In 2020, an ambitious Defense Department effort to account for its suppliers’ cybersecurity dragged much of the community along kicking and screaming, but it represents a new collective policy thrust that won’t be dismissed.
The program, led by Katie Arrington, the chief information security officer for Defense acquisitions, is based on the idea that the government should incorporate security standards into its contract administration. Arrington’s presentations on the program often include an estimate of how much is lost each year through cyber disruptions—$600 billion, according to research cited in the DOD’s answers to frequently asked questions about the program—and highlight intellectual property theft by China.
Before the idea of CMMC (the Cybersecurity Maturity Model Certification), companies within the defense industrial base simply pledged their adherence to cybersecurity practices outlined by the National Institute of Standards and Technology. A 2015 rule required Defense contractors to report cyber incidents and to provide “adequate security” using NIST Special Publication 800-171 to protect covered information. But it wasn’t until summer 2019 that the Defense Department started checking whether companies were actually implementing the standard.
Following a pilot in June 2019, the Defense Contract Management Agency officially stood up the Defense Industrial Base Cybersecurity Assessment Center and now does spot checks on companies. John Ellis, DCMA’s software division director, told consultant Leslie Weinstein the selection of companies for these is informed by DOD priorities and threats observed in the cyber realm.
However, more than a year in, the DIBCAC has completed about 100 audits,