Fahey: Pushback from industry over cost of CMMC 'upsets me a little bit'

By Marjorie Censer / January 21, 2020

One of the Pentagon's top acquisition officials told Inside Defense this month he sees the Pentagon's Cybersecurity Maturity Model Certification program as critical -- despite industry's complaints.

In an interview at the Pentagon, Kevin Fahey, the assistant secretary of defense for acquisition, said the Defense Department simply must move forward with the effort.

"We can't afford not to do it," he said. "When you look at the amount of money we lose [through] stealing, it's far more than what it's going to cost to implement."

Fahey said the pushback from industry "upsets me a little bit."

"They're supposed to be there today," he said of contractors' cybersecurity, pointing to existing standards set by the National Institute of Standards and Technology.

"What we're finding when we do the assessments is they're not always where they should be," he said of contractors' cybersecurity. "So, the fact that we're now making it you need to be certified and them saying it's going to cost money -- you're supposed to be doing it anyway."

"And they should care about their stuff as much as I do," Fahey added.

He acknowledged the Pentagon has some concerns that CMMC may deter nontraditional companies from doing business with the Defense Department, but said it may also provide others with a fairer competitive landscape.

"I've got as many small businesses that provide what I would [call] critical, classified stuff that are thanking me for doing this because they've been NIST compliant, and they believe that their competition hasn't been," Fahey said. "It sort of levels the playing field."

Additionally, he told Inside Defense the "harder part" is training prime contractors about requiring the proper CMMC level from their subs.

"We've done audit after audit and assessment after assessment, and, in a lot of instances, the primes haven't done a good job of flowing down what they should," Fahey said. "Part of it is the training of the primes on if your contract's [level] 5 because you're doing missile defense, it doesn't mean your subs have to be [at level] 5 depending on what you flow down to them."