FORT LEE, Va., May 26, 2020 — The Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, partnered with Project Spectrum in early May to inform small businesses of their responsibility for information protection. Supported by the Defense Department’s Office of Small Business Programs, Project Spectrum provides resources and training to help improve cyber-readiness and compliance.
Together, DCMA and Project Spectrum conducted a webinar on protection of controlled unclassified information, or CUI, explaining the agency’s role and small businesses’ responsibility when performing DoD contracts. The event also covered how DCMA is doing business under the constraints of COVID-19.
Two of the agency’s most experienced cybersecurity assessors, Carley Salmon and Dana Mason, presented the basics of assessments and answered dozens of questions about the DIBCAC; the cybersecurity assessment methodology and requirements; and Defense Federal Acquisition Regulation Supplement, known as DFARS, clause 253.204-7012, which covers safeguarding of defense information.
John Ellis, acting executive director of DCMA’s Technical Directorate, provided insight on how the coronavirus has affected and changed DCMA’s mission.
“This was another great opportunity for the Tech Directorate to continue the DCMA mission while under the COVID-19 protection measures, and still help inform and educate the defense industrial base,” said Darren King, DCMA DIBCAC director.
Twenty-nineteen was a big year for establishing guidelines for protecting CUI in the defense acquisition process, and small businesses are now facing additional scrutiny regarding their role.
To bring consistency and a minimum level of protection to CUI, Ellen Lord, undersecretary of defense for acquisition and sustainment, issued a memo assigning an assessment role to DCMA in May 2019. This led to the creation of the DIBCAC, which looks closely at contractor and supplier information protection systems and provides its findings to DoD organizations so they can make informed decisions when entering contracts.
“Most contractors have proper protection for classified data, but there is a lot of CUI that is too easily accessible. Once aggregated, this information can show more of our defense capabilities than we want to make available,” said King.
Last year, DoD also began formulating its Cybersecurity Maturity Model Certification. Released in January 2019, the CMMC is a list of requirements that will be part of all defense contracts by 2026.
“I believe it is absolutely critical to be crystal clear as to what expectations for cybersecurity are, what our metrics are, and how we will audit for those expectations,” Lord said at the CMMC launch.
“Cybersecurity is essential at all levels,” said Salmon, one of the founding members of the DCMA DIBCAC. “We can’t focus solely on the large defense contractors; it’s important for even the smallest supplier to protect information.”
Since the creation of the DIBCAC over a year ago, the team has performed dozens of assessments at contractor facilities and has trained more than 100 people from other defense organizations to conduct assessments.
Mason, who has also been with the DIBCAC since its inception, said small businesses don’t always have the same resources as their larger counterparts.
“Often these are ‘one-man shops,’ or a production facility with 100 or so employees,” Mason said. “They may not have a dedicated cybersecurity team, so they’re eager for information on how to meet requirements.”
The agency’s presentation is available at the Project Spectrum site.