New DOD Cyber Certification Just the Cost of Doing Business


By Chris Cornillie


New cybersecurity certifications could shake up the defense industrial base by raising the cybersecurity costs of doing business with the Defense Department.

The Defense Department is seeking industry comments on a draft of the Cybersecurity Maturity Model Certification (CMMC), which would be mandatory for every one of the estimated 300,000 suppliers and contractors that make up the department’s supply chain, Katie Arrington, chief information security officer with the Office of the Assistant Secretary of Defense for Acquisition, told attendees at a Sept. 4 event.

The CMMC represents the Pentagon’s most sweeping attempt to date to secure the integrity of its supply chain against digital threats.

The CMMC will consist of five distinct certifications, or levels, of cybersecurity rigor, ranging from adherence to baseline security controls and best practices, to sophisticated cyber defenses capable of repelling even the most advanced threats:

  • Level 1 – Basic. The vendor performs a basic subset of cybersecurity best practices in an ad hoc manner, offering limited resistance against threats.
  • Level 2 – Intermediate. The vendor implements and documents all universally recognized best practices, offering some resistance against threats.
  • Level 3 – Good. The vendor covers and actively maintains all security controls required by the National Institute of Standards and Technology’s cybersecurity framework (SP 800-171) for controlled, unclassified information, offering moderate resistance against threats.
  • Level 4 – Proactive. The vendor regularly reviews and improves security controls and processes. They also rely on automated security controls capable of responding to threats faster than human analysts, offering strong resistance against all but the most advanced threats.
  • Level 5 – Advanced/progressive. The vendor continuously improves security processes. It also relies on automated security controls and analytics, and offers strong resistance to even the most sophisticated cyber attackers.

Each vendor will be assessed on hundreds of cybersecurity best practices and processes, with the higher-level certifications corresponding to increasingly stringent requirements. Cyber-maturity scores won’t become a factor in evaluating proposals; rather, CMMC scores will dictate which vendors are eligible to compete. For example, the Pentagon could limit competition for a given contract to only those vendors with an active Level 3 certification.

As is the case with the Federal Risk and Authorization Management Program (FedRAMP) cloud security certification, companies must be assessed by an independent third party. For vendors operating in the independent verification and validation (IV&V) market or considering entry, the CMMC would represent a substantial opportunity.

Critics Cite Business Burdens

Critics of the plan have pointed out that the CMMC would place a costly burden on companies that do business with the Defense Department, especially small businesses, which are less capable of absorbing the costs of compliance.

“The goal is for the CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels,” according to a DOD slideshow presentation. Further, the Pentagon recognizes that security will need to be an allowable cost, said Arrington, meaning that vendors will be allowed to bill the government for some of the cost of upgrading their cyber defenses.

Nevertheless, firms considering entering or remaining in the defense sector must decide whether to take on certain up-front costs to be eligible to compete for contracts. Others that are two or more tiers down in the supply chain may have to take on these costs just to maintain their business with downstream buyers. While the government may reimburse contract holders for certain security-related costs incurred, much of the burden will be borne by the private sector. But given the present cyber risk environment, Pentagon officials may see this as simply the cost of doing business.

Defense suppliers are encouraged to submit feedback on the CMMC by Sept. 25. The Pentagon plans to release a final draft of the framework in January 2020 and will begin using the model in requests for information in June 2020.

Chris Cornillie is a federal market analyst with Bloomberg Government.

To contact the analyst: Chris Cornillie in Washington at ccornillie@bgov.com

To contact the editors responsible: Daniel Snyder at dsnyder@bgov.com; Jodie Morris at jmorris@bgov.com
