Federal technology contractors hold the keys to our nation’s security in their networks, servers, and databases. Yet, recent incidents point to worrisome vulnerabilities that indicate increased cyber risk to defense contractors and the supply chain.
Bloomberg’s editorial board’s provocatively titled article, Contractors are Giving Away America’s Military Edge, highlights a long list of eye-opening security breaches that have beset Department of Defense (DoD) contractors in recent months. Noteworthy incidents include theft by China of highly sensitive information, the 2018 DoD breach that exposed the personal information of 30,000 military and civilian personnel, and more. The article also cites a recent BitSight report that found that 5.6 percent of aerospace and defense contractors reported at least one data breach since 2016.
Now, the DoD has apparently had enough of the status quo. In September, the DoD issued a public draft of Version 0.4 of its Cybersecurity Maturity Model Certification (CMMC), which establishes a tiered framework that outlines specific criteria for defense contractor risk management.
With the CMMC, the DoD has laid down an ultimatum to its contractors: up your cyber defenses, or we simply will not do business with you.
The model clearly articulates several requirements that contractors must meet to qualify for various maturity certifications. Those certifications range from Level 1, “Basic cybersecurity,” to Level 5, “Highly advanced cybersecurity practices.”
The CMMC employs a complex and comprehensive matrix that encompasses 18 different cybersecurity best-practice areas, from “Access Control” to “System and Information Integrity.” The amount of detail contained within the model takes it beyond the popular NIST Cybersecurity Framework, although it incorporates parts of that risk management framework and other sources.
You can learn more about the CMMC by reading the draft framework, which is scheduled to be finalized in January 2020.
Upon finalization, the CMMC will require contractors to partner with an independent third-party agency, which will schedule an assessment. Contractors can select the level of certification they are applying for, and will be required to demonstrate their cybersecurity maturity to the assessor. Self-certification is not allowed.
Once the assessment is complete, the certification level (though not specific results) will be made available to the DoD and the public. That means that anyone will be able to easily determine the contractor’s cybersecurity maturity, which could potentially impact any business dealings the organization has even beyond the federal government.
The DoD’s new cybersecurity maturity model makes it critically important for both the defense agency and its contractors to strengthen and validate their respective security postures. The two groups can approach this challenge in different ways.
Although the CMMC prohibits self-assessments, it’s still imperative that contractors assess their operations on a continual basis to ensure that they are maintaining high security standards. Contractors can use ongoing security performance management (SPM), including continuous monitoring and security ratings, to assess their overall security levels. These processes can be done quickly and effectively, and provide a more accurate, day-to-day picture of an organization’s security posture than a quarterly “point-in-time” snapshot. When an independent auditor performs their assessment, the contractors that consistently employ these techniques will likely have a better chance of meeting the requirements set forth by the CMMC.
The need for comprehensive SPM is just as important, if not more so, for the DoD. The DoD works with tens of thousands of contractors on a daily basis, and many of those contractors likely work with their own vendors. The sheer number of vendors involved makes it difficult for the DoD to effectively monitor security throughout its supply chain. This large-scale challenge was undoubtedly one of the reasons the DoD created a framework that is more robust and all-encompassing than those already available.
It’s worth noting that BitSight’s SPM solutions collect security data that can be mapped to any risk management framework, including the CMMC. The quantitative performance data provided by these solutions can help the DoD understand how, or if, their contractors are meeting the requirements presented by the CMMC.
With the introduction of the CMMC, the DoD has made it clear that it will no longer tolerate lax cybersecurity standards among its contractors. Contractors need to step up their game if they are to continue doing business with the DoD. Conversely, the DoD must take steps to validate its contractors to ensure that they are in compliance with the CMMC. If all parties can work together to minimize vulnerabilities, we may see fewer breaches and incidents in 2020.
© 2021 BitSight Technologies. All Rights Reserved.