Unified cybersecurity standards, allowable costs, and whether it makes a difference

“We have a great deal of standards for cybersecurity. What we are lacking is a unified standard,” Arrington said June 12 during a webinar sponsored by Government Executive. “It is a major undertaking, but just like we got to ISO 9000, we need to get there with cybersecurity. If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

That was Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber, quoted in the article, “Why DoD’s decision to make cybersecurity an ‘allowable cost’ matters.” That new “unified standard” is called the Cybersecurity Maturity Model Certification (CMMC).

Here’s a bit more:

And DoD is not taking aim at just the 20,000 prime contractors that it spends more than $250 billion a year with, but the approximately 300,000 vendors that make up its entire supply chain.

It’s surprising for me to think that cybersecurity was not an allowable cost. Since when is complying with government regulations not an allowable cost? Indeed, I’ve seen compliance with regulations separately priced into contracts, or compliance as a direct charge. If compliance were not an allowable cost, then government contractors would start drowning pretty fast. Why was cybersecurity supposedly different from facilities security, or any other unique-to-government requirement?

The government must be concerned that all the other firms in the supply chain aren’t getting up to standards at the expense of the government. A government official would think, “Why aren’t they complying? We’ll pay them to do it!”

Well, the contractor with substantial commercial business would then need to upgrade their cost accounting systems to be able to verify those costs to government auditors and price negotiators. They’d have to set up separate cost pools to collect the cyber compliance costs separately, then allocate them back to government work only, or else the increased overhead rates would adversely (and unfairly) affect their commercial business. Of course, the cost of cost accounting is an allowable cost too.

Then, of course, the commercial firm would have to finance the effort up-front to become compliant, which is no small feat. They could then start getting it reimbursed on government contracts, but that would also increase their proposal price, which would make them less competitive.

It is interesting that the DOD plans to directly pay for the physical capital assets of firms where there are supply gaps, but they won’t pay directly for intangible assets like cybersecurity. Instead, the DOD will pay for it on the back-end as an overhead cost — so long as you have the proper cost accounting systems to provide the certified cost data.

And then, this becomes the main drawback to industry’s participation. You have to get a whole team to meet security regulations which are long, rambling, and disjointed, and you also have to introduce new cost accounting systems, and then these management systems adversely affect the company’s culture and performance. It turns entrepreneurial action into bureaucratic action.

The DOD is trying to create a “unified standard” for cybersecurity. Besides the term being redundant — a standard is already unified — the fast-paced and diverse world of cyber will not stop to conform with government standards. We’ve heard the same thing with what were originally the “unified cost accounting standards” (unified was dropped for being redundant). It turned out that even accounting was too diverse and complex for firms to comply, even at the government’s expense. Why should cyber be easier to standardize than accounting?

One question we should ask of the new cybersecurity standards is whether or not government officials, when they devised the NIST standards five years ago, set out to create a unified standard. That may hold some clues for the future of the new CMMC standards.

At any rate, industry observers must be incredulous when they hear the following from a government regulator:

“Now what you need to do as industry is help me, help you. I’m not the enemy. I’m literally the one person in government who said, ‘Hi, I’m here to help and I’m legit here to help.'”

As these regulations tend to work out, contractors already well placed will have the most influence over the standards, and will expense the cost as an allowable overhead charge, and will then be best positioned to win contracts. Those firms that cannot devote huge resources to influencing and complying will inevitably find themselves confused and frustrated, and perhaps without a way of recouping expenses put to the task.
