October 3, 2024

Last Updated on October 5, 2024

In today’s interlaced business network, most organizations have little visibility or control over the numerous third-party systems they rely on. Successful cyber infiltrations of suppliers, vendors, partners, and other third parties can have wide-scale impacts on the client organizations that are often the primary target, including intellectual property (IP) exfiltration, data loss, operational disruption, and reputational harm.

To manage escalating third-party cyber risk, contractors in the US defense industrial base (DIB) and other global supply chains must extend their cybersecurity programs and cyber risk assessment to include third-party systems. The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) standard specifically addresses this need with third-party risk management requirements, such as those within its risk assessment, vulnerability management, and continuous monitoring controls.

This article explains the CMMC requirements for third-party risk management (TPRM), why TPRM is so important for DIB contractors, and how CMMC compliance helps reduce third-party cyber risk and protect data across the global defense supply chain.


How prevalent is supply chain cyber risk?

Supply chain cyber attacks are one of the most widespread and costly cybercrime vectors, with 15% of businesses experiencing a data breach due to a supply chain compromise in 2023. 98% of companies have one or more vendors that have experienced a data breach—no surprise given that the average organization shares confidential or sensitive data with 583 third parties.

But despite the size of the third-party attack surface, only 36% of organizations acknowledge being highly effective at evaluating vendors’ cybersecurity postures. And just 24% of organizations say they are proactive in assessing and collaboratively improving their vendors’ cybersecurity postures.


What is supply chain cyber risk management?

Supply chain cyber risk management seeks to identify and address cyber risks within a supply chain. The National Institute of Standards and Technology (NIST) defines supply chain risk management as, “… the practice of maintaining security, quality, resilience, and integrity standards for the entire supply chain, including all relevant services and products.”

Supply chain cyber risk management is especially critical in the defense sector because successful attacks on DIB suppliers can compromise US military advantage and threaten national security. Exfiltration of product design data, for example, has allowed China to develop stealth jet fighters and other weapons systems that are near copies of advanced US technology representing billions of R&D dollars.

A supply chain cyber attack starts by breaching a company’s third-party software or service providers. The goal of these attacks is to gain unauthorized access to sensitive data held by the target organization through vulnerabilities in connected third-party systems.

These attacks can originate with vendors that provide almost any service, from window-washing to logistics to custom software development. The most damaging recent supply chain incidents took different routes in: SolarWinds involved infiltrating a software vendor’s build pipeline and seeding its product with malware; MOVEit involved exploiting a previously unknown vulnerability in a widely deployed file-transfer product; and the Okta incidents involved compromised credentials and access to an identity provider’s support systems. In each case, one vendor’s weakness became a foothold into many customers at once.

Common vulnerabilities in third-party systems that hackers routinely exploit include:

  • Compromised credentials that open the door to critical systems, possibly offering direct access to customer environments that might otherwise be well protected.
  • Unpatched vendor systems that contain known exploitable vulnerabilities, creating entry points for persistent, sophisticated attacks on customer systems.
  • Overall weak vendor cybersecurity and lack of basic controls, allowing attackers to compromise email communications, exfiltrate controlled unclassified information (CUI) and other sensitive data, and worse.
  • Vulnerabilities in supply chain management software, such as inventory management, order processing, logistics, or warehouse management tools.

Because they involve multiple organizations’ IT environments, supply chain cyber incidents on average cost 11.8% more and take 12.8% longer to detect and mitigate than other data breach types. Such incidents cost on average $7.5 million to remediate.


What is CMMC?

CMMC is the DoD’s latest framework and program for reducing cybersecurity risk across the DIB by ensuring contractors and subcontractors can adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC not only mandates robust cybersecurity controls for defense contractors, but also requires them to “flow down” these same cybersecurity requirements to their subcontractors and vendors.

Failure to achieve CMMC certification at the contractually specified level can make a contractor ineligible for award of (or keeping) that contract, making CMMC compliance a competitive requirement for many DIB orgs. CMMC’s three levels are:

  1. Level 1 “Foundational”—Ensures a company can safeguard FCI per the 15 basic safeguarding requirements of Federal Acquisition Regulation (FAR) Clause 52.204-21 (counted as 17 practices in earlier CMMC 2.0 materials). CMMC Level 1 requires an annual self-assessment and affirmation.
  2. Level 2 “Advanced”—Addresses CUI protection, including the information flow with subcontractors in a multi-tier supply chain. CMMC Level 2 has 110 requirements aligned with NIST SP 800-171 and, for most companies, requires a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO); some contracts permit a triennial self-assessment. An annual affirmation is required either way.
  3. Level 3 “Expert”—Specifies 134 requirements (the 110 of NIST SP 800-171 plus 24 selected from NIST SP 800-172) and requires a triennial government-led assessment and annual affirmation from senior management.

CMMC has the goal of establishing uniform cybersecurity standards across the entire defense supply chain, not just individual businesses. As such, it requires contractors and their vendors to address supply chain risk as part of their own certification/compliance program. Not only must DIB companies attain their own CMMC status, but as part of that process they must ensure that any subcontractor that will process, store, or transmit FCI or CUI under the contract has attained the CMMC level specified for it before that information flows down.


