In January, the Defense Department released version 1.0 of its 390-page Cybersecurity Maturity Model Certification (CMMC), which will require all DoD contractors later this year to demonstrate “at least a basic level of cybersecurity standards” when responding to requests for proposals (RFPs). The DoD will release 10 RFPs requiring CMMC certification upon contract award by the end of the year, and by 2026 all DoD contracts will reportedly contain these requirements. The current coronavirus pandemic only highlights the need for government to move with speed and purpose on implementing these changes.
Government agencies know their technology supply chain purchases are vulnerable to infiltration and exploitation, but many agencies haven’t applied the rigor needed to buy computers, printers and software with the threats those products could pose in mind. Every government buyer, like every consumer, tends to carry personal purchasing habits into the job. At the same time, buyers are under intense pressure to hold down costs and stay within budget. So many of them default to a “lowest priced, technically acceptable” model, which favors products that are good enough over those offering great quality. The CMMC is an important step toward enabling a more secure government.
Accounting for human nature in security practices
The new guidelines don’t just have implications for hardware. IT organizations must also be increasingly wary of the software they allow government employees to use on the job. More than ever, employees are using their own smartphones and other devices for work and using mainstream apps from their personal lives on their work devices. The “gotcha!” is that some of this software carries the same level of risk the DoD has previously warned about. In fact, the Navy and Army have banned personnel from using TikTok on government-issued phones.
With federal, state and local governments under constant attack from nation-state and entrepreneurial hackers, every agency must closely vet where its products come from, and even spend a little more, to ensure it has the most secure technology money can buy and that employees are educated on best practices to avoid human error.
Thinking broadly to interagency and third-party partnerships
Contractors that haven’t already made a point of complying with earlier guidance, such as that from the National Institute of Standards and Technology (NIST), which informed the CMMC, will quickly find themselves behind those that have taken these principles seriously. They will also likely start to lose opportunities with the DoD, which must constantly weigh the potential impact on national security and military preparedness with every technology purchase it makes.
More to the point, however, vendors should also expect that CMMC could set the standard by which other agencies start to operate. We’ve seen this happen with other types of regulations. The European Union’s General Data Protection Regulation (GDPR), which sets rules for how private data is used by companies doing business in the EU, arguably helped pave the way for similar rules around the world, such as the California Consumer Privacy Act, which took effect in January.
Charting a new course for security norms
The key thing both government agencies and their contractors need to keep in mind is that the old ways of acquiring technology are all but gone. Supply chain attacks against private sector organizations nearly doubled in 2018, according to a Symantec report, and more than half of companies reportedly suffered a breach that year caused by one of their vendors.
Many of these organizations conduct business with government agencies, and they anticipate these attacks will keep coming because of it. In fact, before Covid-19 began to worsen, nearly 75% of IT leaders surveyed by Crowdstrike said they viewed nation-state sponsored attacks as their single biggest potential threat this year. More than half (56%) said their close ties to U.S. government agencies could motivate such attacks. It’s a valid point: government agencies are extremely susceptible to these attacks, especially when they default to the “lowest priced, technically acceptable” policy instead of prioritizing supply chain vendor partnerships that ensure secure hardware and software.
With CMMC guiding government agencies and contractors alike, this will be a year of significant change in procurement procedures. Buyers will have to understand how requirements are evolving, pay close attention to the endpoint devices and software they allow into their enterprises, and take meaningful action to maximize their security postures against rising threats from home and abroad.
In this digital age, where nearly everyone and everything is online and connected—and, therefore, perpetually vulnerable—nothing short of maximum diligence to good cybersecurity practices will suffice.
Todd Gustafson is president and head of US Public Sector at HP Federal.