19 November 2020

Starting Dec. 1, Cybersecurity Is No Longer Optional

By KELSEY ATHERTON

ALBUQUERQUE: As the deadline nears for the first 15 contracts to be awarded under the new Cybersecurity Maturity Model Certification, the Pentagon made it clear that this is just the beginning, saying it will probably need to certify at least 1,500 contractors and subcontractors for those pilot contracts alone.

“It’s trust but verify. This is the start of a new day in the Department of Defense where cybersecurity, as we’ve been saying for years, is foundational for acquisitions. We’re putting our money where our mouth is. We mean it,” said Katie Arrington, CISO for the undersecretary of Defense for acquisition and sustainment. On Dec. 1, the rules come into effect for new contracts. Adversaries who target weak security in the United States can attack both commercial and military networks, looking to steal secrets. “We’re doing it because it is so critical to our commerce, our national security.”

Arrington said she and her team are pushing straight ahead: “The CMMC is going to continue. We are not stopping. We haven’t let up on the gas, we are rapidly rolling through mere days until the interim rule becomes effective.”

Her remarks came as part of an event put on by INSA. Taking center stage was the imminent implementation of the new contracting rules mandating cybersecurity, designed to guarantee baselines of competence and adherence to NIST and DoD standards throughout the defense industrial base.

“As soon as the interim rule goes final, we are getting ready to release names of the pilot programs we are launching in 2021. It’s 15 contracts,” said Arrington. Those first 15 contracts will start the shift to new, verifiable cybersecurity among contractors. At least 1,500 contractors and subcontractors are expected to work on those first projects, and each will need to be certified to do the work.

Those contracts are going to be spread out across the services, as well as commands such as Transcom and Cyber Command, and parts of the so-called Fourth Estate, like the Missile Defense Agency. The contracts range in size and complication; certification will take place over the course of fiscal 2021.

Under the previous rules, it was enough for a company to meet some of the 110 NIST SP 800-171 security requirements, so long as it self-attested that it was working towards compliance with the rest. That meant companies could compete for contracts without ever having to prove compliance to anyone.

“CMMC is going to be a go/no-go decision. When audited, you’re either level 1 or not,” said Arrington. The goal is a source-selection process that puts every company that actually implements the security it claims on an equal footing. Security is then priced into every bid automatically, because a cheaper bid from a contractor that is not yet certified at the required level is no longer eligible for consideration.

For contracts that require a high CMMC level of the prime contractor, the contract will spell out whether subcontractors must meet that same level, or whether they can be certified at a lower level because they will not be handling the sensitive information.

A cybersecurity regime built on verification means the Pentagon can finally stop contracting with companies that leave vulnerabilities unfixed for years after patches are available. Voluntary compliance left those weaknesses in place: simple, well-understood errors that threaten the whole of the supply chain.

“People are not changing passwords, not implementing two-factor, not labeling documents appropriately. We are causing harm to our supply chain by not doing these,” said Arrington. Any company that continues to operate this way is unlikely to win Pentagon contracts in the future.