
“Help Me, Help You”: Defense Department Advises Contractors That Cybersecurity Is An Allowable Cost

During a presentation at the Professional Services Council Federal Acquisition Conference on June 13, 2019, a high-ranking Department of Defense (“DoD”) official announced, with dramatic flair, that cybersecurity is an allowable cost:

“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington [Special Assistant to the Assistant Secretary of Defense for Cyber] . . . security is an allowable cost. Amen, right?”

Channeling Jerry Maguire, Arrington added: “Now what you need to do as industry is help me, help you. I’m not the enemy. I’m literally the one person in government who said, ‘Hi, I’m here to help and I’m legit here to help.’”

Arrington’s June 13 presentation, which was titled “Securing the Supply Chain,” is just the latest indication that the DoD – like other federal and state agencies – is making the cyber hygiene of its contractors a priority. (Some of our previous posts on this topic are available here.)

During a webinar earlier this month, Arrington noted that, “[i]f we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base [(“DIB”)] doesn’t have robust cyber hygiene. Only 1% of DIB companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Arrington, who appears to be actively involved in the DoD’s development of a cybersecurity assessment and certification program, called the Cybersecurity Maturity Model Certification or CMMC, provided additional details about that program during her June 13 presentation. Specifically, Arrington announced that:

  1. The CMMC will include five levels of certification. The levels will range from “basic” cyber hygiene to “state-of-the-art.”

  2. The CMMC initiative will require DoD contractor information systems to be certified compliant by an outside auditor. Under the new model, third-party cybersecurity certifiers will “conduct audits, collect metrics, and inform risk mitigation for the entire supply chain,” Arrington said. “Every contract that goes out,” she added, “will have a requirement and every vendor on that contract will have to get certified.”

  3. The DoD will hold 12 listening sessions across the country this summer to solicit feedback about the CMMC from industry and other experts.

  4. The DoD aims to complete the CMMC and begin certifying vendors by January 2020; to begin incorporating the CMMC requirements into requests for information by June 2020; and to include the CMMC in solicitations by September 2020.

Driving home her key point that the cybersecurity of its vendors is a major priority for the DoD, Arrington stated that “[c]ost, schedule and performance are only effective in a security environment.” She added that “[w]e cannot look at security and be willing to trade off to get lower cost, better performing product or to get something faster. If we do that, nothing works and it will cost me more in the long run.”

DoD contractors should heed Arrington’s warning that cost, schedule, and performance will not alone suffice to win future DoD contracts. To best position themselves to compete for those contracts, contractors should consider providing feedback to the DoD this summer about the CMMC, and should promptly begin the process of preparing to comply with its mandates.

Jackson Lewis P.C. © 2020

National Law Review, Volume IX, Number 175


About this Author

Catherine Tucciarello Labor Employment Attorney Jackson Lewis

Catherine Tucciarello is an Associate in the New York City, New York office of Jackson Lewis P.C.

Ms. Tucciarello regularly represents employers in workplace law matters, including providing preventive advice and counseling, and workplace trainings.

In her Privacy, Data and Cybersecurity practice, Ms. Tucciarello advises clients in various industries on compliance with federal and international privacy laws, including HIPAA, the ADA, GINA, FMLA, the TCPA, FCRA, and the EU-U.S. Privacy Shield. She also provides guidance to organizations on data...

Damon Silver, Employment Lawyer, Corporate Matters, Jackson Lewis

Damon W. Silver is an Associate in the New York City, New York, office of Jackson Lewis P.C.

In his Privacy, e-Communication and Data Security practice, Mr. Silver advises clients in various industries on compliance with federal and international privacy laws, including HIPAA, the ADA, GINA, FMLA, the TCPA, FCRA, and the EU-U.S. Privacy Shield. He also provides guidance to organizations on data breach prevention and response.

In the area of employment litigation, Mr. Silver defends employers in federal, state, arbitral, and administrative proceedings against discrimination and retaliation claims under Title VII, the ADA, the ADEA, FMLA, and New York state and city laws; against wage and hour claims under the FLSA and New York Labor Law; and against contractual and workplace tort claims. He also counsels employers regarding personnel and policy decisions.