Everything you need to know about the Cybersecurity Maturity Model Certification (CMMC)

In June, Reuters published an article indicating that cyber spies used LinkedIn to hack European defense firms. The hackers, who posed as U.S. Defense Industrial Base (DIB) recruiters from General Dynamics and Collins Aerospace, sent private messages over the platform containing malicious links. Once the victims clicked on the links, their systems were infected with malicious code, giving hackers access to sensitive information of the defense companies. While this may seem alarming, it is not a new concept in the world of hacking.

The CMMC and Its Effects on Small to Medium Businesses (SMBs)

The cyber challenges facing small and mid-size DIB businesses are similar to those that non-DIB small companies suffer from. In addition to these threats, U.S. DIB companies face advanced persistent threats (APTs) and nation-state actors. These attackers are focused on accessing and stealing the intellectual property (IP) and secrets of government and defense contractors, using stealthy and significantly more sophisticated attacks launched from both inside and outside the organization.

To proactively prevent attacks, the U.S. Government is currently in the process of implementing and enforcing the new Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) standard. The new CMMC comes into full force in September 2020, meaning all DIB companies that want to work with the government will be required to respond, whether they are currently compliant or not.

Other reasons for the CMMC standard include years of supply chain management risk within DoD, dating back to the 1990s. While major prime contractors have accepted responsibility for this threat and adjusted their risk modeling to address supply chain management challenges, very little currently supports the subcontracting entities within the DIB, who remain high risk and vulnerable to nation-state cyber threats. This was never more apparent than when the National Defense Industrial Association (NDIA) ran a survey in 2018 and found that fewer than 60 percent of small and medium-sized defense contractors had actually read the DFAR mandate (Clause 7012) that identifies the minimum security standards necessary for subcontractors to continue working with DoD. Even fewer fully understood the DFAR regulation. Many saw the DFAR as just another ‘check the box’ list to win government business.

With CMMC, the ‘check the box’ approach will no longer suffice. All businesses with contractual involvement with DoD, either directly as a prime or indirectly through a prime, will need to meet some level of the standard as directed in future Requests for Proposals (RFPs) issued by Department of Defense program offices. This may be costly for SMBs: anywhere from $10,000 upward just to get ready for a pre-assessment, before a third-party assessor gets involved.

How Does This Affect You as a Defense Contractor?

What does this mean for the 300,000 organizations that have identified as being a part of the DIB?

It means more security planning and implementing controls to assess and manage risk, protect systems, and maintain information integrity.

Usually, for this level of protection, companies will look to hire subject matter experts, buy a SIEM or an expensive network appliance, and try to keep up with the resulting alert fatigue. What generally happens is that the IT managers and specialists also become the security experts. While this is a standard model for small businesses, it leaves a large part of the network, critical systems, and infrastructure exposed to more sophisticated attacks that IT generalists aren’t familiar with detecting and remediating.

How Can Digital Lantern Help?

Partnering with Digital Lantern Federal and our Advanced Next-Generation Automated Security Operations Center, Cyber Lantern, will give your team access to experts who become your full-time Security Operations Center (SOC). Cyber Lantern works with your IT operations to seamlessly become your 24×7 continuous monitoring and risk scoring partner, protecting your infrastructure, assets, and IP while also giving you a tool that will help raise your CMMC compliance level.

We truly believe our national security is in the hands of the DIBNET community, and our mission drives us to protect those who can’t afford the best enterprise-level protection but will need that level of support to enhance national security. Therefore, Cyber Lantern starts by protecting some of the most valuable assets our nation’s security relies on: securing the DIB at the SMB level, which provides some of the most critical elements within the DIB supply chain. Cyber Lantern does this by providing Enterprise+ protection for a cost that won’t even blip on your monthly profit and loss report.

For more information on the CMMC and how to get started on your certification journey, read our CMMC FAQ, or contact us and get your free 30-minute assessment today.