DoD officials frequently cite the enormous cost of cyber breaches on the US economy and the national security implications of IP theft from the US defense industrial base (DIB). Cyber hacks have resulted in the loss of DoD data related to high-grade weapon systems and platforms, reportedly including the F-35. These losses are unacceptable at any time, but the current US Administration has decided that it’s time to verify the trust it places in DIB contractors – cyber security must now underpin all DoD procurements.
In January 2020, the US Department of Defense published the first draft of the Cybersecurity Maturity Model Certification (CMMC), a new framework which the defense supply chain will now need to comply with. This reflects a significant shift in the DoD’s approach towards cyber security in the defense supply chain. Defense contractors can no longer self-assert that they are meeting contractual cyber security standards – now they have to prove it. The first RFPs to include a CMMC requirement are expected before the end of the year.
Starting this summer, the first DoD requests for information (RFIs) will include a CMMC Level that will reflect the level of cyber security required by the contractor to fulfil the contract. The levels range from 1 to 5 – basic cyber hygiene up to advanced, progressive cyber security. The overwhelming majority of contracts are expected to be awarded at Level 1 or 3, with Levels 4 and 5 set to apply to sensitive and classified contracts.
Despite concerns from industry these ‘new’ cyber security requirements will be cost-prohibitive, DoD officials are quick to point out that many companies currently contracting with the DoD are already subject to these standards through clauses in their contracts – they’re just not audited on their compliance with these clauses. So the expectation is that CMMC will not lead to significant additional costs for the DIB. Moreover, the DoD has accepted that these costs can even be rolled into proposals. It’s an additional cost of business that DoD is willing to incur.
An Accreditation Body (AB) has been stood up to train certified third party assessment organisations (C3PAOs) who will be charged with conducting audits of DIB companies for compliance against the CMMC framework. Following an audit, the AB will issue a CMMC certification that will last for two years.
Both large, multinationals and SMEs in the defense sector are adjusting to the reality of CMMC and the requirements that compliance demands. Some companies may only need to achieve CMMC Level 1, which consists of 17 controls biannually. However, for an SME subcontractor who has never directly dealt with the DoD, now being subject to DoD acquisition requirements could seem unnecessary and burdensome. Some companies may even need to assess CMMC on an ongoing basis, or they may require varying CMMC Levels for different divisions of the company. And C3PAOs will have a queue of hundreds of thousands of DIB companies requiring audits as CMMC is fully rolled out over the next few years (the goal is to have CMMC in all DoD contracts by 2025).
Moreover, DoD officials acknowledge that they have been in discussions with other US government departments about CMMC, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), fuelling speculation (expectation?) that CMMC could eventually become a requirement in all federal procurements. They will be keenly observing how the CMMC rollout goes, especially the impact on critical supply chains.
All of this may sound overwhelming and a time-consuming effort for network owners and C3PAOs alike, but this is where technology can help. Significant time and resource can be saved by automating the CMMC compliance checks using Titania Nipper, which can significantly contribute to demonstrating compliance in eight of the 17 CMMC Domains. Titania software also identifies otherwise-missed false negatives and includes recommendations and specific command line fixes for any issues found, helping to reduce internal teams’ mean time to remediation and ensure continuous cyber hygiene.
If all goes to plan, cyber security will become baked into all US government contracts by the end of the decade. And whilst And whilst no government wants to burden its supply chain, especially small business, with additional regulation, the economic and national security costs of poor cyber security in the defense supply chain has warranted the introduction of CMMC. Never again should US service men and women lose the technical advantage on the battlefield. And this starts with ensuring cyber hygiene at home.
Discover which security practice checks you can automate with Nipper:
Download the CMMC Mapping Summary >
Matt Malarkey