The Department of Defense is ushering in a strict new set of guidelines to bring contractors into compliance to protect critical information from rival nation states and other bad actors. The new Cybersecurity Maturity Model Certification regulations, which go into effect Nov. 30, are designed to ensure the defense industry supply chain can shore up cybersecurity while competing for business.
Companies need to provide adequate security to protect information that travels through internal unclassified systems and also adhere to other rules.
The DOD has more than 300,000 contractors; however, the new rules impose more stringent requirements on companies that require a medium or high assessment. Organizations will be subject to stricter compliance standards depending on the sensitivity of the information they handle.
"The CMMC is one piece of a much bigger puzzle of how do we create a cyber-hardened supply chain for the enduring capabilities," Katie Arrington, CISO A&S at the Department of Defense, said during the Federal Publication Seminars virtual Cybersecurity Summit last week.
Engaging with prime or subcontractors is key to helping address concerns about whether the supply chain members and primary contractors can reach a level of comfort with each other that each side is prepared to meet the new requirements, according to several panelists.
"I think there's a lot of angst on both sides," Jeff Trinidad, head of supply chain risk mitigation at L3Harris, said. "Not only are small businesses questioning what do I need to do, but as a lead in aerospace and defense, my question is, is my supply chain ready?"
Given clear, concise information about the program's expectations and guidelines, prime contractors and smaller subcontractors will be able to meet the demands, Arrington said.
The CMMC requirements include five levels of control that rank contractors from basic cyber hygiene at Level 1 to advanced/progressive at Level 5. Companies at higher levels handle more sensitive information and must meet a more stringent set of requirements, which cover everything from access controls and incident response to personnel security and remote access.
Companies anticipating a contract award that includes DFARS Clause 252.204-7012 starting next month need to go into the Supplier Performance Risk System and complete a self-assessment of their implementation of National Institute of Standards and Technology Special Publication 800-171, Arrington said.
Companies need to understand that the most important thing is protecting the data, which requires a holistic approach to managing it, Michael Baker, CISO of General Dynamics Information Technology, said during the presentation. "Our number one mission here is to protect the data that we've been entrusted with across the board."
Baker wants to make sure his small business partners and the business ecosystem remain intact, allowing General Dynamics IT to bid with existing partners.
Subcontractors often are the target of foreign actors looking for an access point into the supply chain, according to officials on the panel. Attackers target lower-tier partner companies because those companies have access to the systems of prime contractors.
Companies have different levels of experience in making sure they comply with the regulations, and some are more prepared than others should they face an audit, Neal Beggan, principal of risk assurance & compliance at Cherry Bekaert, said.
"Despite the potential change in administration, despite an ongoing pandemic, this is coming," he said. "No longer can companies stick their heads in the sand, no longer can they think, hey I'm a little too small, nobody's ever going to bother me or come and audit me or really check in on me, that's really going away."
Asked why the DOD is making contractors go through a process like this, Arrington stressed that the various partners in the process have to be accountable to one another and work together to deter a common adversary.
"Because you're everything . . . right?" she asked. "I go to sleep at night knowing that there are good people like you that work together to protect our democracy."
"I don't care what administration takes over, I really know that the adversary doesn't want you around," Arrington said.