DOD Will Help Small Companies Meet Cybersecurity Requirements

Dec. 8, 2019 | By C. Todd Lopez, DOD News

As the Defense Department moves forward with implementation of its cybersecurity maturity model certification, small suppliers to the department won't be left behind, the undersecretary of defense for acquisition and sustainment said yesterday.

"The cybersecurity maturity model certification is generically what ISO standards are for quality," Ellen Lord said at the Ronald Reagan National Defense Forum in Simi Valley, California. "Right now we know that we have incredible vulnerabilities due to cyber threats. We really are at a cyberwar to some extent. So it is not practicable to not have some level of standards that have to be met."

Photo: Ellen Lord, the undersecretary of defense for acquisition and sustainment, speaks at the Ronald Reagan National Defense Forum in Simi Valley, Calif., Dec. 7, 2019. (Photo by David A. Vergun, DOD)

When it comes to working on defense contracts, she said, cybersecurity standards are non-negotiable and, unlike things such as cost, quality or schedule, can't be traded as part of contract negotiation.

"We have rolled out a five-tier set of standards," Lord said. "The challenge is that we know our most vulnerable links are not the first, second or third tier in the supply chain. It's four, five, six, and seven."

Photo: An F-35 Lightning II performs during the Wings Over Houston Airshow in Houston, Oct. 20, 2019. (Photo by Air Force Senior Airman James Kennedy)

Those lower tiers in a supply chain — typically smaller companies that are just one of many providing products or services as part of a larger contract — might not be able to afford to meet the department's increasingly demanding cybersecurity requirements.

"So what we look to is our primes to help those small companies," she said, referring to the primary company on a contract. "We also look at the department as having resources to help bring those companies into compliance."

Lord said the department has been working closely with industry associations and holding listening sessions to understand the challenges small companies might have in coming into compliance.

"We understand there is a challenge and we don't want to lose those small companies," she said. "We actually have a couple of very innovative concepts that have just recently been put out to us about how to deal with this in terms of broader certifications that are easier for small companies. So I think in the next three months you'll hear more about that."

Photo: The U.S. Army Research Laboratory uses the "Shaker" to conduct experiments in multiaxial vibrations and develop technology to mitigate the danger it could cause to vehicles and structures, Sept. 26, 2019. (Photo by David McNally, Army)

The Defense Department, through CMMC, is looking to ensure that every company that works on a contract — no matter the size of its contribution — meets at least a basic level of cybersecurity that fulfills the security requirements of the contract. While not all companies are currently able to meet those requirements, Lord said the department won't leave them behind.

"Cybersecurity is critical," Lord said. "We understand the challenge to small companies. We are not going to put small companies out of business. We need them. We will find innovative ways to help make them cyber secure with the help of our large primes as well."