Thousands of smaller defense contractors face new cybersecurity standards that will soon be the cost of doing business as the Pentagon seeks to prevent hacking and theft from countries such as China and Iran.
The Defense Department plans to release the standards at the end of January as it rushes toward requiring new universal auditing of contractors’ cyber safeguards by this summer. The military’s vast commercial supply chain, especially smaller vendors, has emerged as a critical national security weakness.
“This can be a burden to small companies, particularly,” Pentagon acquisition chief Ellen Lord said in December. “So we have been working with the primes, with the industry associations, with the mid-tiers, with the small companies on how we can most effectively roll this out so it doesn’t cause an enormous cost penalty for the industrial base.”
A total of about 300,000 contractors large and small will be subject to the cyber auditing and certification, which the department has dubbed the Cybersecurity Maturity Model Certification, or CMMC.
Human auditors, potentially thousands who must themselves first be certified, will be needed and an outside nonprofit accreditation body that is supposed to manage the system has just been formed, Lord said Tuesday. Many questions remain about the cyber certification as time grows short, fueling anxiety among companies.
“From the contractor’s perspective, this is being framed as a go, no-go decision on your ability to be awarded a contract,” said Corbin Evans, the director of regulatory policy for the National Defense Industrial Association. “The stakes really can’t be higher than when it comes to your ability to continue to do business with the department.”
Many large defense contractors have already bolstered themselves against foreign intrusions aimed at stealing intellectual property or sabotage. But many medium- and smaller-size companies are alarmingly unprepared, experts testified last year to the Senate Armed Services Committee.
Those smaller companies often work as subcontractors and handle what is called controlled unclassified information about Pentagon systems and manufacturing, making them “prime targets” for foreign hacking, Christopher Peters, CEO of the Lucrum Group who spent two years studying the vulnerabilities, told senators in March.
“A lot of what makes U.S. industry uniquely capable of producing high-end military systems is critical manufacturing know-how,” said Andrew Hunter, a senior fellow at the Center for Strategic and International Studies. “That in fact may not be classified, but it’s a trade secret.”
China is a top concern and has been accused of hacking that U.S. defense intellectual property to speed its own military buildup. It allegedly hacked a Navy contractor in 2018 and stole information on a new anti-ship missile. Meanwhile, adversaries such as Iran, which has used hacking and is ratcheting up tensions with the U.S., could take aim at companies to disrupt national security.
The planned cybersecurity audits and certification of contractors, spearheaded by Lord, are the Pentagon’s most ambitious effort yet to shore up vulnerabilities. Former Defense Secretary Jim Mattis created a cyber task force, and the Pentagon has adopted new cybersecurity standards that are being incorporated into contracts as part of the Defense Federal Acquisition Regulation Supplement, or DFARS.
The requirements must be in place this year, said Katie Arrington, the special assistant to Lord who is the point person on CMMC. “I need you to lean in on this,” she told a roomful of contractors in November.
Companies will be certified on five tiers, with level 1 being the lowest and level 5 being the most stringent cybersecurity rating for the most sensitive operations. The Pentagon has spent more than a year speaking with industry and releasing initial plans.
“The expectation is that those who are qualified at CMMC Levels Four and Five are able to handle more complex and more sophisticated information or information that is more valuable to DOD,” said Alan Chvotkin, the executive vice president and counsel for the Professional Services Council.
Costs Baked In
Requirements for each tier and what levels companies must meet, called the final CMMC framework, will be first released at the end of January.
“The devil is going to be in the details on how companies are able to flow that cost into a contract etc.,” said Wesley Hallman, a senior vice president at NDIA. “But the bottom line is that any cost of the contractor eventually will be baked into whatever costs it is or what they’re producing or they’ll have to go out of business. It’s going to be that simple.”
The industry group said the cost of a small- or medium-size defense company bolstering cybersecurity to what is estimated to be level 3 standards could run $250,000. The figure was the actual security cost for a particular company that the group declined to name. It didn’t include the costs of auditing and certification.
Hunter of CSIS said the Pentagon has indicated companies could be able to claim the expense if contract language allows it. Those holding fixed-price contracts that predate the adoption of CMMC will have to absorb the cybersecurity costs themselves.
The first Pentagon requests for contracts using the certification levels could come later this year and the certification requirements will be phased in.
“We will start with the most critical systems, probably nuclear and missile defense, that type of thing and move it in,” Lord said Tuesday. “I do not anticipate waivers at this point in time.”
For now many questions also remain on auditing and certification. That will be handled mostly outside the Pentagon and is coming into focus as the framework is released.
Lord said the new nonprofit consortium will oversee the system of audits and certifications that could be used in defense contracts, but further details on who makes up the group were not immediately available from the Pentagon. It will have to oversee the small army of auditors that will likely be needed to avoid bottlenecks for companies seeking certification.
“To do the entire industrial base, the 300,000 companies, it’s not as high a standard as protecting classified information, but I think they’re going to need many thousands of auditors to make that achievable,” Hunter said.
The auditors would be required to physically visit companies seeking higher-tier certifications. They will need to be trained and themselves certified by a new CMMC accreditation body by June to meet the timeline laid out by Arrington.
“There’s no question that the department has laid out a very aggressive time frame for initiating the CMMC program,” Chvotkin said.
To contact the reporter on this story: Travis J. Tritten at firstname.lastname@example.org