The upcoming SAP Aerospace & Defense Innovation Days provide a great opportunity to connect with the world’s leading A&D manufacturers. I am honored and excited to take the stage next Wednesday with my dear friend Anne Marie Columbo to help participants understand the impact and benefits of the new Cybersecurity Maturity Model Certification (CMMC) that will apply to thousands of companies that support the Defense supply chain.
CMMC’s introduction highlights the importance of the new program:
- The theft of IP and sensitive information from all industrial sectors due to malicious cyber activity threatens economic security and national security.
- Malicious cyber actors have targeted, and continue to target the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD), which consists of more than 300,000 companies.
Certifying the maturity of the cybersecurity program used by vendors in the supply chain is an important evolution in standard vendor risk management practices. Requiring independent verification of cybersecurity processes and practices at different maturity levels helps provide increased assurance that a contractor can protect sensitive information all the way down to its subcontractors in a multi-tier supply chain. The Department of Defense has 65,000 contractors and over a million contracts. CMMC raises awareness for everyone in the ecosystem that may tangentially support the DoD effort. It also affects more than 300,000 downstream subcontractors and vendors who also support commercial and non-defense organizations. In time, the new CMMC requirement can have a significant impact on the entire cybersecurity ecosystem.
These new requirements are obviously exciting for vendors. The threat of losing the opportunity to provide products and services to the defense marketplace will drive most vendors to take all reasonable steps required to comply with CMMC requirements. A marketplace with more than 300,000 potential customers who need support for training, advisory services, and certification from independent assessment organizations is compelling. The economic activity created in this marketplace is unimaginable.
Although I appreciate the economic incentives created by CMMC, it is hard to overlook the impact of strengthening the cybersecurity practices of everyone in the supply chain. Moving from compliance and “checking boxes” is always positive. According to NIST, many cyber breaches have been linked to supply chain risks. This includes notable events such as Operation ShadowHammer (2018), which affected up to a million users; the 2013 attack by the Dragonfly group, which targeted companies with industrial control systems; and Symantec’s 2019 Internet Security Threat Report, which found that supply chain attacks increased by 78 percent in 2018 and continue to rise.
As a veteran of the US Army, I am excited to promote a solution that is going to improve the safety of men and women who volunteer to serve the nation in our Armed Forces. Promoting cybersecurity maturity is one of the best mechanisms to increase trustworthiness and security in a supply chain that affects us all. For companies that don’t have the capability or the desire to adopt the CMMC practices and achieve certification, the NISTIR 8276 identifies established and emerging practices proven to be effective for identifying, defining, and communicating cyber supply chain risks.
Thanks for reading, thanks for sharing, and thanks for contributing to the conversation.