3 minute read 28 Jan 2020

How defense contractors can navigate cybersecurity compliance regulations

By

Michael Tomaselli

EY Americas Government Contract Services, Senior Manager

Career focused on government contracts and financial investigations. Native to the Northern Virginia area where I live with my wife and two boys.

The DoD’s cybersecurity maturity model certification has opened a whole new set of challenges. Find out what to do next.

Cybersecurity regulations are changing for defense contractors, and the shifting landscape has kept many players in the industry off balance. The changes, prompted by the theft of critical defense technology from contractor networks, mean that companies doing business with the Department of Defense (DoD) will need third-party certification of their compliance with heightened cybersecurity standards, rather than the self-attestation that has applied until now. The current transition period has sown confusion among companies that need to identify and classify which data is to be protected, understand how the security standards will be evaluated, and know which parts of their network will be subject to the more stringent requirements. But organizations can take proactive steps to assess their readiness now, so they can decide what business actions make sense once the new program is in place.

The first contract requiring the new standards is planned to be released in the fall of 2020. However, with an estimated 300,000+ companies in the supply chain for the defense industrial base, certifications will take time. All relevant companies are expected to achieve certification by 2025.

Key questions companies can ask

A critical issue for companies will be to determine where they fall on the DoD's five-level maturity scale (Level 1 through Level 5). Most contracts are expected to require Level 3 or lower, and the Level 3 requirements are expected to closely align with those of an earlier security standard, the National Institute of Standards and Technology's Special Publication 800-171 (NIST SP 800-171). That standard specifies security requirements for protecting controlled unclassified information (CUI) in nonfederal systems, covering areas such as access control, multifactor authentication and cyber-incident response.

But all companies that do business or aspire to do business with the DoD should ask themselves the following:

  • Where does the company stand today, and where will it need to be?
  • If the company expects to be assessed at Level 3 (or, in the case of some prime contractors, Level 5), does it foresee being able to meet the standards for that level? If not, what will it take to get there?
  • For companies that do only a small percentage of their work with the DoD, does the time, effort and expense needed to get there and continue as a government contractor make business sense?

Under the new DoD program, called the Cybersecurity Maturity Model Certification (CMMC), accredited third-party certifiers will begin training in the spring of 2020, so the earliest assessments cannot take place before then.

What can companies do now

  • Guidelines and standards

    Companies should examine the contracts they have with the DoD and talk to those within their organizations who run those projects to understand the scopes of work and, in particular, what government data (such as CUI) those projects receive, create or store, and which systems it flows through. Internal guidelines and data classification standards can then be established based on the information actually used to complete the scopes of work, which in turn defines the boundary of the systems that will be subject to assessment.

  • Third-party assessment

    Contractors of all sizes should consider engaging a third party to get an independent assessment of where the company stands and where it needs to be. An important decision for companies that do a combination of commercial and government work is whether to institute a compliance program that extends across the enterprise or to maintain a separate, segregated environment used only for DoD work, which narrows the scope of what must be certified but adds the cost of operating two environments.

  • Cyber assessment

    If a company hasn't completed any DoD-specific cyber assessments, the time to do so is now. The latest draft framework was released on December 6, 2019, and only minor changes are expected in the final version. Because the latest release closely aligns with NIST SP 800-171 at Level 3, an assessment against those requirements can provide a good idea of whether security gaps exist and, if so, how prevalent they are. Equally, it can provide some peace of mind for contractors whose system security appears to be sound. In any case, companies will need to closely monitor the CMMC process as it advances.

  • Supply chain evaluation

    Prime contractors who manage programs that include numerous subcontractors should conduct a risk assessment to understand how a subcontractor's failure to achieve certification may affect their own ability to perform on a contract. Contractors should be proactive in identifying weaknesses or single points of reliance within their supplier population and establish procurement and contracting plans to mitigate the effects of non-compliant suppliers, for example by qualifying alternate sources before a contract depends on them.

  • Consulting

    Other considerations for prime contractors include consulting the administrative contracting officer who oversees their DoD contract for any information regarding timelines and whether they should try to get certified as soon as possible. Ultimately, contractors will need to communicate with the yet-to-be-established accrediting body to determine when they can be evaluated. Suppliers can contact prime contractors on existing programs to get ideas on how those programs will be affected.

Summary

Cybersecurity regulations are changing for defense contractors, and the shifting landscape has kept many players in the industry off balance. But organizations can take proactive steps to assess their readiness now so they can decide what business actions make sense once the new program is in place.
