The DoD’s Cybersecurity Maturity Model Certification Draws a Line in the Sand for Third Party Risk

Jake Olcott | November 25, 2019 | tag: Third Party Risk Management

Federal technology contractors hold the keys to our nation’s security in their networks, servers, and databases. Yet, recent incidents point to worrisome vulnerabilities that indicate increased cyber risk to defense contractors and the supply chain. 

Bloomberg’s editorial board, in its provocatively titled article “Contractors are Giving Away America’s Military Edge,” highlights a laundry list of eye-opening security breaches that have beset Department of Defense (DoD) contractors in recent months. Noteworthy incidents included theft by China of highly sensitive information, the 2018 DoD breach that exposed the personal information of 30,000 military and civilian personnel, and more. The article also quotes a recent BitSight report that found that 5.6 percent of aerospace and defense contractors reported at least one data breach since 2016.

Now, the DoD has apparently had enough of the status quo. In September, the DoD issued a public draft of Version 0.4 of its Cybersecurity Maturity Model Certification (CMMC), which establishes a tiered framework that outlines specific criteria for defense contractor risk management. 

With the CMMC, the DoD has laid down an ultimatum to its contractors: up your cyber defenses, or we simply will not do business with you.

What is the Cybersecurity Maturity Model Certification?

The model clearly articulates several requirements that contractors must meet to qualify for various maturity certifications. Those certifications range from Level 1, “Basic cybersecurity,” to Level 5, “Highly advanced cybersecurity practices.”

The CMMC employs a complex and comprehensive matrix that encompasses 18 different cybersecurity best practices, from “Access Control” to “System and Information Integrity.” The amount of detail contained within the model takes it beyond the popular NIST Cybersecurity Framework, although it incorporates parts of that risk management framework and other sources.

You can learn more about the CMMC by reading the draft framework, which is scheduled to be finalized in January 2020.

What does the CMMC Mean for Third Party Contractors?

Upon finalization, the CMMC will require contractors to partner with an independent third-party agency, which will schedule an assessment. Contractors can select the level of certification they are applying for, and will be required to demonstrate their cybersecurity maturity to the assessor. No self-certification is allowed.

Once the assessment is complete, the certification level (though not specific results) will be made available to the DoD and the public. That means that anyone will be able to easily determine the contractor’s cybersecurity maturity, which could potentially impact any business dealings the organization has even beyond the federal government.

Using Security Performance Management to Validate Cybersecurity Standards

The DoD’s new cybersecurity maturity model makes it critically important for both the defense agency and its contractors to strengthen and validate their respective security postures. There are differences in the ways that these groups can approach this challenge.

Although the CMMC prohibits self-certification, it is still imperative that contractors assess their operations on a continual basis to ensure that they are maintaining high security standards. Contractors can use ongoing security performance management (SPM), including continuous monitoring and security ratings, to assess their overall security levels. These processes can be done quickly and effectively, and they provide a more accurate, day-to-day picture of an organization’s security posture than a quarterly “point-in-time” snapshot. When an independent auditor performs its assessment, the contractors that consistently employ these techniques will likely have a better chance of meeting the requirements set forth by the CMMC.

The need for comprehensive SPM is just as important, if not more so, for the DoD. The DoD works with tens of thousands of contractors on a daily basis, and many of those contractors likely work with their own vendors. The sheer number of vendors involved makes it difficult for the DoD to effectively monitor security throughout its supply chain. This large-scale challenge was undoubtedly one of the reasons the DoD created a framework that is more robust and all-encompassing than those that were already available.

It’s worth noting that BitSight’s SPM solutions collect security data that can be mapped to any risk management framework, including the CMMC. The quantitative performance data provided by these solutions can help the DoD understand how, or if, their contractors are meeting the requirements presented by the CMMC.

Working Together to Minimize Cyber Risk

With the introduction of the CMMC, the DoD has made it clear that it will no longer tolerate lax cybersecurity standards among its contractors. Contractors need to step up their games if they are to continue to do business with the DoD. Conversely, the DoD must take steps to validate its contractors to ensure that they are in compliance with the CMMC. If all parties can work together to minimize vulnerabilities, we may see fewer breaches and incidents in 2020 and beyond.
