In recent months, the Department of Defense declared a new initiative called “Deliver Uncompromised,” which aims to improve the private sector’s focus on security and established security as a fourth key evaluation pillar, alongside the other pillars: cost, schedule, and performance. This new initiative may have considerable changes in store for future DoD contractors including increased requirements for security and supply chain management. For a detailed examination of the potential initiative, review MITRE’s in depth report.
In an increasingly globalized economy, the DoD is facing significant threats to the security of its contracts and information. Understandably, the DoD wants to maintain secrecy of its information which is held on all levels of the supply chain. In order to achieve this, the Deliver Uncompromised initiative aims to incentivize private sector companies to properly secure these assets by establishing a higher minimum standard for security to work on any component of a DoD contract. For a contractor, this would cause security to become a differentiator instead of an overlooked overhead cost.
This initiative is especially important for prime and subcontractors that work on DoD contracts. In the future, higher levels of proven security will be necessary in order to feasibly win DoD contracts. Those prime and subcontractors that are not compliant with security standards will not be able to win business once a new standard is set. Additionally, because any contractor is responsible for all subcontractors it utilizes, contractors must take the time to properly assess each subcontractor to ensure their operations do not jeopardize the contractor’s ability to do business with the DoD.
In order to prepare for this transition, it is critical that organizations take the following steps:
- Prepare yourself: Apply any of the various National Institute of Standards and Technology (NIST) security frameworks.
- Although the DoD has not yet formally set out minimum standards for compliance, it is very likely their requirements will mirror those of industry standard frameworks, such as NIST 800-53 or NIST 800-171. To be better prepared for a change in regulation it is strongly recommended that contractors begin to adopt and apply these standards. Once a formal regulation is introduced, the organizations that already have the framework set will have a significant market advantage because their security posture will be more mature and in line with industry standard requirements.
- Prepare your subcontractors: Ensure all subcontractors are aligned with an industry framework, such as NIST.
- Contractors should ensure that each subcontractor it plans to utilize is aligned with an industry framework. Contractors take responsibility for the work done by their subcontractors and as a result, a subcontractor’s lack of security controls can inhibit the ability of the contractor to win and maintain work in the future.
- Prepare for the future: Establish policies, procedures, and implement controls to maintain alignment and quickly adapt to change.
- It is crucial that an organization invests resources to remain aligned with its chosen industry standard. This process involves continuous monitoring of internal operations as well as enhanced subcontractor selection processes to ensure future subcontractors are prepared by being aligned in an industry standard security framework (step 2).
The Deliver Uncompromised initiative is still in the proposal stages. However, recent legislation in the form of the National Defense Authorization Act has passed with the same themes present: further strengthening critical cybersecurity programs and initiatives within the DoD. It won’t be long before the Deliver Uncompromised initiative dominates the conversation for DoD contractors.
Look out for additional details regarding the Deliver Uncompromised initiative on our blog shortly. If you have further questions, please contact one of our risk advisory specialists at 301.231.6200.