CMMC version 1.0 will start rolling out in RFIs in June 2020. There will be cyber requirements, CMMC levels, in RFIs. Companies will have to go out, have an assessor come in and get audited, and they cannot start work — it is a go/no go decision at the time of contract award. If they are not certified to what the contract requires, they will not be awarded work.
We don’t want to put small business out. We do not want to lose new technology. But I’ll tell you, from being on the outside coming in, it never was about the money coming to work for the Department. The biggest barriers for industry to get [defense work] have nothing to do with money. They have everything to do with waiting and not understanding the requirements. Two years to get a new technology a sponsor and an ATO [Authority to Operate] is too long. Especially if you’re a startup.
RFPs will start to be released in October 2020.
That was Chief Information Security Officer Katie Arrington discussing the Cybersecurity Maturity Model Certification (CMMC) at a DAU/NavalX event, “Thinking Differently: Cybersecurity and the Adaptive Acquisition Framework.”
Seems like a bold statement to say that money is not a big barrier to entry for firms. Indeed, the two years of waiting a firm has to go through to get defense work is all about making the funds available through the PPBE process! Waiting and money are intimately tied.
If it were just a problem of waiting and not money, then there would be plenty of VCs throwing down capital under the expectation that government revenues will be there on the back end. But the uncertainty and often small amounts devoted to new firms is precisely what keeps many VCs away from defense firms.
Contracts
Later on, Ms. Arrington properly identifies lowest-priced technically acceptable contract awards as a major impediment. Firms that invest in cybersecurity will likely have higher prices. A recurring outcome is that the cyber-insecure firm wins the contract with a lower cost and provides a POAM to correct any perceived deficiencies, but never follows through because it wasn’t funded to it. And so CMMC levels audited by a third-party will be strict requirements in future contracts.
A complication to that story is that a firm investing in cybersecurity may not be able to charge higher prices to recoup the investment cost, particularly if they have commercial business. This is a continual struggle. Higher costs due to government compliance is expensed to overhead or G&A accounts, but cannot be traced to specific government contracts. Cost auditors would then count them as unallowable costs. Here’s Ms. Arrington:
Security will become an allowable cost. I am only asking you to do what I’m paying you to do. But I’m going to audit that you’re doing it.
The Navy has taken the lead in making cybersecurity investments an allowable cost. But that brings in the chicken-or-the-egg problem. If the company doesn’t have existing government contracts, it can’t expense the cybersecurity costs. The government won’t pay for cybersecurity! And if the company doesn’t have a contract, it can’t justify raising capital to become cybersecure — in addition to building out a new product. Thus CMMC risks locking out new entrants.
Last thought… if money wasn’t a problem for new entrants, then why is Ms. Arrington stressing the importance of making cybersecurity an allowable cost?
Leave a Reply