By Matthew Titcombe, CISSP, CMMC Provisional Assessor Lvl 1-3, CISO, Gigit; CEO, Peak InfoSec

Definition of pincer movement
1: a military attack by two coordinated forces that close in on an enemy position from different directions
2: a combination of two forces acting against an opposing force[i]

The United States Department of Defense (DoD) has laid a trap for the Defense Industrial Base (DIB).

It is brilliant and EVERY contractor that is a part of the DIB is already in the trap.

Bottom Line Up Front

  • DoD is letting you voluntarily report your potential non-compliance so the Department of Justice can bring your organization up on charges under the False Claims Act
  • Primes will only want to use certified vendors on all of their contracts—self-attestation won’t matter in the long run
  • Don’t procrastinate. DoD has already set this trap in motion

Pincer Movement Fundamentals

CMMC 1.02 was an “in your face” combat tactic much like two boxers in a ring duking it out.  The tactic was simple: every DIB company must get compliant or get out.

A pincer movement splits the attacker’s forces in order to envelop and attack the target on multiple fronts.  The attacker maintains a core majority of their force to attack the target face on but splits off forces to also attack from both the left (left flanker) and right (right flanker).  By attacking concurrently from the target’s front and both sides, the attacker achieves the following effects:

  • They force the target to weaken its forward-facing commitment of forces to deal with the two flanks.
  • The two flanks sow confusion and generate possible target-on-target self-inflicted damages.

While DoD is not out to decimate the DIB in combat, their goal has not changed—get the DIB to NIST SP 800-171 compliance.  They are willing to have non-compliant portions of the DIB drop out.

The Left Flanker:  Your Self-Attestations

The Left Flanker is going to attack DIB companies with a one-two punch.

Plans of Action & Milestones (POA&M)

The first punch is your POA&Ms.

Yes.  DoD is going to use your POA&Ms against you.  When the new Defense Federal Acquisition Rule Supplement (DFARS) clauses come out on POA&Ms, your organizations should be ready to:

  • Have NO open POA&M items for the 5-point NIST SP 800-171 requirements per the DoD Assessment Methodology (DoDAM)—otherwise you won’t be able to compete. Expect this requirement to be a flow down for the Prime’s entire supply chain.
  • Report your open POA&M items as a part of the solicitation.
  • If selected, expect a POA&M reporting requirement, completion timelines, and possible validations as a part of the contract.
  • If you fail to meet your POA&M timelines, get ready for negative Contractor Performance Assessment Reporting System (CPARS) reports on your firm.

If you really want to get worried: if you haven’t already reported your open POA&M items to DoD, DoD could simply expect your firm to be fully compliant the moment they do a no-cost mod to your contract, because you already have the DFARS -7012 clause in your contract.  There is a chance DoD could do this, but I don’t expect it, as it would be too disruptive to their contracts.

Supplier Performance Risk System (SPRS)

The second punch is your submission of your SPRS score.

Expect SPRS to change in the near-term.  DoD is going to require an executive from your organization to sign a letter attesting the score is true.  Expect DoD to require your organization to provide information on your open POA&Ms and possibly formal documents like your System Security Plan (SSP).

Left Flanker Mission Orders

The left flanker has been tasked to make you report on your organization’s compliance in order to make it easier for the main force to win.

The Main Force:  Department of Justice

The Department of Justice (DoJ) is the main body, and, yes, DoD brought in outside forces to the equation.

On October 6th, Deputy Attorney General Lisa O. Monaco announced their new Civil Cyber-Fraud Initiative.  This initiative will use the False Claims Act to hold accountable organizations or individuals that:

  • Put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services;
  • Knowingly misrepresenting their cybersecurity practices or protocols; or
  • Knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Remember from above, “The left flanker has been tasked to make you report on your organization’s compliance in order to make it easier for the main force to win.”

Did you catch the “individuals” above?  Yes, whoever signs the letter may be subject to personal liability for falsely attesting to the Federal government.  By the way, this is exactly what the Securities and Exchange Commission did when Sarbanes-Oxley took effect for publicly traded firms…

Yep, they will use your reported information to successfully prosecute firms that “Knowingly misrepresenting their cybersecurity practices or protocols.”

Main Force Mission Orders for DoJ

Publicly drive non-compliant firms out of the sector by fining them to death.

The Right Flanker:  Attack of the Zombies

On the right flank, DoD is going to juke one way and then hit hard with a surprise sucker punch.

