The Pentagon’s approach to making cybersecurity a foundational part of acquisition is mandating new compliance requirements for the defense industrial base, which could potentially create a division between primes and subcontractors when it comes to information sharing.
An interim rule went into effect on Nov. 30 setting up the requirements for the Defense Department’s Cybersecurity Maturity Model Certification program, which will be rolled out over a five-year period. In the interim, contractors who handle controlled unclassified information will need to submit a self-assessment on their compliance with NIST 800-171 through DOD’s Supplier Performance Risk System when they submit a bid for a new contract or order.
While conducting a self-assessment has been required for all contractors since 2017, the interim rule will make the reports visible to DOD and hold primes and their subs accountable for achieving compliance with the 110 controls outlined in NIST 800-171.
The intent is to give contractors time to meet all of the 110 controls, but primes, such as Lockheed Martin, are encouraging their subcontractors who handle CUI to get their scores into SPRS now and not all contractors have been able to achieve full compliance.
“Some companies are being forced to submit a score that is actually a misrepresentation because they have not had the time to do a full check on compliance with NIST 800-171A,” Leslie Weinstein, CMMC practice lead at auditing firm OCD Tech, told Inside Cybersecurity.
Weinstein, a former DOD contractor said, “They are not trying to lie. They just have not been instructed to do this kind of assessment before and they are being rushed so the score is almost definitely not accurate.”
Primes have taken steps to help their subs become compliant with NIST 800-171 and the upcoming CMMC requirements.
“We have modified our contract terms and conditions to be compliant with the new requirements that went into effect on November 30th,” a BAE spokesman told Inside Cybersecurity. “In early November, we provided our suppliers a letter that explained the new requirements with the expectation of compliance, and shared resources for additional guidance.”
Scores submitted via SPRS are also only visible to DOD officials, and to not the primes who will be competing for contracts and the larger defense industrial base.
“At the end of the day if there is an issue we will hold the prime accountable for what happens during the conduct of their contract,” the Defense Contract Management Agency’s John Ellis said at an industry event last month. “We are not going to hold their suppliers accountable because that is a relationship between the supplier and the prime. From a government perspective, we hold the primes accountable for managing who they share information with and how they go about managing that.”
DOD has developed an assessment methodology for NIST 800-171, which establishes three levels -- Basic, Medium and High. The basic level is the initial self-assessments done by contractors.
Medium and High assessments will be conducted by DCMA after a contract is awarded based on the “criticality of the program or the sensitivity of information being handled by the contractor,” according to the interim rule.
The lack of an industry-focused database might lead some primes to establish their own environments to collect self assessments from their subs, which could put companies at an increased risk of a cyber attack if submitting a plan of action and milestones is required.
“When you talk about your plan of action and milestones, those are literally best practices that you have not fully implemented, which is a great roadmap for an attacker,” former Pentagon cyber leader Jack Wilmer, told Inside Cybersecurity. “You would be able to understand what basic controls a company hasn’t done.”
Wilmer was DOD’s chief information security officer and deputy CIO for cybersecurity before leaving the Pentagon in August to join the private sector.
“Government should have the responsibility of facilitating the information exchange among DOD, primes and their subs and ensuring they are all compliant,” Wilmer said. “There clearly needs to be an authorized or approved way that the government can display this data which could just be a score based on the self assessment and the names of your auditors.” -- Sara Friedman (sfriedman@iwpnews.com)