Cybersecurity compliance checks loom for CISOs in the defense sector
The Department of Defense (DoD) is set to implement a new cybersecurity guideline called the Cybersecurity Maturity Model Certification (CMMC), with the regulations going into effect on Nov. 30, 2020. This move aims to bolster the cybersecurity of the defense industry supply chain.
Neal Beggan, principal of risk assurance & compliance at Cherry Bekaert, has stated that despite potential changes in administration or ongoing pandemics, the implementation of the CMMC is imminent. Companies can no longer ignore it. The CMMC assesses everything from access controls and incident response to personnel security and how remote access is measured.
The CMMC is designed to ensure the defense industry enhances its cybersecurity while competing for business. Companies will be subject to stricter compliance standards depending on the sensitivity of the information they handle: those at higher levels, which handle more sensitive information, will have to meet a more stringent set of requirements.
Lockheed Martin says it prioritizes protecting the data entrusted to it across the board, including by its small business partners and the wider business ecosystem. The DoD has more than 300,000 contractors, and the new implementation calls for more stringent requirements for companies that require a medium or high assessment.
Arrington, from the Department of Defense, highlights the need for accountability among partners to deter a common adversary. He stated that the adversary does not want these partners around. This underscores the importance of protecting data, requiring a holistic approach to managing it.
Some companies have more experience and are better prepared for compliance audits compared to others. However, there is reportedly a lot of angst among prime contractors and smaller subcontractors about meeting the demands of the CMMC program.
Subcontractors are often targeted by foreign actors seeking access points into the supply chain, particularly lower-level partner companies, because of their access to prime contractors' systems. Companies anticipating an award starting next month under DFARS Clause 252.204-7012 are required to perform a self-assessment of their implementation of National Institute of Standards and Technology Special Publication 800-171 and record it in the Supplier Performance Risk System.
The organizations subject to the stricter clearance criteria of the CMMC under the Department of Defense (DoD) are Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI). They are required to implement enhanced cybersecurity measures to protect sensitive defense information and to comply with tiered maturity levels of cybersecurity practices. The CMMC defines five levels of control that rank contractors from basic cyber hygiene at Level 1 to advanced/progressive at Level 5.
The CMMC aims to safeguard democracy by ensuring the various partners in the defense industry supply chain are accountable to one another and can withstand cyber attacks, maintaining the integrity of the defense industry supply chain.