New Cybersecurity Certification Requirements

The Office for the Under Secretary of Defense and Sustainment (OUSD (A&S)) recently released its Cyber Security Maturity model Certification (CMMC). DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs) and the Defense Industrial Base (DIB) all had a hand in developing the CMMC model. This model measures cybersecurity maturity using five levels (from basic to advanced) and aligns a set of processes and practices with the type and sensitivity of the information to be protected and any associated threats to that information. (CMMC Model v1.0, January 30, 2020)

DoD’s CMMC enhances the protection of:

  • Federal Contract Information (FCI) provided or generated by the government, but not intended for public release
  • Controlled Unclassified Information (CUI), which requires safeguarding or dissemination consistent with laws, regulations and government-wide policies. (ibid)

The CMMC model includes the safeguarding requirements for FCI spelled out in FAR clause 52.204-21 and the security requirements for CUI stated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per DFARS clause 252.204-7012 [3,4,5].

Included in the CMMC model is a certification piece verifying the implementation of cybersecurity maturity measure processes and practices. This is intended to deliver assurance to the DoD that contractors and subcontractors can sufficiently protect CUI at a level equal to the risk. (ibid)

To obtain a full overview of the CMMC Model, domains, practices, and processes, please review the Cybersecurity Maturity Model Certification.

Have questions about the effect on your current contract or one in works? Give us a call.

Line Item: Cybersecurity

We knew it would eventually happen. DoD is finally looking to permit cybersecurity costs as “allowable” on certain types of government contracts. (Federal News Network, June 2019)

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently spoke at the Professional Services Council (PSC) gathering in Virginia. Ms. Arrington is the lead for the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors. She told attendees that she wants to enact a legitimate standard for cybersecurity allowable costs. (ibid)

During a recent webinar, Arrington spoke about cyber attacks and the need for the defense industrial base to defend themselves against nation-state attacks. DoD is aiming at not just it’s 200,000 prime contractors but all vendors (approximately 300,000) that comprise the DoD supply chain. (ibid)

Arrington is working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to generate initial requirements. The draft will require DoD vendors to be certified through third-party assessment organizations. The standard incorporates existing requirements from NIST, the Federal Risk Authorization Management Program (FedRAMP), and other models.  (ibid)

Arrington expects DoD to carry out 12 webinars across the country over the summer. She aims to receive feedback from industry experts with a draft standard by the end of summer and third-party assessors to start certifying vendors in January. (CMMC requirements will be added to requests for information by June of 2020 and become a standard in solicitations by September 2020.) (ibid)

According to Alan Chvotkin, senior vice president and general counsel for PSC, the certification of contractors will be a very competitive discriminator in the marketplace. His main concern is whether DoD will only certify the big six contractors and what is going to take place for the prime and a subcontractor. (ibid)

Congress recognizes that risks to the supply chain need to be reduced. The Senate version of the 2020 National Defense Authorization Act, includes a provision requiring DoD to move to a broader cybersecurity standard with its contractors. Currently, DoD mandates defense contractors meet the requirements of NIST Special Publication 800-171; however, there is no current audit for compliance. Oversight of subcontractors by prime contractors is also a reasonable concern as is the lack of information available on subcontractors. The committee feels prime contractors should be held responsible and accountable for securing DoD technology and sensitive information and ultimately delivering uncompromised products and capabilities. This is seen as a first step in securing the supply chain. (ibid)

The Senate Armed Services Committee (SASC) believes DoD should provide direct technical assistance to contractors, based on risk, and in such a way as to not harm the industrial base while at the same time providing incentives/penalties for non-compliance of vendors’ cyber performance. DoD is being asked to provide the SASC with a briefing by March of 2020 and quarterly briefings on how the standard is being implemented by both vendors and the DoD. (ibid)

Although security has always been an allowable overhead cost, it will now be used as an incentive to get vendors to more quickly align themselves to the CMMC standard. The incentive doesn’t force companies to trade off security for other expenses. It appears the government will offer some reimbursement for some share of the cost, hopefully bringing all vendors up to the same level. (Firm-fixed-price contracts do not fall under the allowable cost umbrella in the same manner, as cyber is counted as general overhead in the final cost to the government.) (ibid)

Eager to learn a little more about the cyber standard and how it might affect your current contract or an upcoming bid? Give us a call at 301-913-5000.

 

 

Matchmaking Money

The Department of Defense (DoD) is concerned that Chinese firms investing money into U.S. tech companies could provide the Chinese with a military advantage. A new effort to counter this effect, called the Trusted Capital Marketplace, is launching in upcoming weeks. At least 50, generally small, innovative tech companies without the sophistication to obtain capital seem to  fall under this umbrella. The Trusted Capital Marketplace will match these companies with capital investors, circumventing the “red tape” they’d normally go through to obtain the much-needed capital. (Government Executive, May 2019)

Over the next month, investment goals will be developed and put in place. The current plan is to set up a website infrastructure where providers of trusted capital can aggregate with those businesses looking for capital. (ibid)

Back in October of 2018, the Pentagon said they would invest in domestic manufacturing in an effort to keep the U.S. from relying too heavily on Chinese and other foreign made parts for American weapons. The next month,  Commerce officials released a list of “specific emerging technologies that are essential to the national security of the United States,” with the desire to keep these technologies based and “backed” by U.S. companies. The infrastructure should be in place by the end of June for these companies to receive the capital they need to work with DoD.

Questions about the Trusted Capital Marketplace and how your firm can obtain much-needed capital? Give us a call at 301-913-5000.