𝐇𝐨𝐰 𝐥𝐨𝐧𝐠 𝐝𝐨𝐞𝐬 𝐢𝐭 𝐭𝐚𝐤𝐞 𝐚 𝐜𝐨𝐦𝐩𝐚𝐧𝐲 𝐭𝐨 𝐠𝐨 𝐛𝐚𝐧𝐤𝐫𝐮𝐩𝐭 𝐰𝐡𝐞𝐧 𝐢𝐭 𝐜𝐚𝐧’𝐭 𝐰𝐢𝐧 𝐰𝐨𝐫𝐤?
One year? Two? Three?
Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Industrial Base.
Back in 2017 (six years ago), new and renewing DoD contracts started including the DFARS 252.204-7012 clause. The intent of adding the 7012 clause to new contracts was to get defense contractors to increase their bid to account for increased cybersecurity costs (typically double or triple what a commercial company spends on IT).
So in 2018, a new contract comes out for bid. The contract asks for parts that cost roughly $1m to produce. The contract also asks for cybersecurity, which would require an additional $500k to comply with.
Ten companies bid on this contract.
Five companies carefully read the contract, see the 7012 clause, contact a cybersecurity consultant to understand what it means, and adjust their bid from $1m to $1.5m.
The other five companies, for various reasons, disregard the 7012 clause. They bid only based on the cost to manufacture, which is $1m.
Who wins that contract?
Who wins the next contract?
And the one after that?
𝐇𝐨𝐰 𝐥𝐨𝐧𝐠 𝐝𝐨𝐞𝐬 𝐢𝐭 𝐭𝐚𝐤𝐞 𝐚 𝐜𝐨𝐦𝐩𝐚𝐧𝐲 𝐭𝐨 𝐠𝐨 𝐛𝐚𝐧𝐤𝐫𝐮𝐩𝐭 𝐰𝐡𝐞𝐧 𝐢𝐭 𝐜𝐚𝐧’𝐭 𝐰𝐢𝐧 𝐰𝐨𝐫𝐤?
Since 2017, because of this system of perverse incentives, it is my opinion that we’ve driven almost every compliant company out of the DIB.
Even today, with CMMC looming over us, the companies that are able to bid low are 𝘴𝘵𝘪𝘭𝘭 𝘸𝘪𝘯𝘯𝘪𝘯𝘨 𝘵𝘩𝘦 𝘸𝘰𝘳𝘬! I can’t even fault contractors for dragging their feet on cybersecurity. If they didn’t have that attitude, they would be GONE.
I have to give major respect to Katie Arrington, Stacy Bostjanick, and DoD A&S leader Ellen Lord for identifying the solution to this problem: mandatory verification of compliance as a prerequisite for contract award.
CMMC is the solution that will fix the perverse system which makes compliant defense contractors too expensive to win the work. We should be rewarding them, not driving them to bankruptcy.
In the meantime, is there any way to protest a contract award when you know your competitor isn’t performing cybersecurity? It is a fairly simple task for a systems administrator to look up DNS records for a company to see if they are using FedRAMP cloud providers. Could that be a strategy? Has anyone heard of this working?