Getting Started with CMMC: Why Cybersecurity Maturity Levels for Defense Contractors Will Shine in 2020


The struggle is real. How can the US Department of Defense (DoD) reasonably secure the data of its supply chain that supports $716B in congressional funds? With over 300,000 companies holding defense contracts, there’s significant risk associated with sizable user groups managing controlled unclassified information (CUI). This is why the Office of the Under Secretary of Defense for Acquisition & Sustainment now provides a digestible framework with infosec best practices for prime and subprime contractors.


  1. Unclassified information is a national security risk, too. A data bunker may be overkill, but proper care is critical for any contractor with operational system access and personally identifiable information.

  2. A breach in the defense supply chain will have a cascading effect, potentially halting mission-critical operations.

  3. Not all contractors are made equal. Some have DFARS swagger, others do not.

DoD Contractors Will Need A Third-Party Audit

With the recent release of Cybersecurity Maturity Model Certification (CMMC), a third-party audit is required for any contractor responding to DoD bids. Audits will confirm and document the implementation of security practices pursuant to DFARS & NIST SP800-171 - a significant change from the status quo of contractor self-assessment and an insufficient verification process. 

CMMC is a game-changer with its concise summary of security controls and a newly founded accreditation body. The necessary controls are outlined in five levels (L1-5) to accommodate varying degrees of CUI management. This helps contractors identify their vulnerabilities while maintaining audit-ready work streams for a competitive advantage when bidding.

The majority of the defense industrial base will need L3 certification, wherein multi-factor authentication (MFA) is the first line of defense. Herein lies a challenge for contractors: elegantly verifying employee identities in a remote, mobile, SCIF, and air-gapped universe. These hybrid environments beg for a zero-trust approach toward application access; modern networks must consider smart security practices for their workforce, workplace, and workloads.

Throughout my time with Duo, I’ve quickly realized that MFA doesn’t need to be a poor user experience, cumbersome to deploy, and/or costly. Contractors with BYOD now have an accessible FedRAMP tool built for SP800-171 requirements to secure their application suites in a way users appreciate, and without exhausting their budget. 

How Duo Helps DoD Contractors Stay Compliant

There are tons of resources available for beginner and expert contractors alike to prepare themselves for a healthy security greenlight. The hard part is doing the assessment and building a strategy that best suits the business.

For those just getting started - or pros looking for additional resources - Duo offers free tools and activities for security awareness, training, and password party tips that’ll impress your friends!

Kudos to Johns Hopkins Applied Physics Lab, Carnegie Mellon University, and OUSD (A&S) for their dedicated collaboration in assembling a program that not only helps contractors identify their security gaps, but standardizes protection of unclassified data.