Activity around DOD's new cyber certification to heat up in early 2020

Activity around the security requirements of the Defense Department's new cybersecurity certification program for contractors will heat up in early 2020 with those specifications expected to show up in solicitations in June.

That means now is not the time to sit back, according to panelists at the ImmixGroup Government IT Sales Summit in Reston, Virginia on Thursday.

DOD's Cybersecurity Maturity Model Certification requires that defense contractors certify that they meet a slate of current security requirements and standards. These are not new requirements in themselves.

What is new? Third party auditors will determine and score the contractors on a scale of 1 to 5, with 1 being the lowest level of maturity and 5 being the highest. Simultaneously, defense solicitations will include the needed CMMC levels as a requirement.

For example, an Army procurement can say bidders must have CMMC level 3 and above in order to qualify.

“If it says Level 3 and you are Level 3, you are OK, but if you are a Level 2, you can’t bid,” said Larry Allen, a managing director at BDO USA.

Fellow panelist Robert Burton, former deputy administrator for the Office of Federal Procurement Policy, agreed but also described a dark side. Burton said there is a risk that agencies will over-require the CMMC level they need.

“The government is not going to put out an RFP or an RFQ that is Level 1 or 2,” he said. “We are going to see a lot of Level 4 or 5 when Level 1 or 2 is fine.” The end result will make CMMC compliance “very expensive and a burden for a lot of small business contractors,” Burton said.

Agencies are shifting more of the risks and responsibilties for security compliance to the contractors and the requirements will likely flow down to subcontractors, Allen said.

“The government is very concerned about the subs and things sneaking in,” Burton said. “There will be mandatory subcontractor requirements. That’s my prediction.”

Allen said contractors need to closely track what the Defense Department is doing. He praised DOD for communications with industry and how it is rolling out changes. Right now, the CMMC requirement is at 0.6 with 0.7 coming in December.

“Stay up to date with what’s happening,” Allen said. “Start to identify the third parties that can help you.”

Allen expects those third parties to begin self-identifying and marketing themselves as 2020 gets underway.

“At the start of the calendar year, you’ll see third parties being identified,” he said. “We don’t have a long time to get this done.”

Once DOD has CMMC underway, the expectation is that the requirement will move over to the civilian side of the market. Allen said that will probably happen in 2021.