Should DoD Contractors Outsource Cybersecurity To Meet Mandates?
The DoD continues to update cybersecurity certification. Although national security is necessary, contractors must find cost-effective ways to compete.
The U.S. Department of Defense recently released information about its upcoming cybersecurity certification model, and government contractors throughout the supply chain had better sharpen their network security.
The latest Cybersecurity Maturity Model Certification (CMMC) will have far-reaching implications on large defense-sector corporations, as well as small and mid-sized companies. The DoD is taking a more comprehensive view of potential vulnerabilities. It appears the day of placing stringent cybersecurity requirements only on top-tier contractors is a thing of the past.
“Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense,” DoD official Katie Arrington reportedly said at a recent Intelligence and National Security Summit. “With 70 percent-plus of our data living on your networks, it is no longer a moment. It’s (not) a me-thing or a you-thing. It’s a we-thing.”
What DoD Supply Chain Businesses Need to Know About CMMC
Under previous cybersecurity mandates, small and mid-sized organizations may have avoided the high costs of meeting the expectations the DoD placed on massive contractors such as Lockheed Martin and Raytheon, among others. Every outfit that derives a benefit from the defense industry will now need heightened cybersecurity to participate. The new CMMC mandate reportedly creates five distinct certification levels. These include designations such as Level 1 “basic cyber hygiene” to Level 5 “advanced” cyber hygiene. Businesses may be tasked with implementing as many as 47 cybersecurity controls to pass DoD muster.
A substantial gap is expected between Level 1 and Level 5 certification. That space will undoubtedly have a significant impact on the ability of DoD contractors and affiliates to win bids and earn profits. According to a CMMC draft released by the Office of the Under Secretary of Defense for Acquisition and Sustainment, those that pass a Level 1 audit do not necessarily demonstrate maturity. By comparison, the report states that Level 5 outfits would have proven process maturity that “activities are standardized across all applicable organizational units, and identified improvements are shared.”
Defined details are on track to be released during the first quarter of 2020, and all companies must be thoroughly audited and achieve certification to bid on lucrative DoD contracts by year’s end. The change is expected to level a burdensome cost on small and mid-sized companies.
Make An Informed Decision About Outsourcing the DoD Cybersecurity Mandate
Over the past five years, the DoD has repeatedly called for improved cybersecurity measures among top-tier contractors and others in the supply chain. As the CMMC draft points out, cyber threats and losses remain a clear and present danger to businesses and national security.
Intellectual property theft is estimated in the hundreds of billions, and the U.S. economy suffered $57 to $109 billion in 2016 alone due to subpar cybersecurity. Although some in the defense sector may be frustrated with the high cost of DoD cybersecurity mandates, the threats are quite real and the updates necessary. That being said, decision-makers may be best served by considering the evolving cybersecurity landscape when deciding how to fund seemingly never-ending changes.
Large defense contractors generally have adequate IT resources to keep pace with emerging government expectations. In fact, the largest DoD contractors usually have teams dedicated to these specialized tasks. Folding in-house IT staff education and training into budgets that exceed hundreds of billions in contractual work is inconsequential. Such is not the case for small and mid-sized outfits competing for a larger market share.
Outsourcing has emerged as a cost-effective strategy on two fronts. Mid-sized organizations are pivoting when the government hands down changes and utilizing staff augmentation as a stop-gap measure to fulfill the mandate and remain in the bidding landscape. Those with modest in-house IT departments outsource portions to keep their employees from getting bogged down in time-consuming education, training, implementation and audits such as the CMMC.
Small outfits tend to lean more heavily, if not wholly, on third-party managed IT service providers. The benefits of bringing in a DoD cybersecurity expert on a contract basis far outweigh the cost of hiring a team and funding ongoing education and training. The question for DoD industry decision-makers remains: Do you want to spend more on in-house training, or less by outsourcing to an expert?