The defense contracting community is holding its collective breath, waiting for a batch of new contracts, that will be the first to require Cybersecurity Maturity Model Certification. They could be the shape of things to come. Federal Drive with Tom Temin got more insight from federal sales and marketing consultant Larry Allen.
Insight by Micro Focus Government Solutions: Learn from agency and industry executives as they explore why protecting data requires a comprehensive approach involving every part of the IT chain – people, policy, infrastructure and applications in this exclusive executive briefing.
Tom Temin: And I guess it’s fair to say, Larry, really the whole community kind of is waiting on – to see what the language will be in these contracts. What do we know, and what can we expect?
Larry Allen: Tom, I think what we can expect is that the first 15 contracts – that’s what DoD has said are coming out in this initial wave – are going to be classic defense-oriented contracts. What I mean by that is, it’s going to be obvious that these are for things like weapon systems or tactical strategic DoD support. They’re not going to be borderline contracts that could maybe have some commercial items in them. Perhaps some professional services, definitely some professional services given that CMMC talks about companies at their core, handle controlled unclassified information for a government agency. So I think in this initial wave, we’re going to see those types of contracts. DoD is going to require certification. And then they’re going to conduct as frequently as annual audits of companies to ensure that they are maintaining the level of cybersecurity that they claim they’re meeting. And we’ll have to see how that plays out. I think that even though there’s some good guidelines on what constitutes being cybersecure, at the different levels, CMMC contemplates that, you know, the first few times through this, there’s going to be some things that you find that make it less obvious.
Tom Temin: Sure. And I would think as observing people, they would want to look as much at how the contractors responded, and what language they used as much as what the government is doing. I’m guessing that these 15 were worked out by hand, so to speak, between the government and the contractors.
Larry Allen: Well, I think it’s safe to say that at least some of them were. They probably did sit down with some of their major suppliers, some of the frequent defense contractors that are brand names. DoD has a history of doing this when they’re rolling out any new broadbased requirement. So whether it was individual part tagging, or scanning or whatever, they did sit down with the defense industrial base. One lesson that I hope DoD has learned from those days, Tom, is that they buy an awful lot of things from companies that aren’t classically part of the defense industrial base. These are companies that may sell in the commercial market, as well as to the government market. I know that a lot of these commercial companies have heard of CMMC. We certainly had a long enough lead time for people to get up to speed on it. But whether or not these companies are going to have the same capability to implement the level of requirements that a DoD might want remains to be seen. And also, I think that another way of saying that DoD requirements may require a higher level of CMMC certification, just because people are nervous, they really want that security. But the project itself on its face may not rise to that level.
Tom Temin: Sure. And I guess recent statements by the current, assumed to be former, director of national intelligence, on China in the threats that it’s posing throughout the economy, would be a good spur to get this thing over the line, also.
Larry Allen: There’s no question that the Cybersecurity Maturity Model Certification program, Tom, is very timely. We have to remember that the reason it was put into place was precisely because industry wasn’t always implementing the National Institute of Standards and Technology cyber standard. So this is a requirement on top of a requirement. It’s an indication that DoD absolutely expects its supplier base to take cybersecurity seriously. As I mentioned, we’ve known about CMMC for a while, we’re just on the fringe now of having the first 15 procurements come out. It’s time for industry to understand this, to know what the requirements are and to try to work with DoD, as we do the shakedown cruise for how this is going to play out in the defense community.
Tom Temin: So everybody’s going to have their Christmas week reading, digging into 15 contracts. You thought you were gonna read that Alexander Hamilton biography or something but no. We’re speaking with Larry Allen, president of Allen Federal Business Partners. And you’ve also been watching the parade of transition people connected to the General Services Administration, from the Biden team, and some familiar faces there.
Larry Allen: There are some familiar faces, Tom. A number of the people on the GSA transition team actually served in GSA during the Obama administration. leading off that list as Katy Kale. Katie had been the chief of staff for the GSA administrator during the latter part of the Obama administration. And she’s coming back now, from her job in industry to lead the transition team on a volunteer basis. Certainly somebody who knows a lot about GSA. One of her top deputies at GSA is a gentleman named Nate Denny. Nate now comes from North Carolina, where he’s going to help Katy out, but they both were senior people in GSA under the Obama administration. And that’s not all. There are a couple of people who served in GSA during that time that are also members of the transition team. So people who are experienced with GSA’s mission. One of the things that I thought was really interesting about the list of transition team people, though, Tom, is while they have some experience with the agency, it’s really more from an overall managerial standpoint. And a little bit from a policy standpoint, there’s some policy mavens on this transition team. What you didn’t immediately see was representative from the GSA public building service community. Now that’s GSA’s largest single portfolio. When a lot of people think about GSA, they first think about public buildings. Yet there’s nobody on the transition team who has obvious strong ties to [the Public Buildings Service]. There are some people who have some ties to information technology, which, of course, is a very important thing that the agency does. That just kind of struck me as something a little different. I’m not sure if the Biden administration is trying to send a message here, or if we can expect to see them look more at how GSA is managed and organized moving forward rather than specific portfolios. But time will tell.
Tom Temin: Well, it is a little strange, because given the fact that the Biden administration is going to be focusing heavily on refreezing the polar ice caps, saving the polar bears and making the oceans recede, that they would focus on the federal building service because the footprint of federal real estate surely is going to have a role in reducing world carbon.
Larry Allen: Well, there is someone on the transition team who fits that bill, Tom, whose name is Josh Sawislak.
Tom Temin: Oh, sure I know Josh.
Larry Allen: Josh and I have worked together before. He’s a good guy, he’s very savvy, he knows a lot about GSA. His background is in energy-related green-type initiatives, a lot of things that have to do with reducing carbon footprints, things of that nature. He spent a lot of his time since the Obama administration really traveling the world, least until COVID, talking about ways to reduce greenhouse gas emissions and to be clean energy viable. So maybe he’s the voice that will be doing that in GSA?
Tom Temin: I guess those federal mules and the hay they eat better wake up and smell the coffee.
Larry Allen: Haha, you know, that was a true story. You never know if you could see that type of thing again.
Tom Temin: Larry Allen is president of Allen Federal Business Partners. Thanks so much.
Larry Allen: Tom, thank you and I wish your listeners happy selling.
Tom Temin: We’ll post this interview with FederalNewsNetwork.com/FederalDrive. Hear the Federal Drive on your schedule. Subscribe at Apple Podcasts or wherever you get your shows.