Why so few Defense contractors are compliant

[Image: CMMC levels, with coins representing the cost of each]

๐‡๐จ๐ฐ ๐ฅ๐จ๐ง๐  ๐๐จ๐ž๐ฌ ๐ข๐ญ ๐ญ๐š๐ค๐ž ๐š ๐œ๐จ๐ฆ๐ฉ๐š๐ง๐ฒ ๐ญ๐จ ๐ ๐จ ๐›๐š๐ง๐ค๐ซ๐ฎ๐ฉ๐ญ ๐ข๐ญ ๐ฐ๐ก๐ž๐ง ๐œ๐š๐ง’๐ญ ๐ฐ๐ข๐ง ๐ฐ๐จ๐ซ๐ค?

One year? Two? Three?

Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Industrial Base.

Back in 2017 (six years ago), new and renewing DoD contracts started including the DFARS 252.204-7012 clause. The intent of adding the 7012 clause to new contracts was to get defense contractors to increase their bid to account for increased cybersecurity costs (typically double or triple what a commercial company spends on IT).

So in 2018, a new contract comes out for bid. The contract asks for parts that cost roughly $1m to produce. The contract also asks for cybersecurity, which would require an additional $500k to comply with.

Ten companies bid on this contract.
Five companies carefully read the contract, see the 7012 clause, contact a cybersecurity consultant to understand what it means, and adjust their bid from $1m to $1.5m.
The other five companies, for various reasons, disregard the 7012 clause. They bid only based on the cost to manufacture, which is $1m.

Who wins that contract?

Who wins the next contract?

And the one after that?

๐‡๐จ๐ฐ ๐ฅ๐จ๐ง๐  ๐๐จ๐ž๐ฌ ๐ข๐ญ ๐ญ๐š๐ค๐ž ๐š ๐œ๐จ๐ฆ๐ฉ๐š๐ง๐ฒ ๐ญ๐จ ๐ ๐จ ๐›๐š๐ง๐ค๐ซ๐ฎ๐ฉ๐ญ ๐ฐ๐ก๐ž๐ง ๐ข๐ญ ๐œ๐š๐ง’๐ญ ๐ฐ๐ข๐ง ๐ฐ๐จ๐ซ๐ค?

Since 2017, because of this system of perverse incentives, it is my opinion that we’ve driven almost every compliant company out of the DIB.

Even today, with CMMC looming over us, the companies that are able to bid low are still winning the work! I can’t even fault contractors for dragging their feet on cybersecurity. If they didn’t have that attitude, they would be GONE.

I have to give major respect to Katie Arrington, Stacy Bostjanick, and DoD A&S leader Ellen Lord for identifying the solution to this problem: mandatory verification of compliance as a prerequisite for contract award.

CMMC is the solution that will fix the perverse system which makes compliant defense contractors too expensive to win the work. We should be rewarding them, not driving them to bankruptcy.

In the meantime, is there any way to protest a contract award when you know your competitor isn’t performing cybersecurity? It is a fairly simple task for a systems administrator to look up DNS records for a company to see if they are using FedRAMP cloud providers. Could that be a strategy? Has anyone heard of this working?
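The DNS check mentioned above is easiest to understand from the defender's side: confirm where your own domain's mail is actually handled before you assert it in a System Security Plan. The following is an added example, not code from the original post. It parses the output of `dig +short MX <domain>` and classifies each mail exchange by hostname suffix. The suffix table is an assumption for illustration only; whether a given environment holds a FedRAMP authorization must be confirmed against the FedRAMP Marketplace, and an MX record only shows where mail is routed, not where CUI is stored or processed. The sample records are constructed.

```python
"""Classify a domain's MX records by the mail environment they point to.

Added example, not part of the original post. Intended as a self-check: confirm
where your own domain's mail is actually handled before asserting it in an SSP.
"""
import re
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: hostname suffixes and the environment each indicates. This is an
# illustrative table; authorization status must be verified against the FedRAMP
# Marketplace, and an MX record only shows mail routing, not where CUI lives.
ENVIRONMENT_SUFFIXES: Dict[str, Tuple[str, str]] = {
    ".mail.protection.office365.us": ("Microsoft 365 GCC High", "government cloud"),
    ".mail.protection.outlook.com": ("Microsoft 365 commercial", "commercial cloud"),
    ".google.com": ("Google Workspace", "commercial cloud"),
}

# Constructed samples in the shape of `dig +short MX <domain>` output.
SAMPLE_GOV = "10 contractor-a-example.mail.protection.office365.us.\n"
SAMPLE_COMMERCIAL = """\
0 contractor-b-example.mail.protection.outlook.com.
10 mail.contractor-b.example.
"""

MX_LINE = re.compile(r"^(\d+)\s+(\S+?)\.?$")


def parse_dig_short_mx(text: str) -> List[Tuple[int, str]]:
    """Turn '<preference> <exchange>.' lines into (preference, exchange), lowest first."""
    records: List[Tuple[int, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = MX_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised MX line: {line!r}")
        records.append((int(match.group(1)), match.group(2).lower()))
    return sorted(records)


def classify_exchange(exchange: str) -> Tuple[str, str]:
    """Map one MX exchange hostname to (environment, sector) using the suffix table."""
    for suffix, label in ENVIRONMENT_SUFFIXES.items():
        if exchange.endswith(suffix):
            return label
    return ("unknown or self-hosted", "unknown")


def classify_mx(text: str) -> List[Dict[str, object]]:
    """Classify every MX record in dig-style text; result is ordered by preference."""
    return [
        {"preference": pref, "exchange": host, "environment": env, "sector": sector}
        for pref, host in parse_dig_short_mx(text)
        for env, sector in [classify_exchange(host)]
    ]


def mail_sector(text: str) -> str:
    """Sector of the highest-preference (lowest number) exchange, i.e. where mail
    normally lands; 'mixed' if backup exchanges sit in a different sector."""
    sectors = [r["sector"] for r in classify_mx(text)]
    if not sectors:
        return "no MX records"
    return sectors[0] if all(s == sectors[0] for s in sectors) else "mixed"


def lookup_mx(domain: str) -> Optional[str]:
    """Live lookup via dnspython (third-party, optional). Returns dig-style text,
    or None when the library is not installed; paste `dig +short MX` output instead."""
    try:
        import dns.resolver  # type: ignore
    except ImportError:
        return None
    answers = dns.resolver.resolve(domain, "MX")
    return "\n".join(f"{a.preference} {a.exchange.to_text()}" for a in answers)


if __name__ == "__main__":
    for sample in (SAMPLE_GOV, SAMPLE_COMMERCIAL):
        for record in classify_mx(sample):
            print(record)
        print("primary mail sector:", mail_sector(sample))
```

The `mixed` result is the case worth watching for in your own records: a primary exchange in a government environment with a lower-preference backup elsewhere means mail can still be delivered outside that boundary when the primary is unavailable.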
