A potential protection mechanism is being tested in the form of the Cybersecurity Maturity Model Certification, a Department of Defense (DOD) creation to help regulate the cybersecurity practices of the third parties working with government agencies. In the wake of the recent breaches, the DOD has implemented more stringent guidelines on how contractors and third parties need to meet cybersecurity maturity requirements before working within the department’s network.
What is included in the DOD’s Cybersecurity Maturity Model Certification, and what pieces of it should your organization include in your own vendor management strategies?
Originally created in 2019, the Cybersecurity Maturity Model helped place contractors into different categories based on their cybersecurity maturity. The model required independent verification from a third-party evaluator to rank a contractor in various cybersecurity categories. While a low cybersecurity maturity model score didn’t immediately mean an organization was prevented from doing business with the DOD, public access to the certification results did mean that all of its current and future business partners could now see the inherent risk associated with it as a contractor.
To give a sense of what’s included for each level of maturity, here is what’s written for what the DOD considers lowest to highest in terms of cybersecurity maturity model rankings:
With cybersecurity risk currently at the forefront of many headlines and government conversations, the Department of Defense has made it mandatory for each of its third parties to be certified using the Cybersecurity Maturity Model framework, ensuring that vendors meet compliance standards for different processes and practices before they are integrated into the DOD’s network.
Instead of just measuring its third parties’ maturity, the DOD is now focused on preventing further exploitation by requiring levels of cybersecurity program maintenance and processes.
It should come as no surprise that if cybersecurity threats are present on well-funded and well-tended government networks, then there are also bad actors lurking on the networks of most industries. Whether we can all afford to be selective enough to require every organization in our vendor network to meet cybersecurity maturity model requirements through external audits is another matter: it is a large task.
There are key points raised by the DOD’s cybersecurity maturity model that can be applied to your third-party risk management strategy to reduce risk across your vendor ecosystem.
Establishing different tiers of maturity needed for each vendor will allow you to prioritize your resources on the third parties that matter the most. BitSight’s Third Party Risk Management platform offers a tier recommendation for new and current vendors to help you prioritize efforts to have the most impact.
One of the key pieces of the DOD’s Cybersecurity Maturity Model Certification is that contractors must use a third-party evaluation to determine their level of program maturity. Gaining an external viewpoint of your vendors, as well as of your own program, is critical to obtaining an accurate picture of your cybersecurity landscape. Security ratings are a usable, external view of your organization, and can also effectively represent a third party’s network.
An easy-to-implement starting point for increasing the maturity requirement of your vendors is to include cybersecurity in your vendor contracts. Requiring a few key points, like an established remediation plan or proven historical cybersecurity performance, is an easy way to gauge your vendor’s risk up front, and potentially save your organization from choosing a riskier vendor.