Newsletter Archives – Systems Service Enterprises (https://www.sseinc.com)
IT solutions and training built around serving commercial and government markets.

Are DoD Contractors Asking The Right Questions About CMMC Compliance?
https://www.sseinc.com/frontpage-article/cmmc-compliance/
Sun, 15 Mar 2020 15:47:13 +0000

5 Questions That Could Make Or Break Your CMMC Compliance

Confusion about deadlines, CMMC compliance, and the ramifications exists in the DoD supply chain. It’s crucial that businesses get answers and take proactive measures.

Department of Defense supply chain contractors are under considerable pressure to implement the Cybersecurity Maturity Model Certification (CMMC) mandate, but uncertainty looms about how it impacts their business.

There’s no denying the fact the federal government is wise to bring together elements of the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) under one cybersecurity roof. Foreign entities and cybercriminals recognize that the vast majority of Controlled Unclassified Information (CUI) is housed on private-sector networks. What is even more concerning is that too many DoD supply chain outfits were not in cybersecurity compliance.

“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level-set because a good portion of our defense industrial base doesn’t have robust cyber hygiene,” DoD official Katie Arrington reportedly said. “Only 1 percent of DIB (Defense Industrial Base) companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation-state attacks.”

The CMMC aims to rectify these issues. Still, organizations that generate profits by providing the DoD and affiliates with goods and services are not asking the most pertinent questions. If you are a decision-maker for a DoD contractor or supply chain outfit, these are questions you may need answered.


1. Does CMMC Compliance Apply to Your Organization?

There has been some misunderstanding about which businesses are required to meet the new cybersecurity threshold. In the past, peripheral companies that were not fully immersed in DoD work may not have brought cybersecurity measures up to snuff. The conventional thinking was those stringent measures were just for direct DoD contractors. Those days are quite over.

The latest version of the CMMC creates five levels of cybersecurity controls. The sensitivity of the data your outfit maintains will determine which level you are required to meet. The DoD is far more determined to ensure that every operation that participates in the supply chain adheres. So, the short answer is: Yes, your organization must comply.

2. How Soon is CMMC Compliance Required?

If you own, operate, or lead a DoD supply chain operation and have not brought your cybersecurity into compliance, consider yourself behind the curve. The rollout officially began in January 2020, and there are several fast-approaching deadlines.

As of June, CMMC requirements are expected to be listed in Requests for Information (RFIs), and third-party audits are set to begin. By September, DoD contractors will have to be certified to submit bids. Perhaps the most significant challenge affected organizations will face is a log-jam of competitors enlisting the limited number of cybersecurity specialists that can help bring them into compliance on time.

3. How Do I Know Which CMMC Level to Meet?

It wouldn’t be surprising for the average company to at least meet the Level 1 threshold, which the mandate considers “Basic Cyber Hygiene.” But the deeper into the supply chain your products, goods, and services go, the more enhanced the controls. If your outfit stores, creates, or transmits any government data, it is increasingly likely that Level 3 compliance is required, at minimum. The best way to know the appropriate compliance level is to have a third-party assessment conducted by a cybersecurity expert.

4. Does CMMC Apply to Cloud Usage?

Again, the short answer is yes. Given the rapid migration to the Cloud, supply chain operations may run into some difficulty in this area.

For supply chain outfits that use Software-as-a-Service (SaaS) solutions, it will fall on your shoulders to determine whether your utilization is considered “in-boundary.” After that, the question remains whether it meets the CMMC mandate. It’s not uncommon for the major providers to offer government-approved versions. It’s also in your best interest to check thoroughly that these options stand up to NIST 800-171 or NIST 800-53 scrutiny. Cloud platforms that do not pass muster could derail your CMMC audit.

5. What are the Ramifications for Not Complying on Time?

The DoD used to circle back and level high fines for contractors that engaged in work without meeting the standards. Such will not be the case going forward. Compliance is now a prerequisite for securing profitable DoD work. Those who are not CMMC certified will be cut off. Losing that lucrative work to competitors will undoubtedly prove painful.

