The DoD’s Cybersecurity Maturity Model Certification (CMMC) has opened a whole new set of challenges for defense contractors. Find out what to do next.
Cybersecurity regulations are changing for defense contractors, and the shifting landscape has kept many players in the industry off balance. The changes, prompted by the theft of critical defense technology, mean that companies doing business with the Department of Defense (DoD) will need third-party certification of their compliance with heightened cybersecurity standards. The current transition period has sown confusion among companies that need to identify and classify which data is to be protected, understand how the security standards will be evaluated, and know which parts of their network will be subject to the more stringent requirements. But organizations can take proactive steps to assess their readiness now so they can decide what business actions make sense once the new program is in place.
The first contract requiring the new standards is planned to be released in the fall of 2020. However, with an estimated 300,000+ companies in the supply chain for the defense industrial base, certifications will take time. All relevant companies are expected to achieve certification by 2025.
Key questions companies can ask
A critical issue for companies will be to determine where they fall on the DoD’s five-tier maturity rating. Most contracts are expected to be at Tier 3 or lower, and the Tier 3 requirements are expected to closely align with those of an earlier security standard, the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), which sets out security requirements for protecting controlled unclassified information, covering areas such as multifactor authentication and cyber-incident response. The key difference is how compliance is verified: under the earlier standard, contractors self-attested to meeting the requirements, whereas the new program requires an assessment by an accredited third party.
But all companies that do business or aspire to do business with the DoD should ask themselves the following:
- Where do they stand today, and where will they need to be?
- If they expect to be classified at Tier 3 (or, in the case of some prime contractors, Tier 5), do they foresee being able to meet the standards for that level? If not, what will it take to get there?
- For companies that only do a small percentage of work with the DoD, does the time, effort and expense needed to get there and continue as a government contractor make business sense?