The DoD to Contractors: Improve Your Cybersecurity Maturity or No More Contracts

[UPDATED 9/3/2019 to discuss the DoD missing the August 30, 2019 deadline for the release of CMMC Version 0.4]

Is your company’s cybersecurity program mature and effective?  When asked this question, most executives will answer yes, but the Department of Defense (“DoD”) disagrees.  According to Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Cyber:

“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base [(“DIB”)] doesn’t have robust cyber hygiene. Only 1% of DIB companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

That is why the DoD recently announced two important changes to its approach to securing its supply chain: 1) cybersecurity costs will soon be allowable under DoD contracts, and 2) the creation of a Cybersecurity Maturity Model Certification (“CMMC”), which will be required under all DoD contracts.[1]

Aggressive CMMC Implementation Timeline

The DoD knows it needs to make fundamental changes quickly to combat threats to its supply chain and has set out an aggressive timeline: CMMC Version 1.0 and the certification process will be finalized in January 2020, and the CMMC will be a mandatory go/no-go part of all solicitations beginning in September 2020.

Schedule your cybersecurity maturity evaluation today so you don’t miss out on future contracts.

The DoD’s Motivation

The DoD’s motivation for these changes is clear: the DoD depends heavily on its contractors, and it recognizes that no matter how secure it makes its own computing systems, those systems are only as secure as their weakest link.  The DoD’s broad announcement regarding cybersecurity is a good sign that it recognizes that these weak links can come from a variety of sources, including the more obvious technology issues, such as vulnerabilities in technology supplied to the DoD like Citrix security software[2], Cisco routers[3], or Microsoft Windows[4], and also from vendors providing non-technical products and services to the DoD.

CMMC Will Even Apply to Non-technical Vendors

This latter category of risks is illustrated by All-Ways Excavating’s (“All-Ways”) role in the near collapse of the U.S. electrical grid[5].  All-Ways is an excavating company based in the Pacific Northwest.  It provides contracting and building services to residential, commercial, and government customers.  One day, the FBI appeared at the All-Ways offices as part of its investigation into the near collapse of the United States electrical grid, the system through which power plants throughout the US distribute electricity to each other and to their customers.  Fortunately, U.S. intelligence officials detected and were able to stop the attack before it could be completed, but it could have had a devastating impact on the country.  The intelligence officials traced the attackers’ actions back to a compromised All-Ways E-mail account.  The attackers used that compromised account to send infected E-mails to the All-Ways employee’s contacts, including contacts at prime contractors and utility companies.  These seemingly legitimate E-mails were then opened by some recipients, and the attackers repeated this process until they obtained access to the machines that connected to the electrical grid itself.

Cybersecurity as an Allowable Cost

The DoD is joining the growing number of large organizations that pay for at least a portion of their vendors’ efforts to improve their cybersecurity maturity.  The DoD has yet to announce whether all or only a portion of cybersecurity costs will be allowable, but in either case this should come as welcome news to government contractors.  We will update our subscribers when new information is available from the DoD, but government contractors should already begin assessing how and where they will make additional investments.

Cybersecurity Maturity Model Certification

The DoD knows that even paying for cybersecurity will not cure all of its problems.  That is why it has also announced the CMMC.  Rather than focusing on the presence or absence of certain technologies, as is the case with DFARS 252.204-7012/NIST SP 800-171 or NIST SP 800-53 compliance, the CMMC measures the maturity of contractors’ cybersecurity programs.  That is, the CMMC will measure how well the contractor is using the tools in its environment, along with other factors such as whether cybersecurity is embedded in the organization’s culture.  The CMMC will define five levels of maturity, from “basic” to “state-of-the-art”, and no later than September 2020 all government solicitations will include threshold maturity requirements for all contractor cybersecurity programs.  Every vendor on a contract, including subcontractors, must meet the required maturity level or the proposal will not be considered.  The maturity certifications must be performed by third-party cybersecurity auditors, who will conduct audits, collect metrics, and inform risk mitigation across the entire supply chain.

False Certifications

Falsely certifying maturity levels can lead to debarment and can also result in liability under the False Claims Act. False Claims Act penalties can include damages of up to three (3) times the payment for the goods and services, plus up to $21,916 in penalties per claim.  Depending on the nature of the claims, it is easy to see how the damages could skyrocket to many millions of dollars.  Thus, it is imperative for contractors to ensure that they are fully in compliance with the CMMC before submitting any proposals.

Conduct a Maturity Assessment Now

A draft version of the CMMC, dubbed Version 0.4, was due at the end of August, but its release has been held up.  The first official CMMC version, Version 1.0, and additional details about the certification process are expected to be released in January 2020, but that may also be delayed.  Meanwhile, the DoD is still targeting June 2020 for adding CMMC requirements to its requests for information (“RFIs”) and September 2020 for adding them to all solicitations.  In our experience, initial cybersecurity maturity assessments are a wake-up call for many companies, and it can take significant time for them to find the resources necessary to improve their maturity.  Assessing systems now will allow your company to begin addressing any issues so it is better situated when the CMMC requirements take effect.

Don’t lose your competitive edge or be cut out of competing for lucrative DoD contracts. Let Fathom Cyber perform a cyber maturity review for you today. Contact us for more details.

[1] “Help Me, Help You”: Defense Department Advises Contractors That Cybersecurity Is An Allowable Cost – Damon Silver and Catherine Tucciarello – (last viewed 6/28/2019)

[2] Iranian-backed hackers purportedly gained access to Citrix’s internal systems and were able to at least monitor, and possibly implant vulnerabilities in, the company’s security efforts – (last viewed 6/28/2019)

[3] Cisco makes very secure routers that are highly intelligent.  However, this intelligence also creates attack surfaces that criminals can probe for, and ultimately exploit, vulnerabilities – (last viewed 6/28/2019)

[4] Microsoft recently announced a major flaw in its Remote Desktop Protocol service which can be exploited to give attackers complete control over impacted systems – (last viewed 6/28/2019)

[5] The All-Ways issue is described in America’s Electric Grid Has a Vulnerable Back Door – and Russia Walked Through It – Rebecca Smith and Rob Barry – (last viewed 6/17/2019)