Why Security Can’t be the 4th Procurement Pillar
The Department of Defense (DoD) traditionally has evaluated contractor proposals and program execution against 3 pillars: cost, schedule, and performance. As the volume and complexity of cyber threats launched against DoD contractors continue to rise, compromise of sensitive data and intellectual property through the most vulnerable points in the contractor supply chain has become increasingly commonplace – elevating the DoD’s profile and priority of security for all types of information.
The question had been raised: should security become a 4th procurement pillar, balanced against cost, schedule, and performance, or should security be the foundation, an absolute requirement before considering the existing 3 procurement pillars?
The possibility of trading security for cost, schedule, or performance has serious consequences. In a sense, the choice between foundation or 4th pillar is a choice between “the level of security that is necessary at whatever it costs” versus “the level of security a bid can support and still remain competitive.” Given DoD’s determination to eliminate the leakage of controlled unclassified information (CUI) across its supply chain, “the security that is necessary” seems the only choice. Security can’t be traded for cost, schedule, or performance if the elimination of CUI leakage is the overarching goal.
Looked at another way, without a carrot or a stick as the incentive to invest in security, contractor system vulnerabilities will go unchecked and the likelihood of compromise will increase. As noted in MITRE’s report, Deliver Uncompromised1, “DoD needs to retain the trust of its contractors, who will not invest as needed in security (or in new technologies) without assurance of opportunity for return through a fair competitive process.”
Without adequate investment in security, without “the level of security that is necessary at whatever it costs,” the risk of compromise increases. The cost of remediating a compromise will certainly overshadow the cost of “the security that was necessary.” Similarly, as the MITRE report concludes, “Products free of compromise represent more value than compromised products and have reduced total cost of ownership.” MITRE further asserts that security concerns need to be transformed from a cost center to a profit center.
Placing security as the foundation unequivocally makes it a mandatory prerequisite to bid and work on DoD contracts, not an option. As the DoD moves to adopt the “security as the foundation” approach, it must determine how to define, measure, and confirm adequate contractor security measures that will dictate whether contractors and their supply chains qualify for contract awards and extensions.
The DoD’s solution is the Cybersecurity Maturity Model Certification (CMMC), an initiative that likely will take effect in 2020. It will bring dramatic change to the procurement process once clauses like 252.204-7012 of the Defense Federal Acquisition Regulation Supplement are updated to incorporate it.
CMMC will affect every company throughout the DoD contractor supply chain, regardless of role or the type of information accessed or handled. Future posts to this blog will offer insight into CMMC, the questions contractors should be asking, the latest CMMC updates and their impacts on contractor security requirements, and how to best prepare for this sea change in the DoD procurement process.
1 Deliver Uncompromised A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War. Chris Nissen, John Gronager, Ph.D., Robert Metzger, J.D., Harvey Rishikof, J.D., MITRE CORPORATION, 2018.