Page 19 - FCW, August 2019

Contractors will face big changes and tight timelines next year when the Defense Department institutes its new Cybersecurity Maturity Model Certification framework. Announced by DOD officials in June, the framework seeks to certify companies’ compliance with federal cybersecurity regulations for controlled unclassified information (CUI). It will be used to evaluate and rate contractors’ ability to protect sensitive data on a scale of 1 to 5.
The initial version of the framework is scheduled to go public in January 2020. By June, its requirements will start appearing in requests for information, and it will become a regular feature of defense procurement by September. That means defense contractors will have less than eight months to implement the necessary changes to ensure that they comply with the Defense Federal Acquisition Regulation Supplement’s and the National Institute of Standards and Technology’s guidance on protecting CUI.
“Any timeline would seem ambitious. One that looks to have this in operation by 2020 [is] going to be difficult,” said Robert Metzger, a lawyer specializing in government contracts and commercial litigation and a consultant at Mitre who focuses on supply chain security issues. “Naturally, industry has a lot of questions about the mechanics.... Companies are understandably uncertain as to how these changes will affect what they’re doing, how they will demonstrate eligibility for contracts and what the costs might be upon their operations.”
‘Cybersecurity is not free’
High costs, confusing guidance and low return on investment have all been cited as reasons for compliance challenges among defense contractors. Traditionally, DOD has declined to cover the costs associated with implementing acquisition regulations related to CUI cybersecurity, but that has slowly changed over the past 12 months as military contractors have faced unprecedented attacks from foreign-sponsored hackers.
Last year, then-Deputy Secretary of Defense Patrick Shanahan expressed reluctance on the part of DOD to help contractors cover added costs for cybersecurity, saying it should be a baseline expectation in contracts.
However, at a Professional Services Council event earlier this month, Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber, announced that the department would allow contractors to write off a portion of their cybersecurity spending for government contracts, including implementing NIST guidance.
Alan Chvotkin, executive vice president and counsel at the Professional Services Council, welcomed the shift, telling FCW that it would be contradictory for DOD to refuse to provide financial incentives for cybersecurity while it is also expressing a desire to expand the number of businesses that make up the defense industrial base.
Allowing contractors to write off a portion of their cybersecurity compliance activity is “an acknowledgment by the department that cybersecurity is not free,” he said.
“To be a smart businessman, let alone a contractor, you ought to undertake this [level of security] because our adversaries are stealing everything,” Chvotkin said. “On the other hand, [DOD] is trying to entice nontraditional companies and small companies that otherwise... might not see the need to incur such significant costs to reach the level that is expected as a contractor or subcontractor.”
Still, it’s not clear how DOD’s reimbursement policy will work, which contracts it would apply to or what percentage of a company’s costs would be covered. This summer, DOD is conducting outreach sessions by sending officials across the country to meet with contractors, explain the new maturity model and solicit feedback from industry on the best way to structure the framework.