The United States Government is in the process of rolling out two far-reaching procurement changes aimed at securing the federal supply chain: a new set of supplier cybersecurity requirements known as the Cyber Maturity Model Certification (CMMC) and restrictions on the use of products made by Huawei and others as required by Section 889(a)(1)(B) of the 2019 National Defense Authorization Act (NDAA).
Individually, each of these initiatives will have a substantial impact on federal purchasing. Together, they are the largest change in federal procurement practices in many years and have implications well beyond the direct provision of products and services to the U.S. Government.
What do these changes entail and who is affected?
CMMC, based on NIST cybersecurity standards, is a program to establish foundational cybersecurity requirements for members of the Department of Defense (DoD) industrial base. Section 889 applies to the entire federal government and aims to minimize network infiltration or intellectual property loss due to the use of certain high-risk technologies from covered entities (companies), including Huawei and ZTE. A bumpy and uncoordinated rollout of these rules is magnifying their impact on both industry and government.
But, if you provide products or services to the U.S. Government, or to other companies that in turn provide such products or services, you need to comply. That is immediately true for Section 889. The implementing rule went into effect on August 13 of this year, although some agencies have waivers through September 30. It covers government procurements almost without exception, and requires any company selling to the government to represent that they are not using products from the “covered entities” (Huawei, ZTE and several smaller video equipment manufacturers) and are not aware of the use of those products in their own supply chains.
At the same time, DoD is working through the much more complex implementation of CMMC. Timing and other details of this program are evolving and it is unclear why DoD chose to entrust oversight of a complex new certification regime to an unfunded group of volunteers. Nevertheless, all companies in the Defense Industrial Base (DIB) will need a third-party auditor-provided cybersecurity certification within the next five years. The level of certification depends on the type of information handled, and the plan is for this requirement to be gradually introduced, but it will apply to all prime and subordinate suppliers in the DIB.
Where do we go from here?
The broad reach of both these procurement rules into the supply chain has significant implications. You don’t need to be directly selling to the government to be affected; both apply to all companies regardless of where they land in the federal supply chain.
There is a notable likelihood similar provisions will be contemplated at the state and local level. DoD is actively trying to establish CMMC as a broader regulatory standard, both inside and outside the U.S. Government. It is probable that evolving supply chain or cybersecurity threats will cause further expansion of certification requirements.
Companies looking to comply with these rules by passing audits or attesting to security practices of their U.S. Government operations will only end up hamstrung—it will be too inefficient to bifurcate their operations, so they will either adopt these regulations as de facto standards across the board or they will decide that the cost is too high and withdraw from markets altogether. That is a tough choice in a likely future where commercial customers will also expect companies to maintain robust supplier and cybersecurity practices.
Companies need to be confronting this reality today: how and to whom you will demonstrate cyber and supply chain security on a continuous and ongoing basis needs to be a fundamental component of operations. If you’re not doing this already, you need to start preparing now.
Advice for policymakers
Finally, if you are a policymaker contemplating supply chain and cyber risk, you should be thinking about total risk. How can the government share enough information with industry broadly, so that industry can make a full and fair assessment of the risk and the cost of alternatives?
Policymakers must also pay close attention to the mass confusion caused by the current rules and consider the effect these policies will have on long-term U.S. competitiveness. The cost of compliance is large and will inevitably mean slowing down innovation and access to new products and services for the U.S. Government.
These are clearly hard problems and there is a critical need to make progress in addressing them. That progress is best made through public/private cooperation, including open dialogue and sharing of information, and clear and consistent policies that seek to advance U.S. and western technological strengths.