New cybersecurity requirements for government contractors in 2020

December 4, 2019 | UFG Insurance | Surety


Cyber threats are evolving—and the computer security requirements for government contractors are no different. 

In early October 2019, the Department of Defense released the Cybersecurity Maturity Model Certification (CMMC) requirement for government contractors. The Office of the Under Secretary of Defense for Acquisition and Sustainment put forth new cybersecurity requirements set to release in 2020 in collaboration with the Johns Hopkins University Applied Physics Laboratory, the Carnegie Mellon University Software Engineering Institute and other organizations. The CMMC has received support from associations including the National Defense Industrial Association, the Aerospace Industries Association and others. 

Specific to cybersecurity, the new requirement adds a verification component that builds upon existing regulations such as “Safeguarding Covered Defense Information and Cyber Incident Reporting” (Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012) and “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (National Institute of Standards and Technology (NIST) SP 800-171).

Okay, now explain it in layman’s terms…

These new practices are a requirement for contractors wanting to engage in business with the government.

The CMMC is a stricter version of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the risk management framework. The NIST framework was put in place to protect important government functions and data. Now government contractors must adapt, as the Department of Defense plans to release the first version of the CMMC in January 2020.

The good news is that you can automate a lot of cybersecurity activities with IT departments, vendors and third parties, especially as new cybersecurity technology becomes more widely available.

How do I get certified?

To get certified, one must coordinate with an independent and accredited third-party commercial certification organization. Based on your specific business requirements, you will have to specify the level of certification you’re trying to obtain. The Department of Defense has gone on record stating that they will make public the CMMC level achieved by government contractors, which can have great positive impact on future business opportunities for your organization.

The CMMC framework consists of 18 different domains, each with capabilities that pertain to cybersecurity. Those capabilities are then mapped to a specific CMMC level, ranging from level 1 to level 5.


What’s the difference between level 1 and level 5 certification?

Level 1 covers the lowest, most basic cybersecurity practices, whereas level 5 covers advanced actions to protect against the savviest threats. A couple of the topics covered in level 1 include the use of anti-virus software and Defense Federal Acquisition Regulation Supplement (DFARS) compliance.

To meet the minimum requirements, Department of Defense contractors must:

  1. Provide adequate security to safeguard covered defense information that resides in or transits through your internal unclassified information systems from unauthorized access and disclosure.
  2. Rapidly report cyber incidents and cooperate with the Department of Defense to respond to these security incidents, including providing access to affected media and submitting malicious software.


In levels 4 and 5, cybersecurity practices become rather advanced as they support a small subset of the government. Examples include deployment of organizational custom protections, autonomous knowledge of cyber assets and continuous improvement across the enterprise. 

So what’s next for me?

As a government contractor, this is something you may need to address sooner rather than later. Maybe it's time to review your entire company's cybersecurity practices? Here are a few next-step possibilities or questions you may want to address:

  • Do you have a modern cybersecurity plan or are you behind?
  • Does a third party manage your cybersecurity? You may want to touch base with them. 
  • Are you looking to get more high-profile government projects that require a higher level certification?
  • Have you outgrown your current IT provider and need to explore new options?

Whatever you do, finding a starting point is the first step. Just make sure you change your password every couple of months, okay?
