Facing ‘nightmare scenario,’ feds suspend cybersecurity requirements for defense manufacturers

Afederal program that issued sweeping cybersecurity requirements to any manufacturer doing business with the U.S. Department of Defense is undergoing significant changes.

Last month, the Defense Department announced that it will suspend and scale back some of the requirements spelled out in the Cybersecurity Maturity Model Certification (CMMC) program, which launched at the beginning of last year and was designed to more effectively safeguard controlled, unclassified information that comes with defense projects.

Want more news like this every weekday? Get the free MiBiz Morning Edition newsletter.

The CMMC program originally relied on third-party assessors to ensure that anyone doing business with the federal government — whether as a prime contractor or sub-contractor — was meeting new and enhanced cybersecurity measures.

The CMMC process proved daunting and expensive, especially for smaller manufacturers that belong to this vast defense industrial base, including many in West Michigan. The latest changes signal a more collaborative approach from the Defense Department as it rolls back some of the requirements and streamlines the process for gaining levels of certification. 

Still, experts warn that suppliers should continue moving forward in their efforts to beef up their cybersecurity posture.

A do-over

When it was rolled out, the CMMC program was met by a mostly shell-shocked defense industrial base.

“The problem is, I don’t think the (Department of Defense) understands their contractor base,” Jeff Farr, CEO of Florida-based consulting firm Prescott, told MiBiz. “For example, everyone says there are about 300,000 subcontractors, but it’s really closer to one million. The DoD doesn’t really have any visibility below the primes.”

Farr added that he believes the Defense Department “didn’t understand how (the program) would be received” when it was rolled out.

“All the small businesses looked up and said, ‘You gotta be freaking kidding me. This is massive and it’s expensive and look how hard it is.’ (The department) lost the PR campaign.”

The daunting cybersecurity requirements were poised to disqualify some manufacturers from the Defense Department’s supplier base. Estimates for how many the department would lose ranged from 10 to 20 percent. However, Farr said the department was poised to lose as many as half of its suppliers.

“Then the Department of Defense has an absolutely nightmare scenario on its hands,” Farr said. “The roll back is trying to say, ‘Wait a minute, we’re going to work with you and be collaborative.’”

Rolling back

CMMC 2.0 was designed to streamline the program from the previous five levels to just three now. Level 1 of the CMMC program features 17 controls and is designed to protect federal contract information. It’s fairly easy to attain and companies can self-attest that they meet the standards.

Level 2 of CMMC 2.0 is designed for companies that handle controlled unclassified information. The guidelines for this level now mirror those of National Institute of Standards and Technology (NIST) 800-171, which are cybersecurity measures that were mandated five years ago. Defense suppliers should already be adopting these practices, but many are not because there is no third-party assessment involved.

The CMMC program initially tacked on 20 additional controls for this level, but has since rolled those back. Now, contractors are left to satisfy the standards of NIST 800-171, which is still laborious. 

“The DoD is calling everyone’s bluff — they told everyone five years ago when NIST 800-171 was required to build the costs of implementation into indirect cost pools and charge us more,” said Ryan Bonner, founder and CEO of nationwide compliance consultant DEFCERT. Bonner was also part of the team that wrote the original CMMC assessment guides.

“The DoD never saw a huge price increase in what they paid, and the primes didn’t either. Practically, the DoD knows no one is doing anything about it,” he said.

Finally, Level 3 of CMMC 2.0 will eventually be required for companies that contribute to critical infrastructure projects, such as nuclear plants and the electrical grid more broadly. 

In limbo

Amid the highly technical and shifting requirements, experts say small defense subcontractors should still continue to beef up cybersecurity in accordance with NIST 800-171 to prepare for CMMC 2.0.

“I’ve been working with clients for years. Many of these companies were supposed to be doing this anyway and now we have companies that are knowingly not following NIST 800-171,” said Chad Paalman, CEO of NuWave Technology Partners LLC, an I.T. firm with offices in Grand Rapids, Kalamazoo and Lansing. “They would self-attest that they were compliant knowing they’re not, and that was frustrating and much of the reason we had such enthusiasm for CMMC.”

“My advice for West Michigan small businesses is: Don’t think you can just not do anything,” Paalman added. “In fact, I would use this as an opportunity to maybe accelerate your adoption to what you should have already been doing anyway.”

Specifically, companies are awaiting new CMMC guidelines that dictate when they can self-attest and when they must undergo a third-party assessment. The assessment, after all, is one of the costliest components of the program.

Nathanael Dick, ​​information technology manager for Grand Rapids-based technology engineering firm DornerWorks Ltd., said his company was prepared for an assessment before the changes came down.

“We’re now punting and we’re just kind of waiting for guidance to come out about that,” said Dick, whose company does a significant chunk of its work providing technology to the defense industry. “We did a NIST 800-171 self-assessment in May and did get certified by the assessor for that. Most of the CMMC 2.0 will map directly to that. … That will take us to the Level 2 area of CMMC 2.0.”

Dick said some quotes for a third-party assessment ran as high as $70,000, which  is why he hopes the company can self-attest and still gain CMMC certification.

Ultimately, though, Dick sees any added cybersecurity guidelines as a positive for the defense industry and an attractive value add for the companies that embrace it.

“Everybody is worried about how you’re treating their project data,” he said. “What we do at DornerWorks is we can say this is what we’re doing to protect it and we can validate it by having these external auditors like CMMC come in. It’s just a way to continue our success with security.”

Comments are closed.