Cybersecurity Requirements for US Defense Contracts Expected in 2020
The US Department of Defense (DoD) is planning to protect its supply chain from threat actors by introducing a cybersecurity certification program for its contractors.
Undersecretary of defense for acquisition and sustainment, Ellen Lord, said the new cybersecurity maturity model certification program will play a vital role in ensuring that the companies seeking to win DoD contracts meet stringent cybersecurity requirements.
"The cybersecurity maturity model certification, or CMMC program, establishes security as the foundation to acquisition and combines the various cybersecurity standards into one unified standard to secure the DoD supply chain," said Lord.
The certification program is expected to be up and running in June 2020, with cybersecurity requirements included as part of new requests for information. These requests typically form part of the opening stage of awarding a new defense contract.
Under the program, five different levels of certification will be established that correspond to the importance of a particular system or subsystem which a contractor is bidding to work on.
"These levels will measure technical capabilities and process maturity," Lord said.
The framework for the CMMC program, which will be made fully available in January, was developed in partnership with the defense industry and leadership on Capitol Hill. It was also shaped in part through engagement with the public.
Behind the program is the logical concept that any business applying to do contract work for the US government should be required to demonstrate that they have taken reasonable steps to secure the computer networks from cyber-attacks. Ensuring that the cybersecurity policies and practices of the companies are up to snuff will not be the government's responsibility but will be undertaken by an as yet unconfirmed third party.
"Cybersecurity is a threat for the DoD and for all of government, as well as critical U.S. business sectors, such as banking and healthcare," Lord said.
Lord added that the DoD would be taking steps to assist small businesses to meet the requirements of the CMMC program.
"We know that this can be a burden to small companies, particularly, and small companies is where the preponderance of our innovation comes from," Lord said. "So, we have been working with the primes, with the industry associations, with the mid-tiers, with the small companies on how we can most effectively roll this out, so it doesn't cause an enormous cost penalty for the industrial base." Source: Information Security Magazine