The Cybersecurity Maturity Model Certification program is the Department of Defense’s latest effort to enforce cybersecurity requirements for contractors. While CMMC is not necessarily new — read below for more information about CMMC’s history — there are a few things contractors need to know about the program as it becomes a defense contract requirement.
In this Executive Spotlight interview, we spoke with Eric Noonan, CEO of CyberSheath Services International, to find out what exactly contractors should know about the upcoming changes, how CMMC will affect contractors and why cybersecurity requirements are so important.
Read below for Noonan’s full interview.
GovCon Wire: What’s your outlook on the global defense landscape? What significant changes or trends are you seeing, and how are those factors moving the GovCon market?
Eric Noonan: A really interesting and universal trend is the focus on cybersecurity, and supply chain cybersecurity more specifically. There’s a regulatory trend because by and large, particularly here in the United States, defense contractors have been left to their own devices relative to cybersecurity, to kind of figure it out for themselves. While there have been expectations by the Department of Defense here in the U.S. around mandatory minimum cybersecurity for defense contractors, oftentimes it’s been an unaudited assumption that defense contractors are meeting these minimums and in fact, they’re not.
Globally, we’re seeing a larger shift towards regulation, because ultimately that’s the hammer the government has in order to force mandatory minimum cybersecurity. The government is regulating cybersecurity into their defense contracting base, and therefore into their entire supply chain. What we’re going to see in the next five to ten years is mandatory minimum cybersecurity requirements that are baseline requirements to even bid on defense contracts, certainly here in the U.S. but we’re seeing it with partners like Canada and other countries too. Ultimately we’ll get to that universal standard for U.S. defense contractors.
GCW: Why is cybersecurity so important in the defense landscape?
Noonan: I think most Americans would be shocked to know that defense contractors largely are allowed to self-certify to their level of cybersecurity and how compliant they are. So generally speaking, when a defense contractor wins a new contract, they by default take on a bunch of minimum requirements that they have to meet. But the thing is, the government never checks, so there’s no audit mechanism. It would be as if you’re allowed to self-inspect your own car and put a sticker on it.
That’s really the state of play in the defense market today here in the United States. Most defense contractors decide that any investment in cybersecurity comes right off the bottom line, and that ultimately can hurt profitability, so they’ve largely forgone these investments. The DOD has come out and said cybersecurity is foundational, so if you want to do business with them, you have to meet these requirements. They are now auditing defense contractors against these requirements, and I think ultimately that’s the only way we get better at cybersecurity.
We’re seeing that across the entire U.S. economy. If you look at the Securities and Exchange Commission, the Department of Defense, any number of agencies in the federal government, they are now regulating their constituents and their supply chains, because they recognize that cybersecurity is such an imperative, strategic, important capability for us here in the U.S.
GCW: Can you talk about CMMC? Where are we with CMMC right now?
Noonan: The Cybersecurity Maturity Model Certification has actually been required for almost 10 years now. These requirements have been in and are in well over one million contracts today by another name. They’re typically referred to as the DFARS 7012 clause. These requirements — these 110 things that defense contractors have to go do: really basic blocking and tackling around cybersecurity, things like multifactor authentication, whole disk encryption, having an incident response policy, very basic capabilities — these have been required for almost a decade, but there was no audit mechanism. By virtue of taking the contract, a defense contractor was effectively saying that they were meeting the requirements.
We’ve commissioned several independent research studies to really study if defense contractors were meeting these requirements. What we found out through these studies, and what the government found out, is they weren’t; they were taking the contracts but not implementing the security. Again, to my comment on the bottom line, if you don’t make these investments, you’re theoretically more profitable for having not made them, but far less secure. So CMMC is really just the auditing of what defense contractors have long been required to do.
It’s been a long time in the making — four to five years depending on when you start counting. It is here; we expect the final rule in the fourth quarter of 2024. What that will mean is contracts moving forward will have this independent third-party audit to now enforce what has long been required of defense contractors.
GCW: How do you think CMMC will address some of the cyber risks government contractors face?
Noonan: This is an area where I think actually the U.S. government deserves a lot more credit than they’ve gotten for the public-private partnership that they forged with the defense industry. Again, these requirements have been around for about a decade now, and it started as a public-private partnership between the DOD and their large primes. This began with DOD leaders saying, ‘How can we be better together? How can we share threat information? How can we get defense contractors to report when they have a cybersecurity incident? What are the legal and operational barriers to us doing some of these things together?’ So this public-private partnership is probably one of the most successful between the DOD and their prime and subcontracting base. Ultimately, this provides a way to enforce all the good work that’s come as a result of that public-private partnership.
It really gives the DOD greater confidence when contracting with a defense contractor. The government now knows that it’s a level playing field. Every contractor is going to have to meet mandatory minimum cybersecurity requirements, and so therefore, whoever they award the contract to, security’s not really in question. There’s a built-in mechanism for reporting for threat information sharing. There are huge gains relative to cybersecurity that the government gets with CMMC, and frankly, there are lots of gains for contractors as well, even if it may feel like a forcing function to do the things that have long been required.
GCW: How will CMMC requirements affect contractors?
Noonan: One of the really interesting perspectives on this is that it really should have very little effect because again, these requirements have been mandatory for almost 10 years now. So in some ways, the government’s saying, ‘We’re just enforcing what you’ve already said and been attesting to by virtue of taking these lucrative contracts that you’re already doing.’ Now, we know that’s not the case. We know that it’s been a bit of a don’t ask, don’t tell environment in defense contracting for a long time as it relates to cybersecurity, where defense contractors have taken the contracts but not made the investments.
The big difference here is that defense contractors will have to make these investments, they’ll have to do it to the level required by the DOD, and they’ll have to bring in an independent third party to audit the fact that they’re meeting these requirements. And then ultimately, the big gain — going back to the public-private partnership — is that we, the taxpayers of the United States, get a secure defense industrial base, which is one of the 16 critical infrastructure sectors. And so there’s great benefit to national security as this rolls out.
For defense contractors who are confused, don’t know where to start, or otherwise are not sure what to think of CMMC, there is a free virtual event that we’re hosting on September 25th: CMMC CON 2024. It’s free, it’s virtual, and the reason for that is because we’re really trying to get the information out there because for many defense contractors, this is a surprise and some feel like this is a tax. This is a no-cost event to try and help defense contractors understand how they can do this cost effectively and at scale.