Ever-changing technological advances have led to an unprecedented number of data breaches and, in case you haven’t been paying attention to recent trends, it’s only going to get worse. Statistics from the past decade indicate a clear increase in data breaches [1, 2, 3], most of which stem from a combination of poorly trained personnel [4] and poorly implemented security controls [5], with the former more often than not eclipsing the latter. Technological advancements and cybersecurity threats are unfortunately moving at a pace that forces organizations into a state of never-ending cybersecurity catch-up.
In response to the increased cyber threats and data breaches witnessed throughout the first half of the past decade, in October 2016 the U.S. Department of Defense published new contractual requirements centered on cybersecurity, which rapidly became the norm for defense contractors doing business with the U.S. Government. The specific contractual requirements are listed in the Defense Federal Acquisition Regulation Supplement [6] (DFARS) clause 252.204-7012 [7], which, among many other things, leaves proof of compliance to the organization itself through a combination of self-assessment and get-well plans. However, the self-assessment portion, I believe, has been a major flaw and hindrance in the otherwise noble implementation that the DFARS clause originally intended. It is my opinion and genuine concern that, while defense contractors claim success in implementing and assessing their own security postures, they are being put in a position where the accuracy of said assessment can easily be under- or overrepresented for various reasons, including little or no verification enforcement, therefore leaving a crucial gap in the overall compliance process. Put in other words, would you let a fox guard your henhouse?
We welcome the new year 2020 with a new construct that will change the defense industry for years to come: the Cybersecurity Maturity Model Certification [5] (CMMC), a process in which certified independent third-party organizations conduct cybersecurity control audits, gather and report insight in the context of risk, and issue cumulative certification levels ranging from 1 (lowest) to 5 (highest) to defense contractors based on cybersecurity hygiene, audit results, and comprehensive risk assessments. This new mandate from the Office of the Under Secretary of Defense for Acquisition & Sustainment is meant to introduce a new defensive layer by ensuring that defense contractor organizations are held further accountable when claiming security control compliance. No longer will the fox be guarding the henhouse; rather, a group of approved and certified cyber watchdogs, the authorized CMMC assessors, will provide organizations with verification of compliance with security requirements, including those derived from DFARS 252.204-7012 and NIST SP 800-171 [8, 9], among other industry standards. The CMMC process presents defense contractors with interesting challenges and important opportunities: it closes the long-standing gap in past processes by means of third-party verification and auditing, while inevitably increasing the overall cost of doing business to ensure regulatory compliance. Fortunately, since a CMMC level is going to be required for new defense contracts, the process also presents those who have achieved, or are working towards, a CMMC level with an advantageous opportunity to dramatically boost their reputation and credibility, which will inevitably lead to an increase in their marketability and value.
In conclusion, moving forward, leadership teams should take a moment or two to update their short- and long-term goals accordingly, if not done already, to focus not only on demonstrating compliance but also on hiring the right (not just sufficient) cybersecurity-minded talent, increasing the training budget to at least account for these new changes, and considering organizational restructuring by adding or growing a dedicated department that can work closely with CMMC auditors and communicate with executives regarding the business impacts of achieving certification goals. As with most major process changes, it’s not going to be easy getting there and it will take time for the dust to settle, but as the saying goes (paraphrasing): every long journey starts with a single step. Let’s continue to welcome this new year and this new direction by proactively being at the forefront of this new movement, knowing that in doing so we are further protecting our information systems and data.
References:
[1] https://www.marketwatch.com/story/how-the-number-of-data-breaches-is-soaring-in-one-chart-2018-02-26
[5] https://www.acq.osd.mil/cmmc/
[6] https://www.federalregister.gov/defense-federal-acquisition-regulation-supplement-dfars-
[7] https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
[8] https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
[9] https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final