Mandated 3rd Party Certifications

This is the juke.

An often-underestimated portion of DIB prime contractors and numerous levels of their tier suppliers will need to be certified by CMMC 3rd Party Assessor Organizations (C3PAO) for the new Level 2, and an even smaller portion by the Defense Industrial Base Cybersecurity Assurance Center (DIBCAC) for Level 3.

If you are a firm that deals with warfighter topics like Command, Control, Communications, Computers, & Intelligence (C4I), you may be one of the early ones who get tapped to be subject to mandated certifications.

Voluntary Certifications

“The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period.”[ii]

“Another area we are looking at is increasing the use of evaluation criteria for contracts where it doesn’t necessarily need to be a CMMC certification, but we will assess people’s network security as part of a source selection evaluation, so it would still be a factor in garnering an award prior to CMMC becoming effective through rulemaking,” [Stacy] Bostjanick [CMMC Program Management Office] said.[iii]

DoD is about to turn Primes into zombies who attack their own supply chains.

So, how does one “incentivize” a contractor to become compliant?  Increase their chances of winning a contract.  Sorry, Stacy, ethically DoD can’t set up a contract to “possibly garner a higher profit margin” for a certified contractor.  But, if DoD could find a way to increase the Prime’s profit margin because they are certified, the zombie apocalypse will only spread faster–Think Fast Zombies.

The only way to do this is to use Technical Evaluation Criteria.  Oh wait, remember I said you will have to provide your SPRS scores and open POA&Ms as a part of the solicitation…

Let’s play this out.  We know from their web site that “DoD will establish a minimum score requirement to support certification with POA&Ms.”[iv]  Let’s assume this is also a minimal threshold for a contract where all of the 5 pointers are implemented using the DoDAM method, or a score of 17 out of 110 (remember the lowest score is -203).  In this set-up,

  • Less than 17—not even allowed to bid
  • 18-110 – Self Attested
  • 3rd Party Certified 110 – BONUS POINTS

Sorry, those aren’t just the scores for the Primes; that is the average score for the Prime plus their teammates.

Suddenly, SPRS scores just went through the roof in criticality as a Technical Evaluation Criteria to assess cybersecurity risk.

  • Tied scores??—“Oh let’s go count the number or duration of open POA&M items for the teams…” the DoD PM suggests to the Contracting Officer.
  • Average score above 110???

DoD wants the Primes to start picking their teammates based first on the highest SPRS score, then highest Certified SPRS score, and eventually, a team that is certified at 110.

This is the DIB generating market pressure on itself internally, as firms seek a competitive advantage over their peers.  We have seen the same thing done before with AICPA SOC 2 Type II certifications.

Do not underestimate the effect this will have.

Right Flanker Mission Orders

Convert as many of your supply chain vendors to certified vendors as soon as possible.

Pincer Movement Intended Effects

As I said earlier, DoD’s goal has not changed—get the DIB to NIST SP 800-171 compliance.

They are going to use the DoJ to punish firms that don’t get compliant and yet still try to play in the sector.

They are going to use the Primes as the “new zombified bad-guys” to bring their supply chain into compliance.  If you want a chance to be on a DoD contract within two years, you better have a SPRS score of greater than 59 (all 5 and 3 pointers implemented).  In three years, you’ll need to be certified with a POA&M.

What should your organization do?

  1. Recognize the trap you are in. Rule one of all forms of combat is to know the tactics your enemy is using and adapt.
  2. Get out of the game or get compliant.

That last one may be harsh, but it is where this current version of the “DIB Game” is about to go.  If you want to get compliant and keep playing in the DIB sector, here is what your organization should do:

  1. Don’t procrastinate because of DoD-generated short-term confusion.
  2. Engage a firm that seriously understands CMMC. Authorized or committed Candidate C3PAOs would be my starting point.
  3. Work your POA&M items by point values to increase your SPRS score as quickly as possible.
  4. Reduce your executive’s risk by getting your cybersecurity efforts validated by a C3PAO or a very knowledgeable Registered Practitioner Organization.
  5. Get certified by an Authorized C3PAO.

[i] https://www.merriam-webster.com/dictionary/pincer%20movement

[ii] https://www.acq.osd.mil/cmmc/about-us.html

[iii] https://insidecybersecurity.com/daily-news/pentagon-considers-options-contractor-incentives-increase-cmmc-adoption

[iv] https://www.acq.osd.mil/cmmc/implementation.html