Can small businesses keep up with defense cyber requirements?

The Defense Department wants to know how well small businesses comply with its cybersecurity requirements, so it's going to start assessing their self-assessed security plans.

Nick DelRosso, of the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), said the agency will start reviewing companies in the coming months to learn more about acquisitions with smaller businesses and how they comply with DOD's cybersecurity requirements. 

The DIBCAC has mainly assessed large and medium size companies and hopes the study will illuminate "the level of compliance and understanding of cyber requirements with smaller companies who compose of the majority of the DIB" as "small companies face unique challenges" in implementing acquisition rules on safeguarding defense information and cyber incident reporting, DelRosso told FCW in an email.

That regulation pertains to the implementation of the security standards used as the basis for the Defense Department's Cybersecurity Maturity Model Certification (CMMC) program. However, DIBCAC's study is being conducted independently of CMMC and is not expected to affect the rulemaking, DelRosso said.

"At the DIBCAC, we work with many program offices across the government. We work with different entities that are finding a particular interest in cyber, and they're doing a lot of looking and trying to understand how compliant the [defense industry base] is with some of these requirements," DelRosso said March 29 during a virtual town hall meeting hosted by the Cybersecurity Maturity Model Certification program's accreditation body.

"So working with our partners, we're going to be examining companies which have self-assessed at a variety of score levels based on their [Supplier Performance Risk System] input, and we're going to perform a medium assessment on that."

Those medium assessments are meant to be largely paper-based reviews of system security plans, not their implementation, DelRosso said. The goal is to include a mix of assessment levels and at different sectors "and see if there's any patterns...that can be identified based on a score." 

DelRosso previewed the assessment process saying that the so-called "paper review" would start with DIBCAC contacting a contractor on a Monday and requesting that security plans and documentation be submitted by that Friday.  

"We request your SSP and any associated documentation, we perform a check through that SSP and make sure that it's likely that you're complying based on what you're saying. So we're not actually going out and verifying the implementation of that, just that you have the foundational paperwork in place for that," DelRosso said during the event. 

"We recognize not all companies have cybersecurity [subject matter experts] on staff and have different capabilities in performing self-assessments. This study will help inform program management offices of relevant acquisition insight such as risks to their supply chain," DelRosso told FCW via email. "In addition, this study may provide insights into the challenges faced by the [defense industry base] which will allow for better dialogue between the DOD and small suppliers."

DCMA, which sits under the undersecretary of defense for acquisition and sustainment, helps provide contract administration services for DOD and select federal agencies and other organizations. The DIBCAC is one of the agency's newer organizations that focuses on 

support to the Defense Department's CMMC program, such as vetting third-party assessment organizations. Those organizations, called C3PAOs, will be responsible for conducting CMMC assessments of defense industry companies. 

The medium assessments are slated to begin in "the next couple of months," no further details on timelines were revealed. The DIBCAC hasn't yet decided how many companies will be assessed, DelRosso told FCW.