One of the primary tensions within the Department of Defense's efforts to raise the cybersecurity bar for its defense industrial base is setting standards without eroding the military’s supply of small businesses.
On the one hand, military officials have insisted that they must hold defense contractors to a higher cybersecurity standard if they are to beat back the increasing volume of hacks, data breaches and attacks targeting U.S. military assets over the past decade.
On the other hand, the department is desperate to reverse already existing trends of small businesses and startups, who often provide much of the innovative technologies DoD relies on, exiting the defense contracting space. According to a recent analysis by Amanda and Alex Bresler of PW Communications, the total number of small businesses in the U.S. defense market shrank by nearly a quarter (23%) over the last six years, from an estimated 68,000 companies in 2015 to about 52,000 in 2021. That's potentially thousands of fewer small businesses and startups for DoD to tap.
Defense contractor security: A top down approach
The issue was top of mind for many lawmakers at a Senate Armed Services Committee hearing this week. Sen. Joe Manchin, D-Va., noted that many hacks in the defense industry happen from the “bottom up.” That is to say, threat actors tend to exploit weaker links in the supply chain – often small businesses with inadequate security protections – as a means to gaining access to larger contractors and federal agencies.
“Today it seems like our larger contractors, we can hold them accountable; but the smaller contractors in many cases may have excellent capabilities specific to a particular product but do not have the capabilities in house to take care of their cyber protection needs,” said Manchin, who expressed openness to considering new federal programs.
Ellen Lord, who served as undersecretary of defense for acquisition and sustainment until 2021, also promoted the concept to lawmakers, saying many smaller businesses need expertise and help covering the costs that come with federal cybersecurity standards. A model where the federal government or larger prime contractors can step in to provide certain services or take on some of cybersecurity load would make sense.
“I think there are a couple ways we could go about [improving security at small businesses]. One: there’s some resources inside of the department to help and mentor on that – [for] what is a minimum viable cybersecurity posture,” said Lord, now a senior advisor at The Chertoff Group. “Secondly, I think that’s one of the ways that small companies can partner with large companies with a mentor-protégé type arrangement, which actually benefits not only the small company but the large company.”
It's a concept the Pentagon is already working on.
Last week, Stacy Bostjanick, director of the Cybersecurity Maturity Model Certification program at DoD, told SC Media in a moderated discussion that the Pentagon is actively considering the potential for a model that could allow the government or another third party to manage the security needs of smaller businesses.
"One of the things that the department is talking about that we're actively pursuing is trying to figure out cybersecurity as a service. Something, an environment, that can be provided that would allow companies to operate and be secure," said Bostjanick. "Now, undoubtedly your endpoints are still going to have to be taken care of, there's still going to be some responsibility for cybersecurity...but if we can provide an environment for people to operate and it's not as costly as having to implement [every federal requirement], that would be where we're looking to try to help and mitigate."
David Berteau, President and CEO of the government contracting lobbying shop the Professional Services Council, said a program where the federal government securely managed certain assets such as servers and other infrastructure is “worth pursuing” but expressed skepticism that the federal government was guaranteed to produce better outcomes.
“The problem is [Cybersecurity-as-a-Service] is a huge cost for the government and frankly I’m not optimistic that the government can do this more effectively than the companies themselves can,” he said.
A more important shift would be dealing with the associated costs. A $20 million company that has to spend $100,000 annually to comply with federal cybersecurity regulations would very likely need to raise its contracting rates to levels that would remove them from many competitive bids.
Berteau floated two other ideas to boost small contractor participation: reauthorizing the Small Business Innovation Research which provides incentives for smaller companies to work on research and development projects for the government that also have commercial appeal, and building contracts to hold contractors accountable for cybersecurity outcomes, not just metrics.
“From my perspective, if you’re focusing on outcomes, you’re going to focus a whole lot less on what the rate ought to be and what the return is and getting the results in place if you start rewarding companies for delivering results as opposed to effort,” he said.
Waiting for cyber certifications
Defense contractors are also anxiously waiting for DoD to finish rulemaking for another initiative, the Cybersecurity Maturity Model Certification program. It's designed to map contractor cybersecurity capabilities along one of three defined "levels" that will eventually make their way into DoD contract requirements.
Berteau said that defense contractors and federal agencies can’t do much at this point beyond waiting for the Pentagon to finish its regulatory process around CMMC. The program is currently going through a rulemaking process under Title 32 of U.S. law, which governs regulations that deal with the national defense. Following that, it will also need to undergo an additional round of rulemaking later this year under a different section of U.S. law, Title 48 that covers federal acquisitions.
“Almost every company I know and that participates in the defense business today at the prime contractor level – whether large, medium or small – is already investing in and has a plan on record for compliance in meeting those standards,” said Berteau. “The real question is do those standards go far enough in order to protect us against the evolving threat, and nobody really knows the answer to that.”
Bostjanick said that the department’s is hoping to have the interim rule for the next process land in May of this year, clearing the way for Defense officials to begin actually implementing the program with U.S. defense contractors as they work on other issues, like handling international suppliers.
Berteau said that despite the fact that CMMC requirements have been tied to existing government contractor regulations on cybersecurity – namely the National Institute for Standards and Technology’s 800-171 document – precisely how and when those requirements will be formalized remains less than clear.
“What we don’t know is what’s the next standard we’re going to have to comply with, what’s the timeline in which the flag will go down and you have to be in compliance and what can you do now to be ready for that when you don’t know what standard you’re going to have to meet,” said Berteau. “So there’s a lot of ambiguity there, but a lot of people are moving forward anyway.”