How does CMMC secure the defense supply chain?

CMMC improves cybersecurity throughout the DIB in multiple ways. These include:

  • Greater accountability for companies that handle CUI. The longstanding regime of self-attested compliance to the NIST 800-171 standard has failed to meaningfully improve DIB security. To attain CMMC Level 2 certification, most contractors will need to undergo a rigorous assessment by an accredited, independent third party—a much higher bar for ensuring the needed controls are in place.
  • Tiered requirements aligned with risk. Not only is the CMMC program more rigorous than today’s self-attestation approach, but also its three maturity levels align compliance requirements to the sensitivity of the data each supplier handles. For example, companies that handle only FCI but not CUI need only achieve CMMC Level 1.
  • Uniform security capabilities across the DIB. By establishing baseline cybersecurity standards that all DoD contractors and their subcontractors need to follow, CMMC reduces the third-party risk associated with “weak links” in the supply chain’s multi-tier cybersecurity. Businesses of all sizes, from prime contractors to the smallest service firms, are held to the same control requirements for the level of information they handle, reflecting the reality that risk is shared across every tier.
  • Stronger incident response and cyber resilience. CMMC requires every DIB org that handles CUI to have a robust incident response plan. This helps reduce the impact of a data breach or other cyber incident to all connected organizations. Further, CMMC supports cyber resilience by mandating continuous monitoring and improvement of cybersecurity processes.

CMMC will drive down the DoD’s cyber risk by ensuring the CUI and other sensitive data it entrusts to contractors and their suppliers is appropriately protected. Moreover, due to its sweeping impact across thousands of organizations, CMMC will uplift cybersecurity practices even beyond the DIB.


Why is protecting CUI beyond one company so important?

As the DoD’s global supply chain continues to grow, more CUI and other sensitive data flows downstream from government systems to those of its contractors, on to their subcontractors, and so on, increasingly through cloud services, escalating the military’s cybersecurity risk. In that progression, the weakest link limits the overall cyber defense capability.

Safeguarding CUI is critical for national security, economic stability, and individual privacy. With the CMMC program, the need to verifiably protect CUI and comply with strict new cybersecurity guidelines also flows downstream, impacting the entire DIB.

CMMC’s comprehensive, DIB-wide approach to cybersecurity ensures that each organization can chart a clear course to protect the CUI entrusted to it, thus upholding the defense supply chain’s overall cybersecurity posture.


What are top challenges and benefits for SMBs adopting CMMC?

While CMMC has tiered maturity levels commensurate with cybersecurity and privacy risk, smaller suppliers may still face challenges due to resource constraints, including a steep, complex implementation curve with significant technology costs.

How can DIB SMBs prepare for CMMC? Key steps include:

  • Identify the CMMC level you need to comply with for your contract and/or business goals.
  • Define your CMMC environment scope and boundaries based on the CMMC scoping guidance for your level.
  • Perform a gap analysis against the CMMC control requirements for your level using the CMMC assessment guidance.
  • Prioritize and holistically address the identified gaps.

Leveraging internal training and/or seeking guidance from a CMMC Registered Practitioner (RP) or other external consultant are popular choices to address SMB resource and skills limitations and build a CMMC certification program aligned with business goals and demands.

Benefits of successfully pursuing CMMC certification include:

  • The ability to participate in DoD contracts
  • Improved customer trust and loyalty
  • A stronger competitive position for winning new business
  • Better cybersecurity posture leading to reduced data breach risks and impacts with associated potential cost savings
  • Reduced regulatory compliance risk
  • Potentially lower cyber liability insurance costs
  • Enhanced ability to attract and retain cybersecurity talent


How will CMMC influence the future of cybersecurity within and beyond the DIB?

Currently at release 2.0, CMMC will continue to evolve in response to cyber threats and new technology and best practices, ensuring the framework remains effective at protecting CUI and continuously improving cybersecurity across the DIB. Reassessment requirements will further ensure that DIB suppliers stay compliant with CMMC as it evolves.

Other US government agencies are also considering embracing CMMC as a starting point for improving their supply chain cybersecurity and third-party oversight—making CMMC compliance an even stronger competitive differentiator. Likewise, universities involved in defense R&D will also be required to achieve CMMC certification for their systems that handle CUI.

Companies across commercial segments can also apply CMMC best practices to safeguard sensitive data and reduce cyber risk. Voluntary private sector adoption may become widespread in response to customer cybersecurity concerns, competitive pressure, and other drivers.


What’s next?

In today’s increasingly complex and cyber-aware defense supply chain, contractors that can demonstrate CMMC compliance will gain competitive advantage. Any company that wants to do business within the DIB needs a strategy to meet the CMMC requirements at the appropriate level for storing, transmitting, and processing CUI.

To speak with an expert about your CMMC compliance goals, contact CBIZ Pivot Point Security.