DoD Just “Upped” The Cybersecurity Game for Defense Contractors

If you are a defense contractor – prime, sub or vendor to one of these – and you were hoping that CMMC was going to go away, I don’t think that is going to happen – at least not on this president’s watch. Even if the party in power changes in January, I don’t think much will change, because no one wants to look weak on national security.

So, what just happened? The feds just released the Defense Industrial Base Cybersecurity Strategy 2024.

The DIB cybersecurity strategy plan is an implementation plan for all of the guidance that the feds have already released including the National Defense Strategy, the National Cybersecurity Strategy, the DoD Small Business Strategy, the DoD Cyber Strategy and the National Defense Industrial Strategy. Visually, it looks like this:

The strategy has four goals:

  • Strengthen the DoD governance structure for DIB cybersecurity
  • Enhance the cybersecurity posture of the DIB
  • Preserve the resiliency of critical DIB capabilities in a cyber-contested environment
  • Improve cybersecurity collaboration with the DIB

It does not take a genius to see that at least the first two goals are going to require DoD to tighten the cybersecurity requirements on the DIB. The third goal, in a very optimistic view, could be seen as lightening that load a little bit, but as you will see in a moment, that is not the case. The last goal just says we need to improve communication, and that is certainly true.

Note that nothing here says “throw a lot of money at the DIB with no quid pro quo”. There could be money if Congress chooses to appropriate it, but money is not part of the strategy. On the other hand, the Pentagon is not stupid; they know none of this will come for free, but they are going to try to put as much of it on your plate as they can get away with.

Those four “goals” will be implemented by achieving twelve “objectives” shown in the table below.

Objective 1.2 says more regulation. That means CMMC and the updating of the -7012, -7019, -7020, -7021 and -7024 DFARS clauses, plus the new “xx” DFARS clause that is part of the proposed CMMC regulation. The proposed CMMC regulation is broken up into two parts – CFR Title 32 and CFR Title 48. These are different titles of the Code of Federal Regulations. The Title 32 proposed rule is what was released as a Christmas miracle last year. The Title 48 proposed rule will, we think, be released in April. Getting all of this approved is what is required to complete objective 1.2. For more information on the Title 32 and Title 48 changes, check out this article from Breaking Defense.

Suffice it to say, none of this means less regulation, less compliance or fewer cybersecurity requirements.

In fact, according to Eric Crusius, a partner at the law firm Holland & Knight, these rules have “False Claims Act” written all over them. Check out my other blog posts for more information on the FCA; the Department of Justice has set up an entire team just to prosecute false claims.

Inside goal two, objective 2.1 says they are going to not so much trust, and definitely verify, what you are doing with respect to cybersecurity. Objective 2.3 says they are going to look for vulnerabilities in your world. You will be much better off if YOU find them than if THEY find them. Finally, objective 2.5 says they are going to rinse and repeat. Repeating something consistently is not something the government does well, so this part could be a bit bumpy.

Goal three is all about resilience. In case you have not noticed, there have been a few cyberattacks recently. These cyberattacks affect both small and large businesses, so no one is immune. What the DoD wants is that IF you suffer a cyberattack, they will still be able to depend on you to help the DoD achieve its mission. We have seen recovery take anywhere from a few days for a small attack to months (if ever) for a large one. While being able to recover quickly is important to you, it is equally important to the DoD.

The last goal basically says that this is an “all hands on deck” problem. DoD needs help from all of the companies that are part of the DoD ecosystem, from cloud service providers and Internet providers to cybersecurity companies and other critical infrastructure. This includes all of the cloud software vendors that you have come to depend on, most of which are not meeting DoD’s requirements yet.

There is a lot more to dive into, but this covers the basics. I will write more about this as it evolves and look for a video blog at Cybercecurity.us.

Oh, and don’t forget FAR 52.204-21, which governs basic cybersecurity requirements for all contracts, both defense and non-defense, with the executive branch. It maps closely to CMMC Level 1, and there is a draft out of a complete overhaul of that too. So, if you thought you were going to escape because you don’t handle CUI, think again.
