At the recent National Defense Industrial Association (NDIA) Procurement Division Meeting, Ms. Katie Arrington, the Special Assistant for Cybersecurity to the Undersecretary of Defense for Acquisition & Sustainment, updated attendees on DoD’s new approach to addressing cybersecurity vulnerabilities. She stated the DoD will no longer compromise cybersecurity over performance, cost or scheduling in government contracts. The Pentagon estimates billions of dollars are lost each year in expertise and trade secrets as adversaries and bad actors target our defense industrial base.
The DoD’s new approach to cybersecurity will be a collaborative effort between industry and the U.S. Government as they transition away from the current self-reporting requirements under National Institute of Standards and Technology (NIST) 800-171. Known as the Cybersecurity Maturity Model Certification (CMMC) system, this new approach will use a tiered system based on the level of cybersecurity a contractor will be required to maintain in order to perform certain services or provide certain products. The range of certifications will span CMMC 1 to CMMC 5 with CMMC 1 being basic cyber hygiene. Certification under the CMMC will be performed by third party vendors and the CMMC envisions contractors receiving security scores during the performance of their contracts.
The CMMC system will apply to ALL government contractors who want to do business with the DoD. It is currently anticipated that these new requirements will be introduced in the Requests for Information (RFIs) and Requests for Proposals (RFPs) under Sections “L” and “M” during late fiscal year 2020.
Widerman Malek believes it will be only a matter of time before all federal agencies mandate similar cybersecurity protocols.
If you have any questions concerning this new development or current cybersecurity requirements, please contact Government Contracts attorney Jason Lagasca.