The original CMMC program was missing one key component — Here’s how the newly proposed rule should fix that

The proposed CMMC changes show the industry that the DoD is taking security, and this shared burden, seriously.

The Cybersecurity Maturity Model Certification (CMMC) program, an information security standard for DoD contractors and subcontractors, has aimed to make the Defense Industrial Base (DIB) more resilient to a cyberattack, but as the adversarial threats in cyberspace evolve, so too should the underpinning regulatory framework.

I spent more than two decades holding numerous roles in the U.S. government, including helping to write the initial implementation of the CMMC framework. Now after seeing those rules in place, plus working on the other side of the fence helping enterprises scan for externally visible third-party cyber vulnerabilities, I see that the original CMMC framework did not go far enough when it came to validating the appropriate cyber defenses were in place, especially those deep in a contractor’s supply chain. The reliance on self-assessments allowed for critical gaps in compliance.

To fully understand the changes and their expected impacts, it’s important to first understand the threats that drove them into existence.

Over the past decade, cyber threat actors have increasingly turned to third-party and supply chain ecosystems to reach high-value targets. Alarmingly, recent research shows a 26% increase in reported negative impacts from supply chain cyber breaches, disrupting operations, and highlights the growing threat. Even more alarmingly, the U.S. government is no exception. In fact, U.S. critical infrastructure and the DIB are key target networks for both nation-state actors, as well as independent hackers or hacking groups.

Despite the severity of these threats, systemic issues of non-compliance with CMMC remain, largely due to organizations self-assessing. According to a recent OIG report, in many cases, proper security requirements were not in place, which left entire ecosystems completely vulnerable. The cost of this kind of oversight is extremely high as compromises related to the organizations could deliver a negative effect on national security.

Translation: We’re ripe for improvement.

While DIB members have long been anticipating “CMMC 2.0,” compliance with related regulations, mainly DFARS 252.204-7012 (DFARS 7012), has been mandatory since 2017. DFARS 7012 aligns with the existing accepted regulatory framework, the National Institute of Standards and Technology’s 800-171 Rev 2, a requirement also mirrored by CMMC Level 2. However, the recently proposed CMMC rule change introduces third-party assessments, differing from DFARS 7012’s self-attestation and unverified self-reported scores.

Even more encouraging, the proposed rule specifies the type of required CMMC assessment at every tier of a defense supply chain. While there had previously been some ambiguity around how these requirements would “flow down” from a prime contractor to their subcontractors, the new CMMC model has established clear accountability mechanisms for upstream and downstream supply chain cyber risk.

That said, any regulatory framework can only go so far. The path to cyber resilience is ultimately a shared burden between the Defense Department and its suppliers. Many of the critical vulnerabilities susceptible to attack are often hiding in plain sight; ensuring direct and swift communication between DoD and DIB security teams is often the hardest, but most important, operational hurdle to overcome.

The proposed CMMC changes show the industry that the DoD is taking security, and this shared burden, seriously. There is a long road ahead, but with it comes meaningful improvement that will effectively reduce cybersecurity risk and increase industrial base resilience in the long term. Once the final CMMC rule is in effect, these changes will go a long way to make the DIB more secure.

Lorri Janssen-Anessi is director of external assessments at BlueVoyant.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories