Defense contractors across the U.S., including those in and around the District of Columbia, are facing new and more stringent information security regulations that require companies to pass additional hurdles before engaging in contract work with the Department of Defense and its ancillary agencies.
These regulations, some of which may begin appearing in RFPs as early as this spring, trace their roots back to early 2020 when the DoD, in partnership with Carnegie Mellon and Johns Hopkins, formed what is known today as the Cybersecurity Maturity Model Certification (CMMC) program, governed by the Cyber Accreditation Body (Cyber AB). The program requires all Defense prime and subcontractors who access, store and/or transmit Controlled Unclassified Information to implement a specified level of cybersecurity.
The upcoming contract requirement known as the DFARS 7021 clause adds a “trust but verify” component to the existing federal contract data protection requirements identified under DFARS 252.204-7012, Safeguarding Covered Defense Information & Cyber Incident Reporting. Prior to CMMC’s release, defense contractors were able to self-attest that their businesses were abiding by established contract security standards.
All that is changing now.
While these regulations will undoubtedly mean additional time and effort for defense contractors, they are essential to ensure that sensitive information is kept secure. With more than 500 government contractors in the Hampton Roads, Virginia, area alone, preparing for these new requirements is of utmost importance. Those who do so most efficiently and effectively are likely to come out on top in the highly competitive government contracting landscape.
To prepare for the new regulations, organizations should take proactive action to determine their gaps, prioritize resource allocation to address those gaps, and continually adjust to the moving target of cybersecurity compliance across the DoD contracting landscape.
Here are a few key steps for accomplishing those objectives:
— Review any existing (if applicable) or upcoming contracts to identify security requirements/DFARS clauses.
— Identify whether the business handles only FCI (Federal Contract Information) or the more sensitive CUI (Controlled Unclassified Information). A company’s contracting officer should be able to assist in determining this.
— Review NIST 800-171 controls in preparation for performing a security controls analysis.
— Ensure there is an established company-wide cybersecurity training program, to include initial and ongoing cybersecurity awareness and education. Continuous cyber training will empower and enable company personnel to identify threats and mitigate their business impact.
— Consider obtaining outside resources, either over the short-term or long-term, to supplement in-house resources: to help identify gaps in the organization’s readiness posture, assist with drafting operational security policies, and position the organization for continued CMMC compliance.
While these additional hurdles may mean additional time and effort for would-be contractors, they are in many ways sensible and attainable with the right amount of advance planning and resources. Since its inception, the CMMC Program has undergone multiple commentary periods, allowing for DIB contractors and cybersecurity leaders to provide constructive feedback.
The DoD and Cyber AB are committed to safeguarding important data, people, and systems from nefarious actors who would like nothing more than to execute a devastating cyberattack, so the hope is that the newer regulations will help eliminate confusion over the certification process while also easing the contractor burden of implementation.
The implementation of new and stricter information security regulations is causing anxiety among defense contractors in Hampton Roads and elsewhere across the country. These regulations, some of which may begin appearing in RFPs as early as this spring, require companies to face further scrutiny and pass additional hurdles before engaging in contract work with the DoD and its ancillary agencies.
However, while these regulations may mean additional time and effort for defense contractors, they are essential to ensure that sensitive information is kept secure. Those who prepare for these new requirements efficiently and effectively are likely to come out on top in the highly competitive government contracting landscape.
Greg Tomchick is CEO of Valor Cybersecurity, headquartered in Norfolk, Virginia, a provider of cybersecurity services to small to medium-sized businesses in technology, defense, and investment communities.