Defense Supply Chain and CMMC
Details
In March 2019 industry experts briefed Congress on the two chief issues of consequence regarding federal supply chain cyber security: poor awareness of federal cybersecurity contracting standards, and contractors lacking visibility into their own supply chains. Congress was already well informed of these concerns, although that didn't stop experts from testifying once again on the seriousness of the matter. Something had to be done. The nation's economic, proprietary, and national security secrets are at risk. The theft of such data by nation-state hackers is widespread and well documented, and it continues to occur on a frightening, unprecedented level.
In July 2018 the National Defense Industrial Association published a survey examining how the supply chain within the Department of Defense (DoD) has responded to a Defense Federal Acquisition Regulation Supplement (DFARS) requirement, which provides the minimum security standards for contractor information systems. The results were staggering: less than 60% of respondents never read the DFARS, while another 45% stated that they had never read the National Institute of Standards and Technology (NIST) guidelines. Half of all respondents overall said the DFARS was too complex to understand. The research results were clear: many small and mid-sized contractors lack cybersecurity awareness and likely view the requirements as just another factor in winning a government contract.
Enter the Cybersecurity Maturity Model Certification (CMMC). The primary goal of the CMMC is to protect the DoD supply chain by addressing the existing shortcomings within the defense industrial base. To achieve this goal, the CMMC model must continuously evolve while also adapting to the evolving threat landscape.
The initial framework is scheduled to go public in January 2020. By June 2020, its requirements will start appearing in RFIs (requests for information). By September 2020 the DoD hopes to have CMMC fully implemented, which means defense contractors will have less than a year to become compliant. Will they be ready?