Cyber Risk Maturity, the process of managing cyber threats better every day, is not as hard to implement as it sounds. In my experience as a Registered Practitioner (RP) working with a Registered Provider Organization (RPO), Maturity requires a good amount of trial and error followed by implementation and adaptation. Think about when you watch someone grab the wrong part of the hot coffee pot – you conclude that is not a process you want to emulate, and when you pour your cup of coffee, you don’t get burned. Any registered practitioner knows what not to do when building a network infrastructure and securing it, but it can be harder to figure out the right steps to take when there are so many moving variables and options on the marketplace.
My rule of thumb is this: Do Not Trust. For the same reason you wouldn’t get your medical examinations from your dry-cleaner, you should find certified professionals to lead you to compliance. It takes time and caution to find trustworthy and suitable suppliers. The Department of Defense (DoD) must verify that its Defense Supply Chain (DSC) shows Cyber Risk Maturity to some Level before awarding a contract, because the entire security ecosphere depends on the supply chain’s participation in top cybersecurity standards.
With this in mind, the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) has been tasked with overseeing the process for approving RPOs and their RPs.
Not only do these ensure the safety of the supply chain, but they give a competitive advantage when seeking new contracts. The NIST 800-series has been viewed as successful best practices by many businesses, even those not currently under any requirement, and there is talk of similar requirements soon going beyond the DSC.
Businesses need to comply with CMMC in order to be awarded Department of Defense (DoD) contracts – as a Prime or Subcontractor. (Courtesy of HumanTouch LLC). If you are like most of the industry and looking to meet Maturity Level (ML) 1-3, then you are likely asking how to meet the requirements of these levels, and probably getting some confusing answers.
That’s why I have been corresponding with business owners of small and micro small subcontractors, as well as executives at the big prime contractors – to understand the effects of the CMMC requirements already appearing in contracts and see how these requirements are playing out in real-time.
A lot of bigger contractors have Security Operation Centers (SOC) and other in-house capabilities that satisfy the requirements of CMMC. When I ask the primes how they are supporting their supply chain in the effort to mature Cyber Risk Management capabilities, most of them are simply providing education to small businesses.
I know that a good business owner will look at many options before making the best decision for their business, and that starts with better education in Cyber Risk Management. A lot of the questions about CMMC requirements are already being asked and answered across platforms that share it at no cost to you. Beyond just FAQs, there are so many additional resources available for free.
If you have not already, turn to your local Manufacturing Extension Partnership (MEP) for state funding to get your first phase of Cyber Risk Maturity in motion. Most organizations that have been through a Cyber Maturity process will likely recommend working with an RPO if you want to get your money’s worth.
To help with questions left unanswered, our partners at ECS have created a buyers guide that delves into translating the requirements and understanding the goals. There are also resources like CyberAssist under NDISAC that will make it much easier to fill out a self-assessment questionnaire for NIST SP 800-171.
(Learn More. The Defense Federal Acquisition Regulation Supplement (#DFARS) 252.204-7020 is one of the three newly released clauses and requires contractors to provide the Government access to its facilities, systems, and personnel any time the #DoD is renewing or conducting a Medium or High #cybersecurity assessment. This clause also includes a flowdown requirement that states a contractor is now required to ensure all tiered subcontractors have results of a current assessment in SPRS in accordance with the DFARS 7019 clause. Courtesy of Summit 7 Systems and YouTube. Posted on Nov 6, 2020.)
Most contracts requiring you to upload your score into Supplier Performance Risk Score (SPRS) are not requiring the incumbent or awardee to have the controls 100% satisfactory – this is simply an exercise to record progress and map maturity.
Cybersecurity used to be treated as a pillar of consideration for DoD contracts before the move towards CMMC – now it is the foundation.
Find a good partner to translate the controls and help maintain your business as an asset before it becomes a liability. There are great vendors that listen, understand your need, and then communicate a solution clearly and treat your problems like their own.
To make the process of finding solutions that are optimized for your needs, I advise OSCs to start with consultants and advisors that are listed in the CMMC-AB marketplace. They have all have signed off on the Code of Professional Conduct (CoPC), which holds them accountable as CMMC professionals.
Cyber Maturity needs to go into all business decisions going forward if that business plans on staying afloat.
Do whatever you can now to ensure that your organization is prepared for what will come down the pipeline from the DoD. It’ll pay off in the long-term, winning you more contracts and costing national security less in the fight against cybercrime.
You can read the original publication of James' article here at American Security Today: