The Pentagon is rolling out new cybersecurity regulations for handling unclassified information that may bar contractors from bidding on future programs if they do not obtain the required certifications.
Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, said it will take until 2025 to fully implement the cybersecurity maturity model certification program, or CMMC.
"If we don't understand that this is a collective issue, that everybody needs to have cybersecurity requirements and in their day-to-day business, we're never going to get ahead of this game," she said in October during an interview with Exostar, a company focused on protecting the supply chain.
The Defense Department plans to tighten its policies as digital warfare becomes more prevalent, she noted. The CMMC will need to be continuously updated to keep pace with changing cyber threats, and these certifications will be especially important as technology continues to advance. One specific threat is the development of quantum computing, which can be used to break encryption, she said.
"The way it lives in 2020, I hope isn't the same model that is in existence in 2025 because the threat vectors will change," Arrington said. "This is electronic warfare. The moment that we move and we're capable of plugging that hole, our adversary will be ... finding a new access point."
The Pentagon's supply chain currently consists of about 300,000 companies and about 290,000 of those have no cybersecurity requirements whatsoever, she said. Under the new regulations, Defense Department contractors and subcontractors will need to become certified regardless of the program.
In the National Defense Industrial Association's new report, "Vital Signs 2020: The Declining Health and Readiness of the Defense Industrial Base," industrial security for 2019 scored a 64, or a D grade, the lowest among the eight dimensions the report measured. (See story on page 22.)
Current regulations to address these shortcomings are implemented by the Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 and NIST Special Publication 800-171. Companies must safeguard covered defense information, report cyber incidents and facilitate damage assessment, in addition to meeting other requirements.
But the Pentagon has decided that it needs more stringent regulations, Corbin Evans, NDIA's director of regulatory policy, said in...