New Cyber Standards May Shrink Contractor Pool

Officials at the Defense Information Systems Agency (DISA) have expressed confusion about whether new vendor cybersecurity standards will limit the number of vendors that qualify for critical government technology projects. The Cybersecurity Maturity Model Certification (CMMS) standards published by the Pentagon in January were meant to increase cyber protections, but some small businesses have expressed concerns that they will not be able to compete for government contracts.

Under the CMMC framework, companies have their cyber practices graded on a scale of one to five. Procurement officials would use the grades to determine which vendors are eligible for certain contracts, with more sensitive projects requiring more stringent security standards.

“The CMMC establishes security as the foundation to acquisition and combines the various cybersecurity standards into one unified standard,” explained Pentagon Undersecretary for Acquisition and Sustainment, Ellen Lord.

Now, DISA officials are warning that the standard may make a significant portion of the Pentagon contractor pool ineligible for sensitive projects.

“A very small number … of the 300,000 [defense industrial base] companies have state-of-the-art cybersecurity. The majority of them are at the lower end of that one to five scale,” Maj. Gen. Garrett Yee, assistant to the director of DISA, said Monday during a speech at the agency’s annual Forecast to Industry Day.

During a media roundtable Yee was asked if the standards would impact of the pool of qualified vendors to which Yee responded, “No one knows the answer to that.”

Yee noted that the standards are meant to be both “affordable” and “achievable” for small businesses, though the Pentagon has received many questions about how small businesses, who have historically not devoted funds to cyber protections, would compete with large vendors.

During a separate speech reported by NextGov, DISA Director Vice Adm. Nancy Norton urged vendors to begin ramping up their cybersecurity efforts with the CMMC on the horizon and pushed them not to oversell their tech.

“Be honest about the scope and scale of a solution and its readiness to operate and to meet unique DOD mission requirements,” Norton said during her keynote address. “As an industry partner, you must understand … who and what is at stake in this environment. Build cybersecurity into all your products and services and capabilities from concept to completion … be as innovative in your approach to cybersecurity as you are in your functional capabilities.”