Defense Dept. Sets Course on Cybersecurity Evaluation, Enforcement

On a limited budget, government contractors need to be compliant with a litany of statutes, regulations and industry standards in order to remain competitive. This has become particularly true in the cybersecurity context.

With no overarching federal law for cybersecurity standards or privacy protection (though the U.S. Senate is in the process of discussing a bipartisan privacy bill as they have done, unsuccessfully, in prior legislative sessions), rulemaking authorities have moved to create regulations governing cybersecurity and data privacy.

Some regulations applicable to government contractors, but by no means exclusively, are found in the Federal Acquisition Regulation and Defense Federal Acquisition Regulation Supplement (DFARS).

In this labyrinth of cybersecurity requirements, the Defense Dept. (DOD) often takes the lead in promulgating guidance, so it is beneficial to look to DOD and the defense industrial base for the future of cybersecurity. This future may come with DOD’s upcoming Cybersecurity Maturity Model Certification (CMMC), which could fundamentally alter DOD government contract awards and maintenance.

Where are we now?

DFARS 252.204-7012 and the incorporated security requirements in the National Institute of Standards and Technology Special Publication 800-171 (collectively, the DFARS Rule) are currently the driving force in DOD cybersecurity compliance, setting forth 110 security controls. Responses can be tailored to entities of all sizes.

The DFARS Rule requires government contractors only to self-certify their compliance, and it gives the government no significant ability to conduct reasonable audits.

For many contractors, the result is a system security plan that represents an ad hoc attempt to satisfy the contractual requirement at minimal cost, with little thought for implementation.

The benefit of the DFARS Rule, however, has been the flexibility in implementation and the acknowledgment that cybersecurity standards should modulate based on the type of information being secured.

That flexibility has led to uncertainty as to how outside observers measure a government contractor’s security controls. Uncertainty, coupled with the ever-growing threat of cybersecurity intrusions, has long fostered within the defense industrial base a sense that heightened standards are inevitable. They may now be imminent.

Where are we going?

More likely than not, government contractors already have heard references to CMMC. Government contractors are also likely aware of the underlying rationale for why a new standard is needed.

Simply put, the current standard is not working. CMMC is meant to increase the efficacy of the defense industrial base’s cybersecurity initiatives, create more accountability in prime contracts, serve as the new standard and become an enforcement mechanism.

While the CMMC has not been published, we do know certain material aspects. For instance, we know that both the Johns Hopkins U. Applied Physics Laboratory and Carnegie Mellon U. Software Engineering Institute have been involved with the review and combination of the various cybersecurity standards into one unified standard.

That “unified standard” will have levels meant to demonstrate an entity’s cybersecurity posture, with the lowest level signifying basic cybersecurity hygiene and the highest level signifying state-of-the-art controls. All levels will capture security controls and the institutionalization of processes that enhance cybersecurity within the defense industrial base.

Importantly, the CMMC will include the development of third-party cybersecurity certifications, audits and tools that will allow for the accurate collection of metrics associated with a government contractor’s cybersecurity position. Certification will be a significant differentiator when contractors bid for work with DOD as a prime or as subcontractors, because the CMMC will be required to flow down to all subcontractors. It certainly represents a significant step toward bolstering the cybersecurity of the defense industrial base, as companies will be required to be certified before they can compete for contracts.

Who is going to pay for this?

While there has been some indication from DOD that the costs associated with improving cybersecurity will be reimbursable for government contractors, there is nothing definitive enough to rely upon. Further, those contractors who have already expended resources to bring their entities into compliance may not be incorporating applicable cybersecurity costs in their proposals, thereby potentially presenting a more competitive bid. With the compliance framework taking shape, it would be prudent for government contractors to take the proactive steps necessary to set aside resources such that when the CMMC is published, the resources are there to adequately respond and maintain eligibility for DOD contracts.

Conclusion

Cybersecurity increasingly will become an area of evaluation in the federal government marketplace for all businesses, large and small. While many of the current requirements can be tailored to accommodate differing levels of enterprise sophistication, the baseline cybersecurity requirements are going to be elevated.

Accordingly, government contractors must take the necessary steps to understand the scope of the statutes, regulations and guidance applicable to their business and industry, and then implement the policies and procedures required to remain a competitive bidder.

~by David Shafer, associate, PilieroMazza PLLC