My fellow Americans … for the 18th year, October has been designated National Cybersecurity Awareness Month. In that time, we have seen exceptional innovation in technologies which have allowed us to create next-generation aircraft and offensive platforms for military campaigns, should such ever be needed.
However, we have also seen extraordinary advancements by our adversaries attempting to keep up with us by stealing our intellectual property and utilizing it to leapfrog the United States in limited capacities.
As a result, the United States Government instituted a number of cybersecurity “requirements” to which all Government Contractors (GovCons) must adhere. And while this has been in play for eight years, the Government had higher expectations of support. So, in 2019, the Government worked with Academia and Industry to create the Cybersecurity Maturity Model Certification (CMMC).
Band-Aids and Splints
While creating the CMMC program, those who were responsible (and in some cases still are) had some minor slips and falls, ranging from shuffling leadership teams in the Accreditation Body and DOD Leadership to revisions that reduced the scope of the framework to just NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations”. This became known as CMMC 2.0, which was released almost a year ago. Some end results included:
- Level 1 Organizations can self-attest.
- Level 2 Organizations could fall under a model that allows for self-attestation, but more likely all Level 2 Organizations will be required to be certified by a C3PAO.
- If Level 2 is defined in a solicitation, submitters must already be certified at time of submission.
- POAMs can remain open for up to 180 days; however, only certain controls can be covered by a POAM.
- Radio silence by the Department of Defense on progress toward formal codification of CMMC 2.0 as a final rule, resulting in GovCons kicking the can and waiting.
Medicine Tastes Horrible
Since CMMC 2.0 was released, the guidance from the Department of Defense, Cyber-AB, and most cybersecurity consultants has been to start preparing immediately.
But what does that really mean? Generally speaking, it means you should:
- Create a System Security Plan.
- Figure out what data types you have and whether they currently qualify, or are likely to qualify in the future, as CUI.
- Ascertain where you have gaps and construct Plans of Action and Milestones (POAMs) to resolve the initial findings.
- Properly define and submit your SPRS Score.
The main problem right now is that Industry continues to dig in and take a position of “I still don’t get it and I don’t have the money to do this” – OR – “I will do it when I actually see it in contract language.”
Either way, GovCons need to look at taking tactical next steps toward ensuring they can either 1) continue doing business with the DOD or 2) not be in breach of existing contracts because of former declarations of conformance with DFARS 252.204-7012, much like an 8-year-old taking a tablespoon of the worst-tasting medicine imaginable.
It’s all about the GovCons, right? W-R-O-N-G!
Regardless of what is being socialized, the one-sided approach by the DOD, finger-pointing at GovCons without consideration for how the DOD can also improve, is dead wrong. Case in point: SoundWay has helped numerous GovCons, and as we look at their contract language, it is quite interesting. You can have DFARS 252.204-7012 thrown in as simplistically as a row in a table of statutory obligations, without ensuring the GovCon is “paying attention to” this call-out. Or an 800-171 obligation is thrown in, but no DFARS clause. Or Authority to Operate-style language is requested for hardware and software, but nothing for how the business protects its operations. It is literally all over the place.
Recent information obtained by SoundWay supports that in any given year, 11 million contracts are executed by the US Government. Per GovWin, the DOD and its branches (including Veterans Affairs) represent 1,776,039 contracts in play to date.
When CMMC language comes into solicitations, additional protests are quite likely to occur for a variety of reasons. This could result in a significant increase to the current protest rate of .03% (RAND Corporation). Now, I know .03% doesn’t sound high, but factor in this:
- Details obtained by SoundWay from former Acquisition Officers support that for every protest, no fewer than 3 or 4 GS15/SES personnel are involved to execute Rule 4 within 30 days. Using the publicly available GS pay-grade scale, the lowest step for a GS15 equates to a burn of over $17,500 per month in personnel costs alone to respond to a protest. Considerably more if the protest is held with GAO. And if in a Federal Court of Appeals, well … you get it … it’s A LOT.
- So much so that for every 2,000 protests, the US Government could have purchased an F35 Jet Fighter. Trust me, the math holds.
The Defense Department and US Government at large must pull away from a culture of “the clause was put in – I’m good.” This approach has proven to be highly ineffective and a main factor for CMMC in the first place. In point of fact, this need was first identified back in 2013 by both GSA and DOD (Section II page 14).
But the Good News …
SoundWay is pleased to announce its partnership with the Advanced Assessment Academy to address this very challenge. To learn more about how SoundWay can help, contact us at CMMC@soundwayconsulting.com or speak with one of our training experts at (571) 210-0624.