DEFENSE CONTRACTORS ARE A THREAT TO THE DEPARTMENT OF DEFENSE AND AMERICAN ECONOMY

“On March 23, 2020, Under Secretary of Defense for Acquisition and Sustainment, Ms. Ellen Lord, and Mr. Ty Schieber, Chairman of the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB), signed a Memorandum of Understanding (MOU) that established the roles, responsibilities, and authorities of each organization to help ensure a cyber-safe, cyber-secure and cyber-resilient defense industrial base.

The MOU states that DoD will only accept certifications from an assessor or a CMMC Third Party Assessment Organization (C3PAO) who has been accredited for assessments by the CMMC-AB.

“Why did the Department of Defense mandate the use of C3PAO’s to perform CMMC certification assessments?”

This question has come up in several LinkedIn posts and comments lately and appear to be a concern among defense contractors and sub-contractors.  Some individuals are concerned that the small businesses will be forced out of the market.  Others are concerned that it will be another bureaucratic mess.  No matter whatever the concerns are, one must keep an eye on the cause of such drastic measures.

You ask, “what is the cause?”

That is easy.  DoD contract DFARs currently mandate compliance to cybersecurity practices in accordance with NIST-800-171.  Any company providing services or products to the DoD must self-certify that they are compliant.  Cyber breaches have been rampant in spite of the fact that companies said they were compliant.  Billions of dollars were lost due to theft of American designs and innovation.

The result is the creation of CMMC to hold companies accountable to implement the cyber security measures mandated by the DFARs.  Katie Arrington, chief information security officer with the Office of the Under Secretary of Defense for Acquisition and Sustainment says – “CMMC has, and will remain a priority for the Department, and will safeguard our enterprise against cyber theft losses that cost our Nation $100 billion annually, and $600 billion worldwide, equating to 1% of global GDP.”

The model for the Accreditation body and Certification Body (C3PAO) is mandated by the Department of Defense and mirrors  the world-wide ISO management System certification requirements, ISO 17011 for the Accreditation Board, and ISO 17021 for the certified body.

Why did they choose this model?  Because it has been in effect for over 30 years and has proven to achieve the results of improving organizational management performance.

The issue with NIST-800-171 is there was no accountability for cyber security performance.  The ISO model is successful and repeatable and provides the schema to ensure cyber security breaches go down by verifying companies are compliant to CMMC.

Finally, the answer to the question – “Why ISO 17021 for C3PAO’s?”  CMMC will ensure a more level and fair playing field for companies bidding on DOD contracts, Arrington said. Today, she said, some small businesses bidding on work might self-attest that they meet requirements to handle certain kinds of information, but in fact only are planning to meet those requirements, while another business might actually be meeting the requirements. CMMC, she said, will ensure that only companies that actually meet requirements can compete for contracts.

“We need to make sure our industry partners are prepared to take on the work, and our third-party auditors will ensure that they are implementing the practices that we need in place to secure that national defense and our industrial base,” Arrington said.