In recent times, the government has been promoting meaningful and potentially impactful regulation to drive private sector investment in cybersecurity across every part of the economy, including legislating incident reporting, information sharing, and mandatory minimum cybersecurity standards. Many of these issues have already been addressed by the public/private partnership of the Department of Defense (DOD) and the defense industrial base (DIB).
In a recent conversation at CMMC CON 2023 with Steve Shirley, Executive Director of the National Defense Information Sharing and Analysis Center (ND-ISAC), we discussed the history and importance of cybersecurity in the DIB. For decades, Steve has been a leader in efforts to protect DIB members, operations technologies, and partners from foreign adversaries and criminal threats.
The current landscape is a mixed picture
Ten years ago, Cybersecurity Maturity Model Certification (CMMC) did not exist. The DIB had a voluntary set of controls from NIST 800-53 that eventually evolved into DFARS 7012 and NIST 800-171. Given that the requirements have essentially stayed the same for the last eight years, we should already have a highly secured defense industrial base that shares threat information, broadly reports cybersecurity incidents within 72 hours, and more, because that is the law today.
The reality is a bit different. “The DOD mandated DFARS 7012 on December 31, 2017. Those 110 controls are borrowed from NIST Special Pub 800-171. The larger companies in the DIB are arguably leaders in industry in America today and in how they understand threats from nation states and other cybersecurity aggressors. As you move down the supply chains, it becomes a more challenging circumstance for smaller companies to understand the mandate and make a decision about it,” states Steve.
Smaller companies are concerned most immediately with pushing product to their customer (the prime), making payroll, and identifying and keeping skilled people. “Within the SMBs, some leaders acknowledge that while it might not be convenient, they have to find a way to become compliant if they want to remain defense contractors,” continues Steve. “But there are companies that do not realize that to be a contractor to the DOD, they’re going to have to step up and meet the requirements of CMMC that apply to them and prepare to undergo the assessment process.”
How to move the DIB toward cybersecurity
Most reasonable folks in industry see an important role for thoughtful, well-modulated regulation. However, sorting through the proliferation of different, overlapping cybersecurity requirements has become a taxing exercise for companies.
“It would be an enormous boon to industry if the federal government would create the Rosetta Stone of requirements to show how the various mandates compare to each other,” shares Steve. “That would save a huge amount of effort and cost within industry. All that attention of trying to navigate the requirements could be more usefully plowed into focusing on the cybersecurity implementation issues or trying to identify anomalies that may present within a network infrastructure.”
Indeed, a great deal of energy is being spent studying the problem instead of moving forward with a solution. Organizations should recognize that implementing the NIST 800-171 controls makes an entity and its data more secure.
Where SMBs should start
When you look past the major prime contractors, cybersecurity budgets become quite lean. Every company doing business or considering doing business with the DOD needs to become familiar with CMMC as it’s currently proposed.
“A small business owner or CEO of a mid-size company can undertake this process on their own, but as with any complicated project it is nice to have battle partners whom you can trust to only suggest actions and solutions that are good for your company,” says Steve. “That’s one of the values of the ISAC. Companies are among peers who are going through the same thing and they get the collective benefit of that knowledge base. Participating companies can learn how to make and allocate those scarce dollars with more precision than they would otherwise be able to do.”
The absolute precursor to any success in cybersecurity starts with the company’s leadership. “Whether you’re running a lemonade stand or a Fortune 500 company, the chief executive of the organization sets the tone in terms of saying this is ‘important to us’,” Steve states.
While it is true that companies that have access to more resources have a far greater range of options, smaller companies with a CEO or owner who prioritizes cybersecurity by allocating time and budget to the effort of complying with CMMC will come out ahead as well.
Cybersecurity is critical as the threat is real
Our nation’s advantages and differentiators have eroded dramatically. “If a nation-state actor pirates your key intellectual property that you spent time and dollars developing, and they operationalize it within a dirt cheap production infrastructure and ship it back to the United States and put it on a shelf for five bucks a unit cheaper, you’re out of business. But the right person, the right team, the right ideas can always make a difference,” concludes Steve.
If you have any questions about how to move your organization forward toward the goals of meeting the requirements of CMMC, contact the experts at CyberSheath. We’re here to help.