Protecting the DIB and DoD Supply Chain
The U.S. Department of Defense invests $1.8T every year in new weapons systems such as aircraft, ships, ground fighting vehicles and satellites and in new IT systems and capabilities delivered through prototypes or new procurement pathways. This is in addition to the annual procurement of offensive and defensive systems for front line fighting forces (Air Force, Army, Navy & Marine Corps).
These activities create, modify and manufacture existing and new technologies and Intellectual Property (IP) on many diverse digital platforms, residing with over 300,000 suppliers across the DoD's Defense Industrial Base (DIB), platforms which are exposed to cyber threats.
Recent cyber events have reinforced the view that if this IP gets into the wrong hands it could damage the effectiveness of the offensive and defensive capabilities of the US. The Council of Economic Advisers, in its 2018 report published by the Office of the President of the USA, estimated that the cost of malicious cyber activity to the US economy in 2016 was between $56B and $109B.
At the same time, the intangible costs of cyber-attacks on the DIB will be felt through the loss, damage or destruction of IP. This impact on the US competitive advantage, and the associated economic impact to DIB contractors, affects the flow of products and services through the DoD supply chain as well as the front-line fighting forces.
Cybersecurity is the Key in Acquisition
The U.S. DoD and the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognized this impact and acknowledged that cybersecurity is a foundation of the acquisition process, driven by the Defense Federal Acquisition Requirements (DFARS), a comprehensive suite of requirements setting out the expectations for the procurement and supply of products and services to the US military. Within these requirements is DFARS 48 CFR § 252.204-7012 (Safeguarding covered defense information and cyber incident reporting).
Under this regulation, DIB contractors and their subcontractors had been self-attesting compliance with NIST SP 800-171 practices since 2017. However, self-attestation did not fully address the requirement to ensure that suppliers to the DoD had actually implemented the appropriate cybersecurity practices. The DoD opened a formal DFARS case, 2019-D041 ‘Strategic Assessment and Certification Cyber Security Requirements’, to address the deficiency.
While this mandate initiated the processes to implement a methodology for assessing DoD contractors’ compliance with NIST SP 800-171 and the protection of Controlled Unclassified Information (CUI), and to get ready for the Cybersecurity Accreditation Ecosystem, the OUSD(A&S) immediately recognized a need to manage these activities in the interim.
On Nov 5, 2020, the Defense Department issued a notice formalizing an information collection for the next three years. It requires DIB contractors to submit their basic self-assessment of compliance with NIST SP 800-171 through DoD’s Supplier Performance Risk System (SPRS) starting Nov 30, 2020, so that acquisition officials can govern the use of controlled unclassified information (CUI) and DoD can immediately begin assessing whether vulnerabilities exist in its supply chain and take steps to correct such deficiencies.
This is part of an interim rule issued by DoD on Sept. 29, 2020 that implements its Cybersecurity Maturity Model Certification (CMMC) program in all DoD contracts by Oct. 25, 2025.