrusions aimed at stealing intellectual property or sabotage. But many smaller companies are alarmingly unprepared, experts testified last year to the Senate Armed Services Committee.
Those smaller companies often work as subcontractors and handle what is called controlled unclassified information about Pentagon systems and manufacturing, making them “prime targets” for foreign hacking, Christopher Peters, CEO of the Lucrum Group who spent two years studying the vulnerabilities, told senators in March.
Insecurity in the DoD Supply Chain

The CMMC framework’s release follows watchdog reports that called out insecurity in the DoD supply chain because of contractors not following cyber standards. The DoD Inspector General (“IG”) released a report on July 25, 2019, after reviewing how DoD information is protected on contractors’ networks and systems. The IG found that contractors were not consistently adhering to DoD’s cybersecurity standards, which are based on controls created by the National Institute of Standards and Technology.
Specifically, contractors failed to use multifactor authentication, enforce strong password use, identify and mitigate vulnerabilities, and document and track cybersecurity incidents. Administrators also improperly assigned access privileges that did not align with users' responsibilities, the report stated. According to the IG, the department “does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.”
Policymakers’ concern over the potential for adversarial nations to steal U.S. secrets by targeting contractors is not a new development. However, two recent incidents have spurred greater urgency around the topic: (1) reports that in 2018, Chinese hackers stole “massive” amounts of sensitive data from the unclassified networks of a contractor working for the Naval Undersea Warfare Center; and (2) a 2019 internal review by the Navy that found Chinese hackers were pilfering so much intellectual property and so many classified secrets from the Defense Industrial Base that it was “materially eroding” U.S. economic and military advantages.
Current Status

The certification requirements will be phased in, and the first Pentagon requests for proposals and quotes that include the tiered certification requirements could come later this year. For now, many questions remain regarding the auditing and certification process. That process will be handled mostly outside the Pentagon and is coming into focus as the framework is released.
“There’s no question that the Department has laid out a very aggressive time frame for initiating the CMMC program,” said Alan Chvotkin, the executive vice president and counsel for the Professional Services Council.