Each new headline about a supply-chain attack has far-reaching consequences, especially when you consider the constant threat of a nation-state attack. Department of Defense (DOD) contractors are being targeted, which raises the stakes of cybersecurity for the Defense Industrial Base (DIB) ahead of Cybersecurity Maturity Model Certification (CMMC) 2.0.
As we heard from investigative journalist Brian Krebs at CMMC CON 2022, the supply chain risk is one that many contractors may not actively consider up front.
“Each time a company has a ransomware or data ransom incident, pretty much every result is the same: The victim unplugs the entire network and so all their customers’ systems go off-line and all their partner networks suddenly are unreachable,” Krebs said. “All kinds of companies that never thought of themselves as part of anyone’s supply chain pretty quickly find out how many organizations they rely on and how many rely upon them.”
The urgency in the DIB goes beyond the operational considerations for supply chains. Federal contractors hold sensitive data that adversaries are looking for, which is why the CMMC program exists in the first place. Even with 2.0 looming, the crux of CMMC isn’t changing: it’s based on NIST 800-171. Many companies have found that standard hard to implement, and hard to understand why it matters so much.
Robert Beuerlein, Principal Consultant of Aerospace & Defense at Frost & Sullivan, put it this way at CMMC CON 2022 when talking about CEOs in the DIB: “(I want them to) take a look at the value they place on their product in relation to the data that they are holding and processing and using and generating in the performance of their duties and obligations. I would argue that that data is more valuable, potentially, than the product that they’re providing.”
The Department of Justice (DoJ) highlighted the importance of reporting on that data with the Civil Cyber-Fraud Initiative last October. It has already leveraged the False Claims Act to ensure companies are being truthful in their compliance reporting. In early July, Aerojet Rocketdyne agreed to pay $9 million to resolve the first case under the initiative’s purview.
Attorney Greg Thyberg, who represented former Aerojet Chief Information Security Officer (CISO) Brian Markus, discussed the case at CMMC CON 2022 with CyberSheath vice president of security services Carl Herberger.
Still, federal contractors can be intimidated by the complexity of what’s coming in CMMC 2.0. A pre-decisional CMMC Assessment Process (CAP) was recently published by the Cyber AB, but the organization is considering whether it “can be pared down (to) make it more efficient.”
“I think a lot of it is kind of a mindset,” Cyber AB chairman Jeff Dalton said at CMMC CON 2022. “It’s like, (contractors) have projects and then there’s this other thing that we’re doing over here. It’s really just like any other and you can map it out and you can see the light at the end of the tunnel pretty easily when you do that. You’ll have success with it if you do it that way, probably.”
The tools are available for the DIB to secure itself, if not for the pending regulation, then for the national security implications. Maryam Rahmani, Global Black Belt for the Microsoft 365 Government Cloud and CMMC at Microsoft, returned to CMMC CON to lay out, for registered attendees, Microsoft’s portfolio and how it can be implemented.
If you missed out on CMMC CON 2022, watch the recordings on CyberSheath’s YouTube channel.