They work shoulder to shoulder in your organization. They burn the midnight oil when deadlines need to be met. They embrace your mission as their mission. Contractors embody dedication. But those people – those companies – that you rely on might not always be around. Compliance requirements – necessary standards put in place to protect government assets and ensure good cyber hygiene – have made an impact on the industry. Your contractors need your help, and you have a vested interest in helping them.
Here’s the deal: Every Defense Department (DoD) contractor in the country has spent the last three months thinking about compliance with the Cybersecurity Maturity Model Certification (CMMC) framework, which defines cybersecurity controls and processes needed to protect Controlled Unclassified Information (CUI) stored on contractor systems.
For big contractors, compliance tasks are assigned to their IT or security team who dig in, check the boxes, and move forward. For small and mid-sized companies, however, reviewing their cybersecurity posture likely requires outside expertise. And closing security gaps has become a cost analysis question: Is it worth it?
You know how the process works. Contract officers for your organization are tasked with finding the best goods and services for the best price. It all comes down to supply and demand. The bigger the pool of potential contractors, the better the price will be. One of the constraints on that pool is CMMC compliance.
2020 has taken its toll on the contractor industry. COVID and the resulting shutdowns have disproportionally wiped out small businesses, including those that serve the government. Efforts to support the defense industry have come too little too late for some. Worse, the pandemic’s lengthy impact has discouraged business growth and reduced the number of new companies being formed. Which brings things back to the question: Is it worth it?
I’m the first to say that contract work is not for everyone. Some companies are great at what they do, innovative in their approach, and turn heads in private industry, and yet they won’t make the leap to becoming a contractor. Other businesses want to be contractors but take one look at the process and are turned off. Others do the work and join the ranks, hoping that an award will make the investment worthwhile – but they are always asking if it’s worth it.
What can you do to help?
There are three important things:
- Check in with vendors to see how compliance efforts are going. For those who haven’t started, or who paused because of the expense, a reminder that they are wanted may be enough of a nudge to get the ball rolling. Since the CMMC process takes time, nearly everyone needs to get started now.
- Be a resource. Help educate your contractor base by sharing updates on CMMC requirements, communicating about contracts that will require advanced CMMC maturity levels, and even sponsoring webinars to share best practices or help with the readiness process. This year is a big lift to get contractors certified, but as cyber threats evolve, staying compliant and meeting new controls will be an ongoing consideration.
- Encourage big contractors to help their subs. Some big contractors are helping speed the process – and even defray the costs – of compliance by providing third-party remediation services. These efforts ensure that everyone associated with their contract operations is up to standard. Compliance is especially important for small businesses as past investigations have shown that they account for 58 percent of cyber-attack victims.
With your support, all of your contractors can achieve CMMC and continue being part of the industrial base and your dedicated partner.
Edward Tuorinsky, Managing Principal at DTS, a government consultant business, is a service-disabled veteran who brings nearly two decades of experience to DTS in the areas of leadership, management consulting and information technology services.