America’s defense industrial base has always been a target for nation-states. As great power competition heats up, America is preparing to defend against an increase in state-sponsored cyberattacks targeting its defense industry.
Massive defense contractors like Lockheed, Boeing, and Raytheon have strong cyber defenses. Attackers are aware of this and choose to attack the supply chain instead. Roughly 24%, or about $72 billion worth, of DoD contracts go to small defense contractors, and many of them have limited cyber defenses. Most of them handle "controlled unclassified information" (CUI) and "federal contract information" (FCI), both lucrative targets for America's adversaries.
The DoD tried to improve the cybersecurity posture of its defense industrial base by mandating the implementation of the NIST SP 800-171 set of security controls. Contractors self-attested to implementing these controls; nobody audited them. Many companies failed to implement the controls, and the requirement did not cover the entire industrial base. Things are changing with the DoD's new approach.
The Department of Defense’s Solution
The U.S. Department of Defense released the new Cybersecurity Maturity Model Certification (CMMC) program to help protect the defense industrial base from cyber threats. The CMMC program comes with a new cybersecurity framework built on older frameworks such as NIST SP 800-171 and 800-171B as well as several international frameworks. The certification has five levels: Level 1, the lowest, mandates basic cyber hygiene, and Level 5, the highest, requires advanced cyber capabilities. Unlike the earlier self-attestation model, CMMC requires a third-party assessment before a contractor is certified.
Implementing cybersecurity controls at the roughly 300,000 companies making up the defense industrial base and having each of them undergo a third-party assessment is no easy task. In coordination with the newly created CMMC Accreditation Board, an army of roughly ten thousand assessors will be trained and certified to assess defense contractors. The DoD would like to have all 300,000 companies making up the defense industrial base CMMC certified within the next five years. The DoD also says that it will make the cost of CMMC certification an "allowable cost" to alleviate this new financial burden.
Will CMMC Succeed?
I am optimistic that it will. Most companies will only need to meet Level 1 CMMC requirements, which are not terribly difficult to implement. Level 2 requirements are more difficult but shouldn't be very costly. Due to COVID-19, we have seen a delay in CMMC, and there will likely be bumps in the road to a more secure defense industrial base. The DoD is adamant about getting this done, and contractors will need to comply if they wish to continue working with the DoD. In the future, America's defense industrial base will be more secure, resulting in a reduction of stolen R&D and other sensitive information.