Why The DOD Is Making Cybersecurity Maturity Evaluation Mandatory (And Why You Should Too)

Why The DOD Is Making Cybersecurity Maturity Evaluation Mandatory (And Why You Should Too)

Government agencies in the United States are yet again suffering from a widespread data hack, this time originating from Microsoft Exchange servers. This breach comes less than five months after the SolarWinds breach exposed vulnerabilities across dozens of industries, including government agencies. How is the government pivoting to protect their network from these increasingly widespread attacks?

A potential protection mechanism is being tested in the form of the Cybersecurity Maturity Model Certification, a Department of Defense (DOD) creation to help regulate the cybersecurity practices of the third parties working with government agencies. In the wake of the recent breaches, the DOD has implemented more stringent guidelines on how contractors and third parties need to meet cybersecurity maturity requirements before working within the department’s network.

What is included in the DOD’s Cybersecurity Maturity Model Certification, and what pieces of it should your organization include in your own vendor management strategies? 

What is the Cybersecurity Maturity Model Certification?

Originally created in 2019, the Cybersecurity Maturity Model helped place contractors into different categories based on their cybersecurity maturity. The model required independent verification from a third party evaluator to a rank contractor in various cybersecurity categories. While a low cybersecurity maturity model score didn’t immediately mean an organization was prevented from doing business with the DOD, the public access to the cybersecurity maturity model certification results did mean all of their current and future business partners now could see the inherent risk associated with them as a contractor. 

To give a sense of what’s included for each level of maturity, here is what’s written for what the DOD considers lowest to highest in terms of cybersecurity maturity model rankings:

  • Level 1: Basic cybersecurity, limited resistance against data exfiltration
    • Practices are performed at least in ad-hoc manner
  • Level 2: Inclusive of universally accepted cybersecurity best practices and are resilient against unskilled threat actors.
    • Practices are documented
  • Level 3: Coverage of all NIST SP 800-171 rev 1 controls, moderate resistance against data exfiltration with comprehensive knowledge of cyber assets.
    • Processes are maintained and followed
  • Level 4: Advanced and sophisticated cybersecurity practices that are resilient against threat actors, defenses responses approach machine speed. 
    • Processes are properly reviewed, resources, and improved across the enterprise
  • Level 5: Highly advanced cybersecurity practices, machine performed analytics and defensive actions.
    • Continuous improvement of processes across the enterprise

What’s Changed Recently?

With cybersecurity risk currently at the forefront of many headlines and government conversations, the Department of Defense has made it mandatory for each of their third parties to be certified using the Cybersecurity Maturity Model framework, ensuring that vendors are meeting compliance standards with different processes and practices before they are integrated into the DODs network. 

Instead of just measuring their third parties maturity, the DOD is now focused on preventing further exploitations by requiring levels of cybersecurity program maintenance and processes. 

It’s Not Just A Government Agency Problem

It should come as no surprise to us that if cybersecurity threats are present on well-funded and tended-to government networks, then there are also bad actors lurking on the networks of most industries. Whether or not we all can afford to be selective enough to require each organization in our vendor network to meet cybersecurity maturity model requirements through external audits is a large task. 

There are key points raised by the DOD’s cybersecurity maturity model that can be applied to your third-party risk management strategy to reduce risk across your vendor ecosystem. 

  • Set risk-based thresholds - Your most critical vendors should be held to tighter standards because they are closest to your most sensitive data. Setting the proper risk-thresholds for vendors based on the risk they bring to your organization is similar to deciding what level of maturity should be required for a vendor. 

Establishing different tiers of maturity needed for each vendor will allow you to prioritize your resources on the third parties that matter the most. Bitsight’s Third Party Risk Management platform offers a tier recommendation for new and current vendors to help you prioritize efforts to have the most impact.

Cybersecurity Risk Rating Solutions Buyers Guide & Recommendations

Not all security ratings are created equal. From the reliability of their data, to the transparency of the ratings process, to the dispute resolution process, you need to be selective about who you choose as your ratings partner. Here's what you should look for when choosing a cyber security ratings partner.

Independently verify vendor information.

One of the key pieces of the DOD’s Cybersecurity Maturity Model Certification is that the contractors must use a third party evaluation to determine their level of program maturity. Gaining an external viewpoint of your vendors, as well as your own program is critical to obtaining an accurate picture of your cybersecurity landscape. Security ratings are a usable, external view of your organization, and can also effectively represent a third-party’s network. 

Include cybersecurity in vendor contracts.

An easy-to-implement starting point for increasing the maturity requirement of your vendors is to include cybersecurity in your vendor contracts. Requiring a few key points, like an established remediation plan or proven historical cybersecurity performance, are an easy way to gauge your vendor’s risk up front, and potentially save your organization from choosing a riskier vendor.