The DoD’s Cybersecurity Maturity Model Certification Draws a Line in the Sand for Third Party Risk

Federal technology contractors hold the keys to our nation’s security in their networks, servers, and databases. Yet, recent incidents point to worrisome vulnerabilities that indicate increased cyber risk to defense contractors and the supply chain.

Bloomberg’s editorial board’s provocatively-titled article, Contractors are Giving Away America’s Military Edge, highlights a laundry list of eye-opening security breaches that have beset Department of Defense (DoD) contractors in recent months. Noteworthy incidents included theft by China of highly sensitive information, the 2018 DoD breach that exposed the personal information of 30,000 military and civilian personnel, and more. The article also quotes a recent BitSight report that found that 5.6 percent of aerospace and defense contractors reported at least one data breach since 2016.

Now, the DoD has apparently had enough of the status quo. In September, the DoD issued a public draft of Version 0.4 of its Cybersecurity Maturity Model Certification (CMMC), which establishes a tiered framework that outlines specific criteria for defense contractor risk management.

With the CMMC, the DoD has laid down an ultimatum to its contractors: up your cyber defenses, or we simply will not do business with you.

What is the Cybersecurity Maturity Model Certification?

The model clearly articulates several requirements that contractors must meet to qualify for various maturity certifications. Those certifications range from Level 1, ”Basic cybersecurity,” to Level 5, “Highly advanced cybersecurity practices.”

The CMMC employs a complex and comprehensive matrix that encompasses 18 different cybersecurity best practices, from “Access Control” to “System and Information Integrity.” The amount of detail contained within the model takes it beyond the popular NIST Cybersecurity Framework, although it incorporates parts of that risk management framework and other sources.

You can learn more about the CMMC by reading the draft framework, which is scheduled to be finalized in January 2020.

What does the CMMC Mean for Third Party Contractors?

Upon finalization, the CMMC will require contractors to partner with an independent third party agency, which will schedule an assessment. Contractors can select the level of certification they’re applying for, and will be required to demonstrate their cybersecurity maturity to the assessor. There is no self-certification allowed.

Once the assessment is complete, the certification level (though not specific results) will be made available to the DoD and the public. That means that anyone will be able to easily determine the contractor’s cybersecurity maturity, which could potentially impact any business dealings the organization has even beyond the federal government.

Using Security Performance Management to Validate Cybersecurity Standards

The DoD’s new cybersecurity maturity model makes it critically important for both the defense agency and its contractors to strengthen and validate their respective security postures. There are differences in the ways that these groups can approach this challenge.

Although the CMMC prohibits self-assessments, it’s still imperative that contractors assess their operations on a continual basis to ensure that they are maintaining high security standards. Contractors can use ongoing security performance management (SPM), including continuous monitoring and security ratings, to assess their overall security levels. These processes can be done quickly and effectively, and provide a more accurate, day-to-day picture of an organization’s security posture than a quarterly “point-in-time” snapshot. When an independent auditor performs their assessment, the contractors that consistently employ these techniques will likely have a better chance of meeting the requirements set forth by the CMMC.

The need for comprehensive SPM is just as important, if not more so, for the DoD. The DoD works with tens of thousands of contractors on a daily basis. Many of those contractors likely work with their own vendors. The sheer number of vendors accounted for makes it difficult for the DoD to effectively monitor security throughout its supply chain. This large-scale challenge was undoubtedly one of the reasons why the DoD created a framework that was more robust and all-encompassing than those that were already available.

It’s worth noting that BitSight’s SPM solutions collect security data that can be mapped to any risk management framework, including the CMMC. The quantitative performance data provided by these solutions can help the DoD understand how, or if, their contractors are meeting the requirements presented by the CMMC.

Working Together to Minimize Cyber Risk

With the introduction of the CMMC, the DoD has made it clear that it will no longer tolerate lax cybersecurity standards among its contractors. Contractors need to step up their games if they are to continue to do business with the DoD. Conversely, the DoD must take steps to validate their contractors to ensure that they are in compliance with the CMMC. If all parties can work together to minimize vulnerabilities, we may see fewer breaches and incidents in 2020 and beyond.