"The cybersecurity maturity model certification is generically what ISO standards are for quality," Ellen Lord said at the Ronald Reagan National Defense Forum in Simi Valley, California. "Right now we know that we have incredible vulnerabilities due to cyber threats. We really are at a cyberwar to some extent. So it is not practicable to not have some level of standards that have to be met."
When it comes to working on defense contracts, she said, cybersecurity standards are non-negotiable: unlike cost, quality or schedule, they can't be traded away as part of contract negotiation.
"We have rolled out a five-tier set of standards," Lord said. "The challenge is that we know our most vulnerable links are not the first, second or third tier in the supply chain. It's four, five, six, and seven."
Those lower tiers in a supply chain — typically smaller companies that are just one of many providing products or services as part of a larger contract — might not be able to afford to meet the department's increasingly demanding cybersecurity requirements.
"So what we look to is our primes to help those small companies," she said, referring to the primary company on a contract. "We also look at the department as having resources to help bring those companies into compliance."
Lord said the department has been working closely with industry associations and holding listening sessions to understand the challenges small companies might face in coming into compliance.
"We understand there is a challenge and we don't want to lose those small companies," she said. "We actually have a couple of very innovative concepts that have just recently been put out to us about how to deal with this in terms of broader certifications that are easier for small companies. So I think in the next three months you'll hear more about that."
The Defense Department, through CMMC, is looking to ensure that every company that works on a contract — no matter the size of its contribution — meets at least a basic level of cybersecurity that fulfills the security requirements of that contract. While not all companies are currently able to meet those requirements, Lord said the department won't leave them behind.
"Cybersecurity is critical," Lord said. "We understand the challenge to small companies. We are not going to put small companies out of business. We need them. We will find innovative ways to help make them cyber secure with the help of our large primes as well."