COVID-19 has added supply chain disruption to an industry already contending with debilitating data breaches that cause billions of dollars of damage. As organizations around the world move to the cloud, network perimeters continue to dissolve and more attack surface is exposed. Supply chains across every industry become more vulnerable to cybercriminals and nation-state hackers and, to continue the metaphor, more easily infected.
Commercial organizations have, on average, more than 1,000 vendors in their supplier ecosystem, and 82% of them have suffered a data breach in the past year. This alarming statistic is underscored by the fact that a third of organizations have no way to know if or when their supply chain has been breached, leaving them to deal with the consequences after the fact, when it is often too late to limit the damage.
The supply chain of the U.S. Department of Defense is a case in point. After decades of fragmented compliance oversight, a new standard for DoD cybersecurity is about to change the way America does business across the entire defense industrial base (DIB) of more than 300,000 contractors. Despite years of mandating security standards for its supply chain, the DoD estimates that over $600 billion a year in sensitive data is stolen by foreign adversaries from supplier information systems, and the pace has only accelerated in the last few months.
Incidents like the SolarWinds breach and the theft of data on the U.S. Navy's classified Sea Dragon missile project from a contractor's network by Chinese state-sponsored hackers show how financial damage compounds into a substantial risk to the U.S. military's technological advantage. That is why the DoD is about to release its own "vaccine" in the form of the Cybersecurity Maturity Model Certification (CMMC) program, which aims to make security a requirement, not an afterthought.
CMMC takes a different approach to supply chain cyber defense: organizations must demonstrate a minimum level of cyber maturity rather than simply attest that a set of requirements has been met. Unlike a compliance checklist, a maturity model evaluates whether the controls in place are institutionalized and operating effectively, and it provides a road map for improving performance over time. CMMC's goal is to unify cybersecurity standards across the vast, cloud-connected contractor network. It can serve as a blueprint for other industries and enterprises as they move further into a multi-cloud ecosystem of remote workers, dispersed operations, expanding attack surfaces, and increasingly vulnerable third parties and supply chains.
CMMC Sets a New Standard
The CMMC framework was created to address the ongoing theft of, and unauthorized access to, controlled unclassified information (CUI) by foreign adversaries by enforcing good cyber hygiene and best practices, building on the NIST SP 800-171 controls that DFARS already required of contractors handling CUI.
The framework establishes five levels of cyber maturity. The level to which a company must certify is determined by the sensitivity of the information it handles. All parties renewing or bidding on future defense contracts, along with their subcontractors and suppliers, will be affected by CMMC. The DoD announced the first contracts carrying CMMC requirements late last year; they will affect roughly 1,500 primes and subcontractors in 2021. In time, every DIB organization will need to certify at the CMMC maturity level specified in its governing contract.
As part of the CMMC program, a small set of accredited organizations, known as CMMC Third-Party Assessment Organizations (C3PAOs), will assess and certify the growing galaxy of interrelated vendors, suppliers, and contract partners. These C3PAOs are the new guardians of the "cybergalaxy," and their mission-critical role is to verify that organizations are capable of receiving, storing, and protecting sensitive defense information.
CMMC requirements are rigorous, and many DIB companies will find them challenging. The third-party assessment function exists to ensure that everyone reaches the required level of cybersecurity rather than self-reporting it. Organizations preparing for CMMC should therefore choose partners with relevant experience and capabilities as well as a detailed understanding of CMMC. After all, the operational resilience and superiority of the U.S. military are at stake. Operational resilience management (ORM) at this level, with an independent third party to standardize and verify compliance, addresses a national security imperative and should be considered for adoption by all industries.
For DIB companies, it’s about being able to continue to participate in government contracts. For commercial companies, it’s about maintaining customer trust and protecting everything from privacy and personally identifiable information (PII) to trade secrets and intellectual property. For everyone, it’s about the integrity of the global supply chain itself.
The CMMC program defines a new security mentality that embraces continuous compliance and moves away from the point-in-time, check-the-box patterns of the past. Compliance is now expected all the time, not just at assessment time, and it must be owned at the top of every organization, from the Pentagon to the boardroom.
"Cybersecurity is foundational," said Katie Arrington, CISO for the Office of the Under Secretary of Defense for Acquisition and Sustainment. "It cannot be traded off for cost, schedule, or performance. In an effort to help incorporate cybersecurity at the base of what contractors do every single day, the CMMC framework seeks to ingrain cybersecurity best practices into every interaction with sensitive data."
Her point is that, with today’s threat landscape, cybersecurity is now a process, not an event.
All industries and organizations, large and small, should take note of the processes shaping this new compliance framework, because customers will soon demand the same cyber maturity and assurance from all of their business partners and suppliers.
Bad actors only need to be right once. The guardians of the cybergalaxy, those defending sensitive data, customer relationships, and national security, need to be right every single time. The path to next-generation cybersecurity is now clear, and CMMC is the first step in the right direction.