How does a business reassure the government that it can keep hackers and spies out of its computers?

It’s a question occupying many San Diego defense contractors.

A change in certain Pentagon cybersecurity rules related to certification has grabbed the attention of defense contractors and subcontractors nationwide.

“There are lots of small businesses out there that still need help,” said Tony Lopez, vice president of business development with Indus Technology Inc., a small defense contractor in Old Town.

Change is coming, said Terry McKearney of The Ranger Group, another small San Diego defense contractor. “We do anticipate it will take some work on our part.”

Companies will risk losing defense business by not adhering to new cybersecurity audit rules, according to National Defense, the publication of the National Defense Industrial Association or NDIA.

The NDIA magazine article noted that cybersecurity certification might become a burden to the smallest of companies, and suggested the certification could push people out of defense contracting altogether.

From Self-Assessment to Auditors

The new rules were still being drawn up as of this writing. They relate to the safekeeping of information that is unclassified. If gathered in significant amounts, certain unclassified information can tip an adversary off to classified secrets.

Going forward, the cybersecurity rules will evolve, the National Defense article said.

Previously contractors could self-assess, and then certify to the government that they met cybersecurity requirements. There was no middleman involved.

In the future, contractors will have to be audited. They will be accredited at one of five levels, ranging from 5 (having very sophisticated cybersecurity) to 1 (having basic cybersecurity). All businesses will have to be certified to at least level 1.

Boot lace vendors will need at least basic cyber hygiene, according to the story circulating among Pentagon suppliers.

The new certification regulations go by the acronym CMMC, short for cybersecurity maturity model certification.

Some people see the new rules as a business opportunity. The Defense Department might decide to hire outside firms to audit its other contractors.

The Money Issue

The NDIA, the industry organization, has taken the lead in bringing contractor concerns to the Defense Department.

There is definitely a need for cybersecurity. “We get it,” said McKearney, a former military officer. The executive said the new way of doing things will cost money, and he was not sure whether a contractor will have to add it to his overhead cost.

Jim Lasswell, onetime chief executive at Indus Technology and now senior adviser to its president, said his business put a lot of money into cybersecurity hardware and software at the government’s urging in 2017. “We took it very seriously,” Lasswell said. “We got out in front of this.”

In hindsight, he said, the timing was good because Indus was in a growth spurt and able to fund its project.

More recently, Indus landed work presenting classes in cooperation with the South County Economic Development Council, teaching other businesses how to improve their cybersecurity. A federal grant is funding the classes.

A contractor reviewing the new rules might react like a deer in the headlights, said Indus’ Lopez. The intent of the five-session class is to make it manageable. “It doesn’t have to be overwhelming.”

There are several resources out there to help companies comply, Lasswell said.