Gaining a Competitive Edge Within the Department of Defense (DoD) Supply Chain

February 25, 2022

By Travis Epp and Jill Lawson

The Department of Defense (DoD) Chief Information Officer (CIO) recently announced an updated version of the third-party certification, the Cybersecurity Maturity Model Certification (CMMC), from 1.0 to 2.0. Positive news for companies in the Defense Industrial Base (DIB) included: 1) exclusion from CMMC 2.0 certification for most of the DIB and 2) some simplification in the certification levels. CMMC 2.0 will appear in contracts after the legal review process is completed and released in the Final Rule. For those companies that will still be required to have the CMMC 2.0 third-party certification, an accelerated timeline was put forward and the full implementation was changed from 2025 to after the Final Rule is released. The Final Rule is estimated to be released between August 2022 and November 2023. DIB companies will be required to be certified within a specified time from that release; the DoD CIO has announced they are finalizing that time frame and have discussed six months.

CMMC 2.0 has not affected the current DoD contract clauses mandating NIST 800-171a self-assessments that require action right now. In addition to the self-assessment companies must apply a DoD scoring method to compute a compliance score. In addition to that score, companies must provide a C-suite signed attestation validating score accuracy. Both documents must be uploaded to the Supplier Performance Risk System (“SPRS”) database for companies to be qualified to compete for or enter DoD contracts.

The Business Challenge

Management team members responsible for developing proposals are challenged by understanding the impact of the cybersecurity contract clauses not only on their own company, but also the flow down requirements to the Sub-Contractors and Suppliers. Quantifying responsibilities and costs of flow down cybersecurity requirements are essential for accurate proposal development. Accuracy facilitates competitive bidding with justifiable costs which in turn inspires the government confidence that protections have been implemented. Confidence from government selection authorities is essential for a competitive edge.

The DoD has long considered the DIB as the first line of cybersecurity defense. The DIB companies that pursue a perfect SPRS score of 110 will be competitively positioned to continue to bid on DoD contracts or be contracted by Prime Contractors. The DIB companies that are not aggressively pursuing a perfect SPRS score right now may find that there will be a long and costly wait for assistance. The “Let’s not worry about Cybersecurity compliance” herd will be stampeding at the same time, and since the NIST 800-171 compliance industry is new, competent resource availability and expenses will be at a premium.

Action Items to Achieve a Competitive Advantage

  1. Stay ahead of the herd.
  2. Understand your cybersecurity requirements based on your current business operations (i.e., contract mandates) as well as your business plan.
  3. Designate a team to achieve the internal requirements and include a process to determine that self-assessed scores are accurate (i.e., mock assessment).
  4. Ensure that the external companies involved with your DoD contract provide their NIST 800-171 Self Assessments and Self Attestations prior to entering business relationships; and
  5. Identify resources to assist the company in the process when necessary.

In summary, DoD suppliers must manage NIST 800-171 implementation for their own company, and if applicable, for companies connected to the contract’s deliverables. America’s adversaries are relentless and are growing in numbers continually. The American taxpayers, as most of us are, need to know that all aspects of our country’s defense have standards and are meeting those standards to have the capability to defend, continuously.

About Travis Epp

Travis Epp is EisnerAmper’s Partner-in-Charge of the Manufacturing and Distribution Group, with nearly 30 years of experience in public practice and private industry. Travis focuses on private companies in the middle market.