DoD Should Create Objective Guidelines for Selecting the Appropriate CMMC "Go/No-Go" Threshold
The Department of Defense (DoD) will likely publish a draft Cybersecurity Maturity Model Certification (CMMC) standard sometime this summer (see here and here). While much focus has been on how the CMMC will help shore up defense industrial base (DIB) cybersecurity—i.e., as the enforcement mechanism for DFARS 7012/NIST SP 800-171 compliance via third-party audits––DoD also must address the process of how agency personnel will select the CMMC “go/no-go” threshold for set-aside procurements. [1]
According to recent reports (see here and here), for each procurement, DoD acquisition personnel will select a CMMC level as the “go/no-go” threshold that contractors must meet in order to be eligible to compete for an award. Likewise, defense contractors could potentially see five levels of cybersecurity maturity within the CMMC, moving from basic to "state-of-the-art" cybersecurity protections. Given the breadth of acquisitions within DoD––IT services, consulting services, administrative services, cyber services, training, healthcare, software, parts, logistics, etc.––it is likely that DoD may neither need nor want to select the highest CMMC level as a "go/no-go" threshold in every instance.
With likely considerable differences between the lowest and highest CMMC level, [2] and the likely additional costs of preparing for and obtaining a higher certification level (notwithstanding reported allowable cost recovery under certain types of contracts), DoD should create objective guidelines for how agency personnel will select "go/no-go" thresholds in set asides. Objective "go/no-go" guidelines not only will serve to guide DoD agency personnel in selecting the appropriate CMMC threshold but also will introduce uniformity into the process, which will allow small business defense contractors to plan for future government acquisitions with some measure of predictability.
Without "go/no-go" guidelines, however, small business contractors will likely face additional confusion (and frustration). On the one hand, small contractors will need to consider whether they should expend the time, money, and resources to obtain the highest CMMC level so that they can compete for any contract that is potentially in their wheelhouse (to hedge) and, on the other hand, whether they should simply strive for a lower/mid CMMC level and let the chips fall where they may. If the latter happens, we could see a dramatic change in the competitive landscape (and innovation) of small businesses within the DIB, the result of which may hinder DoD in meeting its small business contracting goals. Not good.
Takeaway: Challenges abound for small business government contractors. But opacity regarding how DoD selects each CMMC "go/no-go" threshold should not be one of them. DoD should create objective guidelines for how agency personnel will select the appropriate CMMC "go/no-go" threshold in set-asides. This will introduce uniformity and predictability to the acquisition process, which, in turn, will help ensure that DoD and large primes do not encounter a dwindling pool of small businesses within the DIB.
__________________
[1] Unlike large (and many mid-tier) defense contractors who likely have the money/resources to spend on obtaining the highest certification in the CMMC, small businesses will face yet another disadvantage as the costs of obtaining a certification level at the higher end of the CMMC scale may outweigh the benefits of remaining in (or entering) the DIB.
[2] The CMMC is reportedly based, in part, on Aerospace Industries Association National Aerospace Standard 9933 (NAS9933), “Critical Security Controls for Effective Capability in Cyber Defense.” The NAS9933 provides for various levels of cybersecurity––a maturity model––with “an eye toward growth in cyberdefense capabilities.” From a maturity standpoint, under NAS9933, companies typically must implement more cybersecurity measures to attain Capability Level 4 or 5 (the highest end) than what is required to attain a Capability Level 1 or 2 (the lowest end).