WT Business Beat

By Nick Wakeman


Activity around DOD's new cyber certification to heat up in early 2020

Activity around the security requirements of the Defense Department's new cybersecurity certification program for contractors will heat up in early 2020 with those specifications expected to show up in solicitations in June.

That means now is not the time to sit back, according to panelists at the ImmixGroup Government IT Sales Summit in Reston, Virginia on Thursday.

DOD's Cybersecurity Maturity Model Certification requires that defense contractors certify that they meet a slate of current security requirements and standards. These are not new requirements in themselves.

What is new? Third-party auditors will assess contractors and score them on a scale of 1 to 5, with 1 being the lowest level of maturity and 5 being the highest. Simultaneously, defense solicitations will include the needed CMMC levels as a requirement.

For example, an Army procurement can say bidders must have CMMC level 3 and above in order to qualify.

“If it says Level 3 and you are Level 3, you are OK, but if you are a Level 2, you can’t bid,” said Larry Allen, a managing director at BDO USA.

Fellow panelist Robert Burton, former deputy administrator for the Office of Federal Procurement Policy, agreed but also described a dark side. Burton said there is a risk that agencies will over-require the CMMC level they need.

“The government is not going to put out an RFP or an RFQ that is Level 1 or 2,” he said. “We are going to see a lot of Level 4 or 5 when Level 1 or 2 is fine.” The end result will make CMMC compliance “very expensive and a burden for a lot of small business contractors,” Burton said.

Agencies are shifting more of the risks and responsibilities for security compliance to the contractors, and the requirements will likely flow down to subcontractors, Allen said.

“The government is very concerned about the subs and things sneaking in,” Burton said. “There will be mandatory subcontractor requirements. That’s my prediction.”

Allen said contractors need to closely track what the Defense Department is doing. He praised DOD for communications with industry and how it is rolling out changes. Right now, the CMMC requirement is at 0.6 with 0.7 coming in December.

“Stay up to date with what’s happening,” Allen said. “Start to identify the third parties that can help you.”

Allen expects those third parties to begin self-identifying and marketing themselves as 2020 gets underway.

“At the start of the calendar year, you’ll see third parties being identified,” he said. “We don’t have a long time to get this done.”

Once DOD has CMMC underway, the expectation is that the requirement will move over to the civilian side of the market. Allen said that will probably happen in 2021.

Posted by Nick Wakeman on Nov 25, 2019 at 10:55 AM

