The Pentagon has finalized the long-anticipated cybersecurity standards contractors will have to follow before winning contracts from the Department of Defense (DoD), a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0, according to Fifth Domain.
The model is a tiered cybersecurity framework that grades companies on a scale of one to five based on the level of classification and security that is necessary for the work they are performing. A score of one designates basic hygiene, and a score of five represents advanced hygiene. The scale is flexible and will adapt over time.
“The government and the contractor community must keep working together to address real and growing cybersecurity threats, and we need a robust response to protect our infrastructure, information, and supply chains,” said David Berteau, president and chief executive of the Professional Services Council, a trade association for federal contractors. “With today’s announcement, DoD has achieved a significant milestone.”
For the first time, the DoD is demanding a set of transparency metrics for cybersecurity as a requirement for doing business. It is unsurprising that a security-centered organization like the DoD would lead the way to more structured and defined cyber governance transparency metrics and standards—metrics and standards that Cyberhedge considers both necessary and inevitable.
The article notes, “adversaries have discovered it is easier to target unsuspecting down tier suppliers, rather than prime contractors.” The new certification is partly a response to a growing recognition within the U.S. defense establishment that a contractor’s cybersecurity posture is only as strong as its weakest link. Such links often exist three to four steps removed from the “prime” contractor—an issue DoD CIO Dana Deasy highlighted a year ago.
Cyberhedge called attention to this issue in a September 2019 note on the proposed UTC-Raytheon (RTN) merger. Analysis of the deal through a cyber financial (CyFi) lens found that, in terms of cyber governance, not only are UTC and RTN both worst-in-class on important metrics, but many of UTC’s main supply chain partners are also worst-in-class. Furthermore, merging two companies that both have poor cyber governance exacerbates their cyber risk, as integrating IT systems and management introduces additional complexities and risks into an already weak ecosystem. This also presents additional risks to investors.
Three critical issues led to the DoD’s decision to require transparency metrics:
- The increasing complexity of both corporate networks and supply chains,
- Increasing security vulnerabilities prevalent in both, and
- The national security risks of poor cybersecurity.
Though the national security calculus is different outside of the defense industry, the larger challenges and need for greater cyber transparency are the same.