The Evolution of Cybersecurity as a Foundation in DoD Acquisition

This article was provided by Leon Jaimes with Sollievo IT, LLC of Anchorage. The cybersecurity posture of the United States is undergoing a historic transformation. Department of Defense Acquisition and Sustainment officials have indicated that however painful the transition process may be, the current status quo is no longer acceptable. It is not sustainable to continue to allow our nation-state adversaries and criminal organizations to leverage cybersecurity weaknesses to exfiltrate capabilities and intellectual property developed by the United States. This is the challenge that the Cybersecurity Maturity Model Certification (CMMC) addresses.

I attended the project kickoff for the CMMC accreditation body in Arlington, VA, and one of the key takeaways is that while the CMMC is applicable only to DoD contractors right now, a future goal for the accreditation body is to build a scalable model for accreditation for other government agencies and international entities. This is a clear signal that the cybersecurity threat extends beyond the Defense Industrial Base (DIB), that the US government is aware of the risk, and that it is moving to mitigate the risk by either extending the CMMC or implementing similar programs.

In January 2019, Katie Arrington was appointed to a newly established position, the CISO for Assistant Secretary for Defense Acquisition. Ms. Arrington comes from a background of running a company whose focus was cybersecurity software for DoD. She was selected as a Highly Qualified Expert (HQE) and her primary role is to lead a small team in an aggressive rollout of new cybersecurity standards to protect the DoD supply chain, which she named the Cybersecurity Maturity Model Certification.

Cybersecurity threats cost money. Organizations of all types and sizes struggle to effectively defend themselves, the threats continue to advance, and the attack surface is expanding. Three primary factors are driving the escalation in enforcement of cybersecurity for the DoD. First, Katie Arrington has repeatedly stated that the United States’ adversaries are exfiltrating the equivalent of about $600 billion a year with cybersecurity attacks – a cost of $4,000 per year for each U.S. citizen. Second, even with existing cybersecurity requirements for DoD contracts, the DFARS 7012 clause and NIST SP 800-171, the vast majority of companies in the DIB employ only inconsistent cyber hygiene practices, and low-level attacks succeed consistently. Third, as Artificial Intelligence (AI) and 5G connectivity become more prevalent in the technology landscape, the cybersecurity threat capabilities of adversaries will increase and the attack surface for American companies will increase. While these are the factors driving the CMMC, they are uniform across all industries.

Comprehensive cybersecurity must be foundational to operations. Where does that leave the Defense Industrial Base (DIB) and organizations across the country? The CMMC slide deck now shows the three pillars of acquisition (cost, performance, and schedule) built on a foundation of cybersecurity. Many organizations have not even attempted to implement adequate cybersecurity. Some organizations have tried but failed to do so successfully. However, there are some who have been able to successfully implement cybersecurity programs which are both effective and advance the mission of the organization. The historic shift that is happening now will increasingly hinder organizations in their general operations if they neglect or fail at cybersecurity. We will see an increase in the number of opportunities that will be unavailable to organizations that have not implemented cybersecurity basics. The way new organizations launch will evolve and adapt to this new reality as those who operationalize their cybersecurity from inception achieve a significant competitive advantage over those who do not.

To learn more about the CMMC, visit the CMMC FAQ here: https://www.acq.osd.mil/cmmc/faq.html. Leon Jaimes with Sollievo IT, LLC dives into aspects of preparing for the CMMC in a blog post here:

Cybersecurity Maturity Model Certification (CMMC) Readiness