Small, Mid-Sized Companies Face Top-Tier DoD Cybersecurity Certification
Contractors in the lucrative DoD supply chain are tasked with updating cybersecurity protocols. Failing to meet deadlines will result in lost revenues.
In an effort to enhance the cybersecurity posture within the supply chain, the U.S. Department of Defense recently called for an extensive overhaul initiative that will have a substantial impact on businesses.
The release of the latest Cybersecurity Maturity Model Certification (CMMC) version places stringent requirements on direct DoD contractors and supply chain operations that handle varying levels of sensitive data. The new version 0.7 outlines a 5-tier system that puts the most rigorous cybersecurity protocols on the top levels. This policy is designed to ensure heightened cybersecurity measures are in place to reflect and protect the sensitivity of a DoD contractor’s information.
“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level-set because a good portion of our defense industrial base doesn’t have robust cyber hygiene,” DoD official Kate Arrington reportedly said of the CMMC rollout. “Only 1 percent of DIB (Defense Industrial Base) companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation-state attacks.”
Small, mid-sized, and large companies alike are required to meet the standards and earn third-party certification. Outfits that enjoy the benefits of lucrative DoD contracts should be aware that CMMC will reportedly be packaged into Requests for Information beginning in June 2020. It will also be a necessary factor in Requests for Proposals beginning in September 2020. As a business that relies on the profits generated from DoD work, it’s crucial to start updating cybersecurity. Operations that require top-tier certification would be wise to begin immediately.
Bottom-Tier CMMC Considerations
Companies engaged in work requiring only Level 1 or 2 certification are not being tasked with excessive cybersecurity overhauls. Many with a previous certification can simply show proof when bidding on work going forward. Because Level 1 and 2 only amount to what the DoD calls Basic and Intermediate Cyber Hygiene, your outfit could pull in a managed IT security specialist and cost-effectively earn certification with relative ease. It’s important to note that every organization will be champing at the bit to hire cybersecurity experts to comply on time. So, time is of the essence.
Top-Tier Takeaways from CMMC
Businesses that will need to complete upper-tier compliance could face substantial challenges. Level 3 has been deemed Good Cyber Hygiene by the DoD, while Levels 4 and 5 are designated Proactive and Advanced cybersecurity, respectively. These are some of the stringent controls decision-makers can anticipate.
- P1053: This control tasks contractors and supply chain outfits with improving or creating a Security Information and Event Management (SIEM) capability. This requirement adds automated network scanning and may call for a layer of artificial intelligence.
- P1060: This measure tasks organizations with enhanced cyber-threat awareness training. Staff education is expected to include knowledge of current and emerging threats, as well as conventional phishing techniques, among others. Outsourcing this type of cybersecurity training has proven effective for DoD supply chain companies and other sectors.
- P1101/1107: This may force small and mid-sized companies to take on a seemingly burdensome requirement of establishing a Security Operations Center during business hours to earn Level 4 certification. Level 5 requirements call for a 24/7 security center. This could prove cost-prohibitive for outfits that attempt to meet the standards using in-house IT teams.
- P1171: Top-tier CMMC requires companies to create and maintain an ability to proactively hunt cybersecurity threats. What distinguishes this capability from many other cybersecurity capabilities is that DoD contractors and supply chain outfits are expected to actively search for and disrupt intrusions that could penetrate existing controls, rather than waiting for alerts. This goes to the heart of national security because industry leaders are well aware cybercriminals and rival nations work tirelessly to beat our defenses.
Take Proactive Measures to Meet CMMC Requirements
DoD official Kate Arrington has made it abundantly clear that companies deriving benefits from lucrative contracts must adhere to the updated cybersecurity protocols or be left behind. It may seem like an excessive burden on small and mid-sized outfits until you factor in the genuine threats to national security. The vast amount of sensitive defense data is housed on contractor and supply chain company networks.
As the run-up to certification nears, industry leaders who wait will undoubtedly find themselves scurrying to meet deadlines. It’s imperative to keep in mind that your competitors will proactively enlist the help of third-party cybersecurity experts to gain a competitive advantage. Waiting could cost you dearly in lost, profit-driving DoD work.