
CMMC - Securing the Supply Chain

  • TNG Staff
  • Mar 31, 2020
  • 2 min read

Cybercriminals and nation-state intruders are shifting their tactics away from traditional phishing and ransomware attacks and moving toward stealthier intrusions via websites and the software supply chain, according to a recent report.


In its annual report on internet security threats, the cybersecurity firm Symantec said online bad actors are increasingly exploiting vulnerabilities in commercial software and operating systems to launch cyberattacks. Supply chain attacks, which use loopholes in third-party services to strike a target, increased 78 percent between 2017 and 2018, and web attacks, which rely on malicious URLs and other online weapons, also spiked 56 percent. This follows similar findings from Symantec detailing a 200% surge in supply chain cyberattacks in 2017.


200%!


Couple this escalation in attacks on the supply chain with recent data showing that 56% of all cyber attacks in 2018 were launched against the public sector and an alarming trend is emerging. Our supply chain has become our nation’s most critical vulnerability.



In today’s hyperconnected 5G world, cybercriminals are finding new avenues and attack vectors from which to exploit government contractors and agencies, and the Department of Defense is clamping down on the contractor base in a concerted effort to stop the threats before they enter Defense environments.


As a result, DoD is establishing a new standard of cyber accreditation called the Cybersecurity Maturity Model Certification (CMMC). For a given CMMC level, the associated controls and processes, when implemented, are intended to reduce risk against a specific set of cyber threats. Contracting and acquisition teams in concert with the technical community will assess which CMMC level is appropriate for a particular contract and incorporate that level into requests for proposals.


Government contractors that have not designed and implemented a formal security program will be unprepared to identify, prevent, detect, and report supply chain cyberattacks. They will lack the necessary security policies, processes, and controls for themselves, much less for their subcontractors. DoD will require written proof of a compliant security program throughout the full supply chain in RFP responses.


Another frequent deficiency is a lack of multifactor authentication, which is a critical requirement for DFARS compliance. An incident-response plan is also critical because the DoD requires that contractors and subcontractors establish processes to identify a cybersecurity incident and report the intrusion event within 72 hours of discovery.

Small business contractors may not have the skillset to understand the compliance obligations required in DoD contracts, which can be inconsistently applied. To fill this gap, industry will need to implement solutions that can analyze the multitude of protocols and new attack vectors each day to identify breaches and anomalous behavior on the defense contractor network.


Even though the CMMC Accreditation Board has not yet certified industry Assessors, government contractors should begin working toward certification now. Start by assessing compliance with NIST SP 800-171, which lays out 110 security controls for contractors. Those that have implemented most or all of the controls will have a head start in earning CMMC accreditation.

©2022 by The Networx Group.