DoD Contractors Must Prepare for New Security Requirements

Our last post discussed the growing risk of supply chain cyberattacks that allow malicious actors to compromise hundreds or even thousands of organizations through a single attack on one supplier. The indirect path of such attacks means that even organizations with very strong defenses can be vulnerable.

It’s not only a private-sector problem. As government agencies have become increasingly reliant upon third-party suppliers, they’ve become prime targets for supply chain attacks. About a dozen government agencies were among those victimized in last year’s SolarWinds hack.

Supply chain security concerns prompted the Department of Defense (DoD) to issue a significant update to the Defense Federal Acquisition Regulation Supplement (DFARS), which spells out cybersecurity requirements for contractors and subcontractors. The amendment will require companies to achieve a Cybersecurity Maturity Model Certification (CMMC) to qualify for DoD contract awards.

CMMC Basics

The CMMC is meant to ensure that contractors and subcontractors have the security controls necessary to protect sensitive government information residing on their information systems. It is based on a collection of best practices from existing National Institute of Standards and Technology (NIST) guidelines, Federal Acquisition Regulations (FAR) and DFARS.

Although the DoD is already issuing some RFPs with CMMC requirements, it will take time to fully implement the standard. It is anticipated that CMMC certification will be a requirement for all DoD contract bids by 2026. The DoD will not modify existing contracts to include CMMC requirements.

Before the amendment, DFARS already had stringent contractor requirements covering data access, security training, audit controls, hardware and software configurations, physical security of the workplace, and much more. However, contractors only had to self-attest that they were in compliance. Under CMMC, contractors’ security measures will have to be verified and certified by a third-party auditor.

How Verteks Can Help

CMMC builds on DFARS requirements by establishing 171 controls and processes across five distinct maturity levels. However, many DoD contractors say they are struggling to understand the different levels, controls and changes.

Verteks is helping contractors cut through the confusion with our CMMC compliance consulting service. We offer guidance designed to help you prepare for a compliance audit and attain certification. Here are some of the ways we can help you fulfill CMMC requirements:

  • Determine your required security level. We can help you identify which maturity level you need to attain. For example, all providers must be at least Level 1 compliant, but those who handle controlled unclassified information (CUI) such as personally identifiable information, military equipment specs or configuration documentation for government networks must meet Level 3 requirements.
  • Risk assessments. Our certified cybersecurity consultants will perform an assessment to review your progress toward compliance and identify any areas of deficiency. As part of the assessment process, we will conduct vulnerability scanning and penetration testing and report our findings.
  • Security planning. We can help you document your security policies and controls. If there are any deficiencies, we can provide a plan of action with benchmarks and milestones for attaining compliance.
  • Incident management. In the event of a security incident, the DoD requires contractors to file an incident report within 72 hours. We can help you prepare for that possibility by crafting a comprehensive incident management plan. We can also help you test the plan regularly.
  • Compliance monitoring. Because the threat landscape is constantly evolving, security standards and requirements can change frequently. We can provide ongoing monitoring to ensure continued compliance.

At first glance, CMMC requirements might seem overly complex. In truth, companies that have previously worked with the DoD probably have most of the necessary controls in place already. Working with Verteks can help ensure you’re not missing any new requirements that could create a compliance gap. Give us a call to learn more.