The entry barrier for doing business with the Federal Government is shifting again, and it is no surprise that the shift stems from a cybersecurity point of view. The emerging Cybersecurity Maturity Model Certification (CMMC) initiative is raising the stakes for the Defense Industrial Base (DIB). The DoD will no longer accept a “self-certification” approach to how its vendors comply with DFARS requirements for adequate security and protecting CUI.
CMMC is conveying a clear message from the world’s largest employer to its supply-chain: “We will verify your cybersecurity capabilities prior to doing business with you.”
For many of the 300,000+ companies comprising the DIB, demonstrating compliance with CMMC is not merely conforming to a standard. It is a matter of staying in the DoD contracting business or, for many, staying in business – period. Talk about a wake-up call!
There is an on-going debate as to whether the current approach and roll-out of CMMC will be successful. A key issue revolves around the legal aspects of how the CMMC Accreditation Body (AB) can be empowered to determine whether a business may bid on a government contract. I will leave that debate for others to comment on, but it is sure to be contentious.
The underlying origin of CMMC grew from the challenge of cyber threats to the entire federal business ecosystem. The federal government, along with its federal contracting community, is inundated with constant, collective cyberattacks on its IT infrastructure. The COVID-19 outbreak and the surging telecommuting workforce reveal increased threats due to extensive remote access. This further underscores how unexpectedly and how quickly cyber incursions expand and change.
As an example, DDoS attacks - cyber-attacks in which perpetrators seek to make machine or network resources unavailable to their intended users - have increased 542% from Q4 2019 to Q1 2020. Researchers suggest the spike may be linked to a parallel increase in malicious cyber activity during the COVID-19 pandemic. According to the FBI, instances of cybercrime appear to have jumped by as much as 300% in the same period. This is being attributed to America’s daily activities moving to a predominantly online platform, with newly remote workers unaware of basic security measures and companies struggling to keep externally accessed systems secure.
Verizon’s 2020 Data Breach Investigations Report indicates small businesses account for 58% of data breaches. The notion that “there is no such thing as bad publicity” does not hold true in the Age of Digital Transformation, as data breaches, spillages, and successful ransomware attacks are certain to cripple a company’s reputation.
Today’s reality is that there is a cyber cost for SMBs staying in business that cannot be delayed, circumvented, or ignored any longer. This includes the businesses that comprise the DIB, because its supply chain remains a target-rich environment for cyberthreat actors and nation states.
The emergence of CMMC (and its precursor, DFARS 252.204-7012) feels different – and it should. Those of us who slogged through the early forms of DoD IA compliance such as DITSCAP, DIACAP, and “DIARMF” (the DoD’s adoption of NIST’s Risk Management Framework) will recall that those regimes provided system-by-system, “point-in-time” (i.e., paper-based) assurances on the implementation of security controls. The DoD is now putting the emphasis on cybersecurity and information assurance where it has always needed to go - on federal contractors. Each of us is an important link in the federal supply chain and an accountable member of the federal government ecosystem.
While CMMC may seem daunting, its arrival serves as a perfect springboard for us to take stock of where we stand in managing our cyber risk. We need to begin embracing it as another corporate-sponsored element that must be effectively funded, implemented, and continually managed as a cost of doing business.
Start small, but start now. Take the first step by evaluating where you stand today in managing your cyber risk, and then build a roadmap to develop a cyber risk management capability that addresses any gaps. The good news is that, as members of this federal ecosystem, the resources and tools, collaboration with our peers, and access to subject matter expertise available to us are plentiful – no one needs to go CMMC alone.
Yes, CMMC represents a new level of compliance and certification that the DIB cannot ignore if it wants to do business with the DoD in the future. Yet this call to action serves as an ideal opportunity for the DIB to reinvigorate and bolster efforts to infuse cybersecurity awareness into our respective corporate cultures as a cost of doing business. In today’s digital world, implementing an effective cybersecurity and data protection capability is not only part of staying in business but also part of being a vital contributor and player in national security.