The Defense Department is telling its vendors that the government, in some cases, will pay for cybersecurity.
That is huge. If, and it is a very big if, the Pentagon follows through on that promise: if it does not make allocating those costs arduous, does not cap the allowable share at a percentage so small that it is not worth claiming, and makes it a true incentive, then this is one of those moments in procurement history that we will all remember.
Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, made this bold statement before a roomful of vendors.
“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment]: security is an allowable cost. Amen, right?” Arrington said during an acquisition conference sponsored by the Professional Services Council in Arlington, Virginia. “Now what you need to do as industry is help me, help you. I’m not the enemy. I’m literally the one person in government who said, ‘Hi, I’m here to help and I’m legit here to help.’”
Arrington is here to help because she is leading the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors.
“We have a great deal of standards for cybersecurity. What we are lacking is a unified standard,” Arrington said June 12 during a webinar sponsored by Government Executive. “It is a major undertaking, but just like we got to ISO 9000, we need to get there with cybersecurity. If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”
And DoD is not taking aim at just the 20,000 prime contractors that it spends more than $250 billion a year with, but the approximately 300,000 vendors that make up its entire supply chain.
Arrington, who came to DoD in January, has been working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to create the initial requirements.
The draft standard details five maturity levels, and DoD will require vendors to be certified through third-party assessment organizations. The standard incorporates many of the existing requirements from NIST, the Federal Risk and Authorization Management Program (FedRAMP) and other existing models.
“We will put the certification requirements for each contract in Sections L and M, and it will be a go or no-go decision,” she said. “It will not be used as a source selection tool.”
12 listening sessions to start
Arrington said DoD will hold 12 listening sessions across the country over the summer to get feedback and insights about the standard from industry and other experts.
She said the goal is to have the final draft standard out this summer with third-party assessors beginning to certify vendors in January 2020. DoD will begin adding the CMMC requirements in requests for information in June 2020 and by September 2020, it will add the standard to solicitations.
“We welcome having a standard because it’s a substitute for every contracting officer making a decision about what is most important,” said Alan Chvotkin, senior vice president and general counsel for PSC. “The long pole in the tent for me is how fast can they move to get the standard in place and then get the body or group of people in position to begin certifying contractors? This will be a very competitive discriminator in the marketplace. A lot of people are nervous about whether DoD will only do the big six contractors or where are we going to be as both a prime and a subcontractor.”
Arrington said DoD recognizes the standard can’t be so burdensome or costly that vendors will choose not to participate. She also said moving to CMMC, like ISO 9000 and other similar certifications, will take time and have some fits and starts.
“The committee is concerned that contractors within the defense industrial base are an inviting target for our adversaries, who have been conducting cyberattacks to steal critical military technologies. Currently, the Department of Defense mandates that defense contractors meet the requirements of NIST Special Publication 800–171 but does not audit compliance to this standard.
“The committee is concerned that prime contractors are not overseeing their subcontractors’ compliance with these cybersecurity requirements through the entire supply chain and that the Department lacks access to information about its contractors’ subcontractors,” the committee states in its report on the bill. “The committee believes that prime contractors need to be held responsible and accountable for securing Department of Defense technology and sensitive information and for delivering products and capabilities that are uncompromised. Developing a framework to enhance the cybersecurity of the defense industrial base will serve as an important first step toward securing the supply chain.”
Public incentive to secure the supply chain
SASC says DoD should provide direct technical assistance to contractors, tailor the requirements for small firms based on risk in a way that does not shrink the industrial base, and evaluate both incentives and penalties tied to non-compliance and to vendors’ cyber performance.
Lawmakers want DoD to provide the Senate Armed Services Committee a briefing by March 2020 and provide quarterly briefings on how it and its vendors are implementing the standard.
For these and other reasons, DoD’s explicit statement that it is willing to pay for cybersecurity as an allowable cost is so important.
Some may say security has always been an allowable cost as part of the basic overhead vendors can charge the government on time-and-materials and cost-plus type contracts.
The difference, however, is that DoD is not only saying this publicly, but also using it as an incentive to get vendors to buy into CMMC more quickly.
Chvotkin said by making security an allowable cost, DoD is acknowledging there is a cost that vendors bear and therefore the government must bear.
“This is an incentive not to force companies to trade off security with other expenses so the government is willing to reimburse some share of that,” Chvotkin said. “It may not be 100%, but it is better than eating the entire cost. That share will likely be based on the contract. The goal is to elevate everyone up above a basic hygiene level and this is why DoD is acknowledging there is a cost of going beyond basic hygiene.”
Chvotkin said cyber would not be an allowable cost in the same way under firm fixed price contracts. He said typically a vendor with a firm fixed price contract adds general overhead as part of the final cost to the government.
Arrington said for too long DoD talked about cost, schedule and performance and the Pentagon and its contractors viewed security as a tradeoff with one of those three.
“Cost, schedule and performance are only effective in a secure environment. We cannot look at security and be willing to trade off to get lower cost, better performing product or to get something faster. If we do that, nothing works and it will cost me more in the long run,” she said.