Spotlight

New Department of Defense Cybersecurity Regulation could affect your business

Posted August 6, 2021 5:00 a.m. EDT

Tech Sgt. Kyle Hanslovan is a cyber-warfare specialist serving with the 175th Cyberspace Operations Group of the Maryland Air National Guard at Warfield Air National Guard Base, Middle River, Md., in this October 2017 photo. Hanslovan served on active duty with the Air Force for six years and then worked, in civilian life, as a cybersecurity contractor for the Department of Defense and now as the CEO of a cybersecurity start-up firm. His continuing desire to serve his country led him to the Air National Guard, where he believes his civilian experience in defensive cybersecurity greatly benefits his mission readiness for offensive cyber operations with the U.S. Air Force. (U.S. Air Force photo/J.M. Eddins Jr.)

This article was written for our sponsor, the North Carolina Military Business Center.

The Department of Defense has issued a new rule that aims to protect sensitive data by improving the cybersecurity posture of companies in the Defense Industrial Base.

The Defense Federal Acquisition Regulation Supplement Interim Rule added three new cybersecurity clauses that went into effect Nov. 30. Companies in the DIB are no longer allowed to "self-attest" to compliance with the 110 cybersecurity controls in NIST SP 800-171, said Laura Rodgers, a cybersecurity compliance and business development professional with the North Carolina Military Business Center — an organization that helps local businesses secure military and federal contracts.

DFARS clause 252.204-7019 "requires defense contractors that process, store, and/or create controlled unclassified information on behalf of the Department of Defense to perform a self-assessment to the 110 cybersecurity controls in NIST SP 800-171 and upload their score to the Supplier Performance Risk System," said Rodgers.

If the DoD then decides that an organization needs further assessment, the next clause, DFARS 252.204-7020, states that the government must be granted access to the organization's facility, systems and employees.

The third DFARS clause — 252.204-7021 — implements the Cybersecurity Maturity Model Certification (CMMC), which is a quality management system for cybersecurity with five maturity levels. CMMC will be rolled out over five years, with 100% of defense contracts referencing the DFARS clause beginning Oct. 1, 2025.

Organizations that handle controlled unclassified information will be required to achieve certification to CMMC Level 3, at a minimum. From there, the DFARS clause should flow down to subcontractors and suppliers based on the type of data that they handle or create.

"The CMMC model is a more holistic way of implementing a cybersecurity program, and is intended to not only protect organizations from cybersecurity incidents, but to improve an organization's resiliency in the event of a breach," said Rodgers. "Organizations should look at compliance to these new DFARS clauses as a way for them to do their part to protect national security."

Heightened cybersecurity is important, but that doesn't mean it's easy to implement.

"Implementing CMMC is expensive and time-consuming," said Rodgers, "particularly for the very small companies that don't have any IT infrastructure within their company. They are suddenly faced with a decision about whether or not they can afford to continue to be a defense contractor."

For the North Carolina Military Business Center, this financial strain is a serious concern, since it interferes with a willingness to participate in the federal supply chain — especially for companies that have to make major updates in order to continue working with the government.

Since 2005, the North Carolina Military Business Center has helped businesses win over 3,000 government contracts worth over $13 billion. The NCMBC also offers counseling to simplify the contracting process, connects businesses to federal agencies and opportunities, supports defense contractor recruitment, and helps local businesses employ transitioning military personnel and veterans.

"Organizations leaving defense contracting is a huge risk to national security," said Rodgers. "It takes a long time to get a good supply chain going. Many of these companies have been in the supply chain for decades, and replacing them would be very difficult."

Although it would be ideal to have more time to get into compliance, cybersecurity is critical, and the changes are happening quickly. To ease the transition for businesses, several state entities and organizations that support the defense industry established the North Carolina Interagency Cybersecurity Coordinating Committee.

One of the committee's goals is "to help North Carolina defense contractors understand and implement cybersecurity regulations," according to CyberNC.us, the website created by the group as a source of information.

Managed by the NCMBC, the committee aims to provide local contractors with updated information, effective tools, and access to reputable companies to help them with compliance.