Contact our IT experts today to get a professional service quote.

COVID-19: Business Threats And How IT Can Keep You Operational
https://www.sseinc.com/frontpage-article/covid-19/
Thu, 12 Mar 2020 12:03:56 +0000

Businesses Turn To IT Strategies Amid COVID-19 Disruption

The growing risk of COVID-19 infection requires companies to operate remotely. Expanding Cloud access and cybersecurity measures could help avoid a downturn.  

The World Health Organization recently upgraded the coronavirus threat to a pandemic. This designation has global, community, and business implications. The outbreak has forced Italy to shutter wide-ranging businesses and services. In terms of American companies weathering the crisis, industry leaders must act decisively to maintain operational integrity, and that means determined IT strategies.


Brick-And-Mortar Coronavirus Strategies

It’s crucial for valued employees who travel to work to take precautions that minimize the threat of infection. The Novel Coronavirus, also known as COVID-19, can be transmitted from person-to-person contact or passed on through inanimate objects. Because symptoms may not manifest for weeks after contracting the contagion, it may remain active on things such as countertops, desktop computers, keyboards, doorknobs, elevator buttons, and many others. Staff members who are currently working at a facility are advised to sanitize high-traffic spaces and devices, and to practice washing hands with hot water and cleansers that have a 60-percent or higher alcohol content, according to the Centers for Disease Control and Prevention.

COVID-19 Is Now A Cybersecurity Threat

It may be difficult to fathom, but hackers are leveraging public fear of the virus for profit. Since the first outbreak in Wuhan, China made international news, disgraceful hackers have concocted phishing schemes. There has been a sudden rise in coronavirus-themed websites and frightening direct emails laced with malicious applications.

“As the virus spreads across the globe, people are naturally searching online for the latest information and updates on how it might affect them, and what they can do to protect themselves and their families. And as you might expect, cyber-criminals are quick to take advantage of these concerns for their gain,” a Check Point report on COVID-19 cybercrime states. “Hackers around the globe have found the Coronavirus serving them well as an enabler for their activities and are still riding the wave of the epidemic. Our Global Threat Index for January 2020 shows cyber-criminals are exploiting interest in the global epidemic to spread malicious activity, with several spam campaigns relating to the outbreak of the virus.”

Heightened IT employee education and training about COVID-19 schemes are crucial in the coming weeks. Cybercriminals have reportedly been targeting areas that have even small outbreaks of the virus. Their strategy appears to be to manipulate unsuspecting people in a region with phony direct emails that appear to be from health agencies. Schemes include asking recipients to enter personal and credit card information to get a coronavirus test kit. Once you click on a link, digital bandits can take control of your device, penetrate a business network, and raid sensitive data.

IT Can Improve Business Continuity During COVID-19 Crisis

For companies that already allow employees remote access to data and profit-driving networks, taking the next steps to augment and expand this strategy could make a substantial difference. Critical next steps include working with a managed IT specialist to expand Cloud bandwidth and shift additional workers into virtual workspaces. Ranked among the more significant challenges will be increasing the bandwidth on the Cloud.

Fortunately, many providers are already readying for a flood of organizations undertaking this strategy. Along with augmentation, third-party IT experts can shorten the time it takes to supply workers with profiles that include appropriate levels of permissions and privileges.

Having personnel work remotely does come with a certain risk. Cybersecurity protocols can differ substantially from in-house networks when accessing the Cloud. Given that hackers are working overtime to take advantage of the pandemic, new users may put your operation at increased risk. Along with adding employees to Cloud-based efforts, it is in every business’s best interest to proportionately increase cybersecurity oversight.

The COVID-19 outbreak has quickly taught the business community that incidents halfway around the world can cause local disruption. The silver lining is that health organizations, government leaders, and captains of industry are working diligently to combat the virus. It is also prompting many to change the way they manage day-to-day tasks by leaning on IT experts to mitigate risk going forward.
