The Cybersecurity Maturity Model Certification (CMMC) program is in the home stretch. The final rule has been cleared by the Office of Information and Regulatory Affairs and is headed to Congress for imminent implementation. At the fourth annual CMMC CON, we brought together industry experts, government officials, and defense contractors to discuss the critical importance of cybersecurity in the defense industrial base (DIB) and what contractors can do to prepare for CMMC.
The conference addressed the challenges faced by small businesses in the DIB, which make up over 70% of the sector. Bailey Bickley, Chief of DIB Defense at NSA’s Cybersecurity Collaboration Center, noted the steep learning curve for many of these companies.
“What I’ve found is that cyber is still new for a lot of folks,” Bickley said. “They didn’t grow up in it. They are predominantly in manufacturing or a second- or third-tier supplier to the DOD, and so they’re really, really, really good at what they do, at making a widget or a component that goes into a weapons system, but cyber is brand new. There’s a lot of education that has to happen in terms of the threats those companies face and the steps they need to do to bolster their networks. It’s been an exciting year. We’ve seen enrollment in our programs skyrocket, but we have a long way to go to securing the defense industrial base at scale.”
At the event, CMMC CON unveiled Merrill Research’s annual report on the DIB’s cybersecurity posture, quantifying what Bickley shared anecdotally. According to the report, only 4% of defense contractors surveyed say they’re ready for CMMC, even though 75% claim to be compliant via a self-assessment. The average Supplier Performance Risk System (SPRS) score among respondents was a woeful -12, far from the 110 required by CMMC.
“You have to bring everything together relative to IT, security, and regulatory compliance. And you have to solve the whole problem,” said Eric Noonan, CEO and Co-Founder of CyberSheath, in a session about the report’s findings. “It’s 110 to solve the whole problem. It’s not 109. It’s not -12. It’s not anything other than that. Think about the problem holistically and how do I solve the whole problem.”
It’s a problem that lobbyists have been trying to avoid for years. They’ve claimed CMMC is too difficult or too expensive to implement, but that only kicks the can down the road. Implementing robust cybersecurity controls is a lot less expensive than the average cost of a data breach, which is nearly $4.9 million, according to IBM.
Keynote speaker Nicole Perlroth, cybersecurity journalist, author, and member of the CISA Cybersecurity Advisory Committee (CSAC), recounted her reporting of the U.S. Chamber of Commerce facing a cyberattack from China after lobbying against mandatory minimum cybersecurity standards.
“They thought they’d kicked everyone out and said six months later, a thermostat in one of their corporate apartments was all over the place, and they investigated, and it was still communicating with an IP address in China,” Perlroth said. “Then their printer in the office just occasionally would just start printing out random documents filled with Mandarin characters. That’s when they realized, like, ‘OK, we need to actually kick them out or they came back in.’ And so, to me, it was just this ridiculous freeze frame of the very people who are saying this is too hard to do and we shouldn’t do it are so badly hacked they can’t even figure out how to make sure their printer is not printing out these hackers’ Mandarin documents.”
The anecdote underscores the importance of contractors at every level of the DIB having the right security measures in place. Many don’t believe they have enough sensitive information that a nation-state would find interesting, but even a small vendor in a large supply chain is important.
“CUI (controlled unclassified information), when aggregated, can provide real intelligence and real actionable steps for foreign adversaries on how to re-create some of our innovative products and services that we provide to our war fighters, and the war fighters of our allies,” Amy Williams, Vice President of CMMC at Coalfire Federal, said in her session on how threat actors infiltrate networks.
Contractors across the DIB must prioritize their cybersecurity efforts to protect their ability to win future contracts with the Department of Defense and our national security interests.
Kelly Mullins, Vice President of Global Operations at Edge Case Research, shared her company’s experience in tackling CMMC compliance: “Whether it was compliance itself, security itself, or even IT and needed to supplement what we had in-house, I knew we couldn’t do it ourselves. It was just too big of an undertaking and the cost of putting together a big enough team to do what CyberSheath can do for us was just out of our scope completely from a budgetary perspective.”
As CMMC implementation approaches in early 2025, contractors need a trusted partner to navigate the complexities of compliance. CyberSheath offers the expertise and tools necessary to achieve and maintain CMMC compliance efficiently and cost-effectively. Learn more about how CyberSheath can help you prepare for CMMC and strengthen your cybersecurity posture. If you missed the event, watch the recordings of every session from CMMC CON 2024.