Page 34 - Security Today, October 2019

Cybersecurity
By Derek B. Johnson
Are Contractors Ready for DOD’s Cybersecurity Framework?
The cybersecurity maturity model certification could have a profound impact on the procurement landscape when it goes live next year
Contractors will face big changes and tight timelines next year when the Defense Department institutes its new Cyber Maturity Model Certification framework. Announced by DOD officials in June, the framework seeks to certify companies’ compliance with federal cybersecurity regulations for controlled unclassified information (CUI). It will be used to evaluate and rate contractors’ ability to protect sensitive data on a scale of 1 to 5.
The initial version of the framework is scheduled to go public in January 2020. By June, its requirements will start appearing in requests for information, and it will become a regular feature of defense procurement by September. That means defense contractors will have less than eight months to implement the necessary changes to ensure that they comply with the Defense Federal Acquisition Regulation Supplement’s and the National Institute of Standards and Technology’s guidance on protecting CUI.
“Any timeline would seem ambitious. One that looks to have this in operation by 2020 [is] going to be difficult,” said Robert Metzger, a lawyer specializing in government contracts and commercial litigation and a consultant who focuses on supply chain security issues. “Naturally, industry has a lot of questions about the mechanics... Companies are understandably uncertain as to how these changes will affect what they’re doing, how they will demonstrate eligibility for contracts and what the costs might be upon their operations.”
Cybersecurity is Not Free
High costs, confusing guidance and low return on investment have all been cited as reasons for compliance challenges among defense contractors. Traditionally, DOD has declined to cover the costs associated with implementing acquisition regulations related to CUI cybersecurity, but that has slowly changed over the past 12 months as military contractors have faced unprecedented attacks from foreign-sponsored hackers.
Last year, then-Deputy Secretary of Defense Patrick Shanahan
GOVERNMENT SECURITY OCTOBER 2019