Insight by KPMG

Rules and standards are multiplying for cyber contractors, but the threats without them are real

With a constant barrage of cyber attacks hitting the government and industry, federal contractors need to stay dynamic and fluid in the way they approach the cyber world and how they interact with federal agencies.

There are an increasing number of hoops contractors working in cyber need to jump through to partner with the government, but Tony Hubbard, government cybersecurity lead at KPMG, says that is the reality of the world today.

“There is the NIST Cybersecurity Framework, the risk management framework and now you’re going to have the Cybersecurity Maturity Model Certification (CMMC) effort,” Hubbard said during a Federal Insights: Cyber interview sponsored by KPMG. “It is difficult as a federal contractor to make sure you are checking all those boxes and having controls in place to satisfy that.”

Of course, those rules are in place for good reason – to protect important government data and functions. So contractors must adapt.

While the NIST standards have been in place long enough for some contractors to get used to them, CMMC will be a new ballgame.

CMMC makes the NIST standards more stringent, and the Defense Department plans to release the first version in January 2020.

The framework assesses the cybersecurity posture from a supply chain standpoint and ensures every company that wants to work with DoD, not just the defense industrial base, has proper cyber hygiene.

Hubbard said the supply chain issue is complex, but hygiene is paramount.

“There’s so many moving parts and so many vendors in programs,” Hubbard said. “I heard recently that the F-35 has over 1,000 vendors involved. How do you manage the security and risk around that? There’s no silver bullet or an easy answer, but a lot of it gets back to some of these basic hygiene topics. If you look at some of the major breaches that have occurred over the last several years, a lot of them have been supply chain, third-party vendor type of issues.”

Keeping in line with all the standards and ones to come may seem daunting, but Hubbard says it’s not as frightening as it may seem.

“There are so many areas in cybersecurity that can be automated whether you’re looking at things such as audit trail review, account management, threat management, threat intelligence analysis and management,” Hubbard said. “A lot of those processes are very manual right now and require a lot of research by analysts, but they can be automated and I’m excited about that opportunity to automate these processes.”

No one is perfect and even the military will admit there will be cyber attacks that make it into networks.

Hubbard said what’s most important is being able to detect those attacks as fast as possible and to limit areas where hackers can attack.

“If somebody wants us bad enough they’re going to get us in some kind of way,” Hubbard said. “So now the discussion isn’t so much about preventing the breach, but now the conversation turns to how do we manage the risk around that? How do we make sure from a technology architecture perspective we’ve segmented our crown jewels, our highest priority data elements into a place where they are harder to get?”

Copyright © 2019 Federal News Network. All rights reserved.