Defense primes highlight compliance needs, support for suppliers in reaching CMMC requirements

By Sara Friedman / November 6, 2023

Stakeholders from large defense prime contractors at an industry event last week emphasized the need for their suppliers to reach compliance with requirements under the Pentagon's Cybersecurity Maturity Model Certification program, while also highlighting how they are working together to provide resources.

“Compliance doesn’t equal security but make no mistake, both the adversary and the regulations aren’t going anywhere. So, it is important to have a plan, it is important to act now,” Raytheon Chief Information Security Officer Paul Escobedo said on a panel Wednesday.

“There is never going to be a good time,” Escobedo told event attendees. “In fact, the worst time is when you are in the middle of an incident and you are trying to figure out the level of compromise for you to figure out that you need a plan, that you’ve got to take action. The best time to take action is when there is none of that at your doorstep. It is not going away.”

Escobedo was joined on the panel by Northrop Grumman CISO Phyllis Schneck, Leidos CISO JR Williamson and former BAE Systems CISO JC Dodson. The daylong CMMC summit hosted by PreVeil featured a presentation from Cyber Accreditation Body CEO Matthew Travis and a session with National Institute of Standards and Technology fellow Ron Ross and Fabricio Corrales of the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center.

Williamson agreed with Escobedo, emphasizing how “compliance isn’t going away, and it is going to be a requirement to be able to bid on and continue to operate on these types of contracts.”

Suppliers can work with cloud providers in addition to prime contractors to address maintenance and upkeep of their environments that need to be protected, Williamson said.

Williamson said suppliers that decide not to reach compliance will “exit” the defense market because they will no longer be “eligible to function,” or at least not on their own in the defense industrial base without additional support from cloud providers.

Escobedo encouraged attendees to join industry groups like the Aerospace Industries Association and the National Defense Information Sharing and Analysis Center.

“We’ve put resources out there to help small and medium-sized businesses,” he said, adding: “You join a community where we are all working together to get better at cyber defense, where we are all working on how best to achieve some of the compliance that gets flowed down to us from the government. You become part of that larger group and collaborate and make sure we all have a voice, we are all working together and sharing information when we have it.”

Schneck, a former senior DHS cyber official, placed an emphasis on information sharing and the need for rapid dissemination of threat intelligence. The work that smaller companies do for primes is “critical,” Schneck said, and primes don’t want to hurt any part of their supply chain.

Prime contractors need suppliers because they can’t do 100% of the requirements in a defense contract, Williamson said, and there are suppliers that can do certain things better than the prime would be able to do on their own.

Traditionally, Williamson said, compliance has involved quality, safety and efficacy of performance. With cyber, there’s more of a look at “risks” for the customer, Williamson said, and as a result, compliance is “not negotiable.”

Williamson and Schneck agreed that in some cases the prime will need to step in to help its subcontractors reach compliance in order to protect the mission.

Meanwhile, CMMC stakeholders are eagerly waiting for the Defense Department to issue a proposed rule to implement the CMMC program. The rule was submitted for review on July 24 to the White House Office of Management and Budget's Office of Information and Regulatory Affairs. It's unclear when the proposed rule will be published.

Travis of the Cyber AB said there are a lot of stakeholders that needed to come to an agreement on the rule before it was sent to OIRA, including the Pentagon’s acquisition office, the DOD Office of the CIO, the military services and the DOD Office of the General Counsel.

Travis provided a timeline in his presentation of what the rollout of CMMC would look like if the proposed rule comes out in November. Under his estimate, there will be a 60-day public comment period that runs into February 2024, and the earliest that assessments could start, after publication of the final rule, is March 2025.

One potential complication is the November 2024 presidential election and its outcome, Travis acknowledged. When President Biden was inaugurated in 2021, the CMMC program was put under an internal review, and the resulting changes delayed the rollout for another two years.

There is also work to update NIST Special Publication 800-171, which serves as the foundation for CMMC level two. The second draft of 800-171 Rev. 3 is expected soon. NIST’s Ross said the publication is on a launch pad and it will not be very long before it is released.

NIST will also publish the initial public draft of NIST 800-171A Rev. 1 at the same time. The accompanying publication provides the assessment procedures for the 110 controls in NIST 800-171.

Ross said he expects to finalize both publications in the first quarter of 2024.