The Department of Defense has been working overtime to get the defense industrial base onboard with coming changes to cybersecurity standards for contractors. But it has another important constituency to prepare as well: defense agencies and the military itself.
The program management office leading those new standards — the Cybersecurity Maturity Model Certification (CMMC) — has been holding bi-weekly meetings with the services’ acquisition leaders to get the contracting officers across the military ready for the changes.
CMMC is the DOD’s new five-tiered system of controls that contractors will need to be assessed against in order to win a contract. Under the model, contracting officers will need to learn to mark new contracts with an appropriate level of CMMC requirements to ensure that data sent to contractors with certifications will have the right level of protection.
“Understanding what your data is, that is the very big issue everyone needs to get in line with,” Stacy Bostjanick, director of the CMMC standard, said Wednesday during an SNG Live virtual event on CMMC.
Other DOD officials have said the Defense Acquisition University has also changed its curriculum and training to train officers for changes under the shift to CMMC.
Understanding the type of data sent to a contractor is no small task, especially on large contracts with many subcontractors. CMMC requirements will flow down to subcontractors, but not necessarily at the same level as a prime. That means contracting officers will need to design systems and contracts to hand over the most sensitive data to only the contractors with a higher level of CMMC certifications and segment out less sensitive data in subcontracts, Bostjanick explained.
If they don’t, they risk fencing off small businesses that can’t certify at a higher level of CMMC from working on some DOD contracts. Bryan Rosensteel, a security architect at Duo Security, equated it to the tendency in the past to overclassify data in the defense community, which puts information and work out of the reach of contractors who don’t have the resources to earn security clearances. Getting a clearance or a CMMC level three certification or above are both time-consuming and expensive, especially for small businesses.
Contracting officers need to be “aware of and only flow the data that is necessary,” Bostjanick said of what her office is trying to communicate to the contracting community.
Rosensteel said the architecture of networks needs to be designed to optimize for both visibility and security. The more visibility both contractors and contracting officers have into where data is on a network, the better, he said.
“We can certainly get to the point where we understand data flows and who is getting access to what type of data,” he said for both government and private sector network managers preparing for CMMC. “There shouldn’t be any surprises.”