Pentagon already scoring some contractors on cybersecurity via new assessment center

By Justin Doubleday / February 6, 2020

While the Pentagon's contractor cybersecurity certification requirement is still months away from showing up in contracts, a new Defense Department cyber assessment center has emerged over the past year and is already scoring some companies on their network security practices.

The Defense Contract Management Agency is running the evaluations through the newly established Defense Industrial Base Cybersecurity Assessment Center. It was organized last year after senior DOD acquisition officials began pushing DCMA to strengthen its oversight of contractor cybersecurity requirements, according to John Ellis, director of DCMA's software division.

DCMA officials established the center, known as the DIBCAC, and developed a new assessment guide for grading companies on their implementation of the National Institute of Standards and Technology Special Publication 800-171. Since 2018, a standard DOD contract clause has required contractors who manage controlled unclassified information (CUI) on their networks to protect it in accordance with the 110 controls laid out by NIST 800-171.

Last June, the DIBCAC launched a pilot program to test out the scoring methodology by doing on-site assessments at some of DOD's "largest contractors," according to a previously unreported memo signed by Pentagon acquisition chief Ellen Lord in November.

"The feedback and collaboration provided during this pilot helped streamline the methodology and documentation of assessment results," Lord wrote.

The scoring assesses the extent to which contractors have implemented the 110 NIST controls. Contractors have mostly been allowed to "self-attest" whether they are meeting the requirement by documenting a system security plan.

A DOD inspector general audit released last year found DOD often failed to verify whether contractors were meeting the requirements, while many companies were not implementing important cybersecurity controls.

Under the new methodology, when a contractor only submits a self-assessment to DOD, it's considered a "basic assessment" and results in a "low" level of confidence in the resulting scoring of the 110 NIST controls, according to Lord's memo.

But if the DIBCAC reviews the system security plan through "interviews, discussion and clarification with the contractor," the score is granted a "medium" level of confidence. And if DOD officials conduct an on-site visit to the contractor's facilities to validate the company's cybersecurity practices, the resulting score is given a "high" level of confidence, according to Lord's memo.

The scoring itself subtracts points for controls that haven't been implemented and is based on NIST 800-171A, a companion guide for "Assessing Security Requirements for Controlled Unclassified Information."

DOD officials are documenting the scores in a database, the Supplier Performance Risk System (SPRS), "DOD's authoritative source for supplier and product performance information," according to Lord's memo.

The assessments will continue even as DOD rolls out its much-anticipated Cybersecurity Maturity Model Certification (CMMC) program, Ellis said during a Jan. 22 webinar hosted by the Cyber Collaboration Center and eResilience.

DOD published the final version of CMMC last week. Beginning this fall, DOD will begin requiring contractors to obtain the required level of CMMC certification from a third-party auditor before they can compete for defense contracts.

However, DOD officials have also said CMMC will take more than five years to become standard in all new contracts. DOD plans on including the certification requirements in just 10 contracts this year.

Ellis said DCMA will continue its assessments, with a particular focus on programs the government has a special "interest" in safeguarding.

"Some flavor of DCMA assessments will continue even after CMMC is in place," Ellis said. "The government has an independent interest in certain programs and from time to time, DCMA will do assessments based on those interests."

And while companies may delay meeting network security requirements until CMMC comes along, working toward a high score on DCMA’s assessment will better prepare contractors for the certification program, according to Ellis.

"At its core, it's the same requirement," he said. "So the work you're doing today does nothing but solidify your foundation for when CMMC comes your way."

'No surprises'

The DIBCAC conducted 16 assessments between last June and September to validate the methodology before it was institutionalized by Lord’s November memo.

"We are conducting assessments nonstop and will continue to do so for the foreseeable future," Ellis said.

Typical on-site visits take a week, and DOD officials stay in contact with company officials throughout the assessment to answer questions and clear up any confusion.

"There are no surprises," Ellis said.

After the assessment is complete, DCMA and the DIBCAC take about 30 days to put together the final report, according to Ellis.

"The ultimate goal is we verify the companies are doing what they're supposed to do," he said.

The assessments conducted so far show large contractors generally have "very robust cyber capabilities," Ellis said. "We have also looked at companies that were very small, and quite honestly, we expected that we would see those companies have some less-robust capabilities, and that was confirmed when we showed up," he added.

The new assessment also provides DOD a way to score contractors at "a strategic level," rather than on a contract-by-contract basis, according to Lord's memo.

"While these efforts have been effective at the contract level, we have learned that efficiencies can be gained by strategically assessing a contractor's implementation of cybersecurity requirements at the corporate level," Lord wrote.

The information being made available in the SPRS includes the contractor's score, the scope of the network that was assessed, the date and level of the assessment, and the date a full score will be achieved if all 110 controls were not yet implemented, according to Lord's memo.

While many contractors have neglected to implement all 110 NIST controls, partly because of DOD's lax enforcement, Ellis noted that the department's buying authorities may take the new assessment scores logged in SPRS into account when awarding contracts.

"From a risk assessment perspective, if I scored that [low], you would have this massive negative number that says, 'This supplier is high-risk,' and I probably shouldn't be doing business with them," Ellis said.