On the 3rd of November 2020, Rear Admiral William Chase (Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy/Deputy Principal Cyber Advisor to the Secretary), John Weiler (Chairman of the CMMC Center of Excellence and CEO of the IT Acquisition Advisory Council) and I were invited to speak to the UK All-Party Parliamentary Group on cyber security (APPG – http://www.appgcybersecurity.org/). We briefed the working group on several cyber security topics, including the importance of international cyber collaboration and standards, protecting and advancing competitive advantage through private partnership and the Defense Industrial Base (DIB), the importance the DoD places on the CMMC for the protection of data across the DIB, the impact of the CMMC programme on the international DIB, and reciprocity of oversight and assurance with partner nations.
We are at the start of a journey on maturing the DoD's supply chain cybersecurity culture. Self-attestation of cybersecurity alone has not worked in protecting the Intellectual Property (IP) of the DoD, resulting in the recent DFARS Case D041 Interim Final Ruling, which will be effective from the 30th November 2020 and strengthens existing DFARS requirements through oversight, assurance and accreditation of NIST SP 800-171 and CMMC. CMMC and cyber compliance will require collaboration, harmonisation and reciprocity of cyber security involving partner nations for DoD acquisition. It will impact the DIB through changes to contractual obligations that will require contractors and subcontractors to make economic decisions over compliance.
Oversight and assurance of international contractors and subcontractors will need to be reviewed and agreed by partner nations, through mechanisms such as reciprocity, to overcome security considerations between partner nations. CMMC and NIST set a high standard for cyber security compliance and the cost of compliance will be a challenge for the DIB, as NIST and CMMC flow down the supply chain as far as Controlled Unclassified Information (CUI) is transmitted, created or stored, requiring the implementation of a significant number of cyber security practices in line with NIST SP 800-171 and CMMC. The standard may be higher than that already applied by contractors, subcontractors or partner nations, but it should be viewed in line with already existing contractual commitments and should be considered a basic requirement for all partner nations.
There was agreement that further conversations are needed to discuss cyber collaboration, the impact of CMMC on the UK DIB, and the role that cyber standards play in supporting international partners to achieve consistent and harmonised cyber security compliance.
Thank you to the Rear Admiral's Office and the All Party Working Group, who graciously allowed us to release our slides, below.