DoD Contractors At A Cybersecurity Crossroads

With the new DoD cybersecurity enhancements approaching, small and mid-sized contractors have a big decision to make. Either outsource and comply, or leave.

DoD Contractors Need Solutions to Expensive Cybersecurity Mandates


The U.S. Department of Defense is rolling out an upgraded cybersecurity model designed to protect sensitive data housed by supply chain contractors. While the impending five-tier certification may better protect national security, it puts small and mid-sized companies at a crossroads. DoD industry decision-makers face two choices: comply or be left behind.

“We need to lower the barriers. We need to speed up acquisition. But we also need to secure the (defense industrial base),” defense acquisition official Katie Arrington reportedly said at the Charleston Defense Contractors Association 2019 Summit. “With 70 percent to 80 percent of our data living on my contractors’ networks, I don’t have a choice but to worry about how they’re doing it.”

What You Need To Know About DoD’s New CMMC

The new cybersecurity mandates require that every vendor in the DoD supply chain earn independent third-party certification at one of the five tiers. Any contractor that fails to secure proof of Cybersecurity Maturity Model Certification (CMMC) compliance by mid-2020 may be barred from bidding on or receiving DoD contract work.

The good news for many small and mid-sized outfits is that the three lowest levels of certification are built on familiar, basic cybersecurity practices and may not require a significant overhaul. Some vendors may not be required to recertify if they can demonstrate prior accreditation. The bad news is that the DoD expects small and mid-sized businesses to pay for certification out of pocket, just like big corporations. At the Charleston summit, Arrington reportedly said that the government's view is that ongoing cybersecurity expenses are already built into the lucrative contracts.

“Companies that say, ‘I’ll never get certified, I don’t want to, this is too high of a bar to reach to work with the Department of Defense. It’s already cumbersome enough to work there.’ Here’s my thing: I love ya, but good riddance,” Arrington reportedly said. “The companies that don’t want to acquiesce: I don’t want them to go, but they have a business decision to make.”

Her reasoning and statement highlight precisely the critical crossroads that small and mid-sized DoD contractors and supply chain businesses are approaching. Do you find a cost-effective way to meet the continually evolving government cybersecurity standards, or punt and work in another sector?

Get Ahead of the CMMC Deadline

It’s important to recognize that although DoD and other government agencies seem to keep moving the goalposts in terms of cybersecurity mandates, their fears are not unwarranted. Arrington reportedly explained that U.S. adversaries are costing the country upwards of $600 billion each year and that the 5G rollout is expected to only exacerbate the losses.

“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your (Plan of Actions & Milestones) is done,’” Arrington reportedly said. “They’re walking through those POA&Ms like they’re Swiss cheese. This is a change of culture. It’s going to take time. It’s going to be painful, and it’s going to cost money.”

Small and mid-sized outfits may be well served to start implementing cyber hygiene enhancements immediately. By enlisting the help of a third-party cybersecurity specialist on a short-term contract, companies can balance the additional expense against the profit-driving work coming down the pipeline. It’s no secret that the federal government passed a massive spending package that has many DoD contractors flush with work.

The benefits of working with independent cybersecurity contractors include not having to spend the time and money retraining in-house IT employees or hiring additional full-time staff to implement CMMC protocols. Strategies such as staff augmentation and folding outsourced costs into bids make far more sense than switching industries. The fact of the matter is that regardless of which sector butters your bread, ongoing cybersecurity enhancements are part of the business landscape.

WRITTEN BY
Greg LaScala