The CMMC clock is ticking for the defense industrial base

Carraig Stanwyck, vice president and head of global cybersecurity and compliance at Avnet, explains why preparation for CMMC should start now.

While the Defense Department’s Cybersecurity Maturity Model Certification initiative is often viewed by entities as a compliance initiative for the defense industrial base (DIB), it is fundamentally a framework to better protect the government’s sensitive defense information from unauthorized disclosure.

In today’s world, cybercriminals seeking a substantial payoff will often start by launching a third-party attack. When targeting a well-fortified organization, such as a DoD entity, hackers may leverage an indirect approach by infiltrating less secure links in the DoD supply chain. By exploiting security weaknesses of less protected suppliers to gain unauthorized access, attackers not only access sensitive data within the supplier’s systems, but can also worm their way through interconnected systems and networks to compromise other high value targets across the DIB. This ultimately maximizes the potential impact and profit to serve their motives.

We have already seen several government agencies face breaches of commercial products, and these are getting more frequent and complex every day. Globally, at least 29% of breaches have third-party attack vectors, according to SecurityScorecard, and 75% of third-party breaches target software and technology supply chains.

Necessary but lengthy work

Given the importance of securing the defense supply chain, the clock is ticking on the DoD’s soon-to-be-finalized requirement that all suppliers in the DIB, estimated to be over 220,000 entities, successfully initiate and complete their CMMC self-assessments and certifications.

CMMC aims to protect controlled unclassified information (CUI) and federal contract information shared within the defense supply chain. When finalized, the rules will immediately launch a series of phases mandating the sourcing of goods and services only from suppliers who have been certified across one of the three CMMC certification levels.

During the initial phase, the DoD intends to include CMMC Level 1 or CMMC Level 2 self-assessments for contractors servicing awards that do not involve information critical to national security.

Six months later, the program will then include CMMC Level 2 certification assessment for all applicable contract awards, with CMMC Level 3 requirements incorporated in the subsequent two years. Those entities requiring a CMMC Level 2 or Level 3 certification — to implement contracts involving information critical to national security — will require an onsite assessment by an authorized assessment organization.

While CMMC certification demands considerable effort from a vendor, it is based on the NIST SP 800-171 Rev. 2  standard, which sets out a multitude of requirements for IT access control, training, auditing, configuration, identification/authentication, incident response, physical protection, information integrity and more. All security measures need to be assessed, attested to and thoroughly documented.

In Avnet’s case, based on the complexity of our processes and systems, our staff and external resources spent more than two years evaluating, creating, modifying and documenting best practices in our organization’s information security to prepare for a successful Joint Surveillance Voluntary Assessment (JSVA) that secured our provisional CMMC Level 2 certification. Similar initiatives will need to be undertaken by over 76,000 entities seeking their CMMC Level 2 certification.

Because the CMMC rules are not yet final, many DIB entities have slow-walked their efforts. We are told that fewer than 1% completed the required work to obtain provisional certification. Provisional certification is expected to become official certification when the proposed regulations are finalized by the DoD, anticipated in early 2025. If at that time the phased implementation of CMMC 2.0 kicks off — with CMMC expected to be implemented in all DoD contractor and subcontractor contracts by 2028 — we can expect a barrage of activity for the tens of thousands of suppliers within the DIB.

What CMMC certification shows

When a contractor or subcontractor in the DIB secures CMMC certification, it signals an understanding that supply chain security is only as strong as its weakest link. It also demonstrates to the DoD that vendors have done their part to secure their supply chains.

At a time when our nation’s cybersecurity is paramount, and cyberattacks will become increasingly potent, it has never been more important for DoD contractors to accelerate efforts to secure their provisional certifications.

For many suppliers, the journey to fully prepare for a CMMC assessment may take one to two years.

For those contractors who haven’t yet begun, now is the time to identify which CMMC Level (1, 2 or 3) is appropriate for their business to stay compliant with their contract awards.

With that determination, contractors should identify the CUI to be protected and the technical environment they plan to use. If it’s an existing environment, they should conduct a self-assessment of the CMMC practices for their respective level. If it will be a new environment, they should use the CMMC practices as a guide to selecting/designing their CUI landscape, making use of the available CMMC Assessment Guides as well as NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information (CUI), to identify and close gaps to complete their readiness.

If a contractor has started CMMC work, keep pushing. If they haven’t, get started now. To do business in defense and aerospace we all need to be secure, not only for our bottom line but for our customers and country.

Carraig Stanwyck is vice president and  head of global cybersecurity and compliance at Avnet. With more than two decades in military intelligence and cybersecurity program design, Stanwyck began his career as a human intelligence operator in the Army.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories