How New Cybersecurity Rules Could Shape DoD Contractor M&A

Cyber threats continue to pose a major risk to international security, and companies that fail to heed these threats may be at a significant disadvantage when bidding for contracts with the Department of Defense. Whether contracting directly or as subcontractors, all manufacturers must be mindful of the new rule, which went into effect in November 2020. This new rule mandates that DoD contractors and subcontractors complete detailed cybersecurity self-assessments. Ultimately, this rule could affect M&A activity in the sector.

The interim rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to require the addition of a DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) framework. The goal here is to protect the security of unclassified data at all points in the DoD supply chain.

As of November 30, all prime contractors and subcontractors must complete an assessment before renewing their DoD contract. As contract renewals approach, more and more companies will be doing this. Specifically, under DFARS clause 252.202-7012, companies must implement the 110 security controls outlined in National Institute of Standards and Technology Special Publication 800-171. There is also a new assessment requirement for any DoD procurements awarded after November 30 with values in excess of $10,000.

This marks the first year of a five-year roll-out for the CMMC. Eventually, the CMMC framework will apply to all DoD subcontractors, suppliers, and contractors. Third-party assessment organizations will eventually perform cybersecurity assessments under the rule.

The goal here is to reduce intellectual property theft, which the Federal Register estimates to cost $570 billion to $1.09 trillion. This theft is a major threat to U.S. industry and security, yet many A&D contractors have neither kept on top of the threat nor implemented appropriate cybersecurity controls to mitigate the risk.

We are already seeing how this new DoD requirement could impact M&A. The cost of implementing these new requirements is not small, particularly for small contractors and subcontractors. Moreover, these businesses will lose clients if they do not comply. Thus, many are opting to put their companies on the market rather than invest in a cybersecurity strategy that may not increase revenues. Larger companies are gobbling up these smaller entities in an attempt to expand their portfolios, streamline operations, and otherwise become more competitive.

We anticipate this will continue as the full requirements of CMMC continue to expand. Sellers may have attractive businesses that can easily be brought into compliance with the help of larger entities. And buyers may be able to get access to new IP and other valuable property when smaller competitors simply can’t keep up with increasing cybersecurity requirements.