Department of Defense (DoD) vendors and contractors need to constantly be one step ahead of the compliance game. The DoD and related U.S. Federal agencies are constantly putting forth new frameworks and requirements designed to keep sensitive government and military information out of the wrong hands.
Compliance is often a confusing — but completely necessary — exercise for any vendor or contractor that wants to conduct business with the DoD or U.S. military.
We recently caught up with Katherine Arrington, the DoD’s current Chief Information Security Officer (CISO) for Acquisition and Sustainment (A&S) to provide insight and advice regarding DoD vendor compliance. Katherine is also a form House Representative of South Carolina’s 94th congressional district and previously served as CISO for the entire DoD.
Here’s what Katherine had to say about new regulatory frameworks like the Cybersecurity Maturity Model Certification (CMMC), how she sees the vendor compliance landscape evolving in the near future and how DoD contractors can best prepare themselves.
Q: What are the main cybersecurity or compliance issues facing DoD vendors today?
Katherine Arrington: The Office of the Undersecretary of Defense’s (OUSD), Under Secretary of Defense for Acquisition and Sustainment (A&S), DoD CIO, and other DoD stakeholders have been working with the Defense Industrial Base (DIB) sector to enhance the cybersecurity posture of contractors’ unclassified networks that store, process, or transmit sensitive unclassified information. There have been several public release reports and articles that have highlighted gaps in contractors’ implementations of the NIST SP 800-171 security requirements per DFARS clause 252.204-7012. These gaps increase the risk of cyber threats and exfiltration of the Department’s Controlled Unclassified Information (CUI).
Q: What should vendors be aware of in terms of internal cybersecurity practices?
KA: The Department recognizes the need to verify contractors’ full implementation of security requirements as part of a risk-based cybersecurity framework. Towards this end, the Department plans to implement the Cybersecurity Maturity Model Certification (CMMC) and the DoD Standard Assessment Methodology to ensure that contractors protect CUI appropriately. After the interim DFARS rule is in effect on November 30, 2020, the Department will implement a phased rollout of CMMC that will require that contractors achieve a specific CMMC level as a condition of contract award. The CMMC framework requires prime contractors to flow the appropriate CMMC certification requirement down throughout the entire supply chain.
CMMC Level 3 encompasses the 110 security requirements of NIST SP 800-171 and adds 20 cybersecurity practices and 3 maturity processes per domain. As a result, contractors who have already implemented the 110 NIST SP 800-171 security requirements should be well-positioned to achieve CMMC Level 3.
Q: How do you see the regulatory compliance landscape evolving over the next few years with regards to procurement-related cybersecurity compliance?
KA: The Department will implement a phased rollout of CMMC over a five-year period to enable a smooth transition from the current “trust” to the new “trust and verify” paradigm. The rollout will ensure that the DIB sector and DoD supply chain can meet the appropriate CMMC level.
The CMMC framework aligns the set of cybersecurity practices and maturity processes with the sensitivity of unclassified information to be protected and the associated risks. The Department recognizes that cybersecurity is not a “one size fits all.”
Q: Will frameworks like ITAR and CMMC present unique challenges for vendors?
KA: CMMC Level 1 corresponds to the 15 basic safeguarding requirements specified in the FAR clause 52.204-21, which map to 17 security requirements in NIST SP 800-171 per DFARS clause 252.204-7012. As a result, CMMC is only adding the verification component to the existing federal regulation. The Department anticipates that the majority of CMMC requirements will be for Level 1. The goal is for the achievement of CMMC Level 1 to be cost-effective for small businesses, which represent the preponderance of DIB contractors.
Q: Do you have any specific advice for DoD contractors to ensure compliance with relevant regulatory frameworks?
KA: I recommend that contractors review the interim rule “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements” (DFARS Case 2019-D041 on the Federal Register) and the CMMC Model on the OUSD (A&S) public website.
The Department will continue to work with the DIB sector, industry associations, National Defense Information Sharing and Analysis Center (NDISAC), DIB Sector Coordinating Council (SCC) CyberAssist Task Force, and Procurement Technical Assistance Centers (PTACs) so that information and updates on CMMC are available to DIB contractors.
Q: How can vendors position themselves to maintain preferred vendor status and streamline the procurement process?
KA: For contractors who seek a CMMC Level 1 certification, I recommend that contractors review the basic safeguarding requirements per FAR clause 52.204-21, and the associated 17 security requirements in NIST SP 800-171 and NIST SP 800-171A. OUSD(A&S) will release the draft CMMC Level 1 assessment guide later this fall.
For contractors who seek a CMMC Level 3 certification, I recommend that contractors do the following: (i) review their current system security plans and associated plans of actions in relation to NIST SP 800-171 per DFARS clause 252.204-7012, (ii) take action to close identified gaps, (iii) review the additional 20 practices and 3 maturity processes associated with the CMMC Level 3 requirements, (iv) develop a plan to implement these additional requirements, (v) implement these additional requirements, and (vi) conduct a self-assessment. OUSD(A&S) will release the draft CMMC Level 3 assessment guide later this fall.
Closing Thoughts
New frameworks like CMMC will surely be a game-changer for DoD vendor compliance efforts over the next few years. Katherine recommends contractors get to know CMMC in-depth — and applying best practices like “trust and verify” — to maintain compliance and a smooth business relationship with the DoD.