Pentagon’s new cyber rules are ‘stifling’ foreign suppliers, advisors say

Defense Innovation Board members talk about modernization, software and artificial intelligence at a DIB public meeting in Mountain View, California July 11, 2018. U.S. Air Force / Senior Airman Valentina Viglianco

The soon-to-be-mandatory cybersecurity certification—and a 2018 OSD reorganization—are slowing vital work, the Defense Innovation Board says.

Foreign suppliers are having trouble complying with new Defense Department cybersecurity requirements, and the Pentagon should try to ease their pain, an advisory board says.

“We have partners like Germany and Japan that want to work with us, given what's going on in the world,” Charles Phillips, a member of the Defense Innovation Board, said Wednesday. “We make it hard to work well with the DOD. The compliance standards, things called CMMC and ITAR, export controls—even for U.S. companies sometimes take years to get approvals.”

CMMC—formally, Cybersecurity Maturity Model Certification—is the Pentagon’s years-long effort to get its contractors to improve their network defenses. Compliance is set to become a contract requirement by 2025, but some defense companies have already found the certification process to be difficult and expensive. And those sentiments extend across the pond.

Speaking to reporters on Wednesday, Phillips recalled a conference call the Board held with small and medium-sized companies from Norway and other countries. The common thread, he said, was: “We're willing to get compliant if that helps us get business. The problem is we don't know how to do that.”

The entities that certify companies’ CMMC readiness—and the consultants that can help firms get ready—are all in the United States, and are not easily found by companies in allied and partner nations, he said.  

“They don't exist over there,” said Phillips, who leads the tech investment firm Recognize. “It's just a process question right now...‘How do we comply with this if we're not part of that, we're not over there?’”

Moreover, complying with cybersecurity standards can come with a high price tag. 

“And what's the cost? So one vendor got on, and he said he was doing $30 million in revenue” and spending about $1 million a year to comply with CMMC. “I said, ‘That can't be right.’ But that's what he said. So we’ve got to figure out a way to break that cost down as well,” Phillips continued.

The eight-year-old Pentagon advisory group was even more direct in its Wednesday report on improving cooperation with international partners.

“Properly training and integrating trusted partners is essential for ensuring the necessary scale and security within the defense industrial base,” it says. “The proposed [CMMC] ecosystem will be stifling to allies and partners and necessitates foundational changes in approach to certification.” 

The report said these changes should include Pentagon efforts to train and certify people and groups outside the United States as CMMC certifiers. As well, DOD should allow “allied and partner nation institutions to publish localized training materials and obtain formal recognition as a resource for CMMC compliance.”

Reverse the split

The board also had a recommendation for Congress: reverse its 2018 breakup of the Defense Department’s acquisitions, technology, and logistics office. 

Lawmakers forced the split over Pentagon leaders’ objections, saying that it would streamline upper-level management. The reorganization created a new defense undersecretary for acquisitions and sustainment, and another for research and engineering. This has made cooperating with foreign partners “byzantine and absurd in its bureaucratic complexity,” according to the report.

“We'd like to recombine those [under the] undersecretary of industrial and international cooperation. The reason is: we need integrated designs. We need integrated manufacturing capacity around the world. It's hard to do that in separate organizations,” Phillips said at the board’s quarterly meeting on Wednesday. 

The new organization would also be a single point of contact for foreign defense contractors and help centralize all of the Pentagon’s directorates, divisions, and resources devoted to international defense industrial cooperation, the report states. 

“They need a single point of contact who can make decisions, what are we building and how do we plan to design it, who's working on it, what research is happening. And trying to do that right now, it's far too difficult for partners. It's actually difficult internally as well,” Phillips said. 

If done right, the board believes the new organization could “conclusively mitigate supply chain vulnerabilities, address production limitations, and navigate the international industrial cooperation bureaucracy” and ultimately “free OSD A&S, R&E, Policy, and other relevant components to prioritize their core missions.” 

“I know that we broke it up because it got too large. We want to put it back together, of course streamline it…in terms of integrated design to work with partners, to make that the single point of entry for those partners,” Phillips told reporters.

But ultimately, for DOD to meet its innovation goals, there’s a need for culture change. 

“We just have a history of not using foreign technologies ourselves. We have a lot of technology here. We've been innovating for a long time. So it was like an afterthought. Why do we need technology from somewhere else?” Phillips said. “And that mentality has to change because we need to know what everybody's working on; we need to be coordinated.”