Cybersecurity hacks across US cause small- to mid-size companies to reexamine processes

By: Tim Fawcett, Director of Cybersecurity Consulting

As cybersecurity issues continue across the nation, the Defense Department has implemented new cybersecurity requirements for contractors, resulting in many small- to medium-sized companies scrambling to meet those requirements.

The department has one of the largest vendor bases of any organization, and many of its contracts require vendors to handle information that must not be accessible to others. Today, vendors need only agree to meet certain cybersecurity requirements to assure that Defense Department controlled information is being protected; that agreement is not independently verified. Unfortunately, we have all seen the consequences when organizations have not assessed or verified the security practices of their vendors. The SolarWinds and Kaseya breaches are examples of failures in vendor management processes: in each case, attackers compromised a widely used vendor product and rode it into the vendor's customers. When the Defense Department has no visibility into its vendors' security, the consequences can directly affect those who defend our nation. Information leaked by vendors can reveal details such as troop movements, weapons systems designs, or even insights into critical infrastructure such as water systems.

The department's answer to this challenge is the Cybersecurity Maturity Model Certification. CMMC is a framework of cybersecurity practices and procedures, the scope of which must be implemented by vendors according to the type of Defense Department data they handle. Over the next five years, all Defense Department contracts will require contractors and subcontractors to have an independent certification of their compliance with CMMC.

Becoming CMMC-compliant and passing a third-party assessment can be a huge hurdle for companies. CMMC is an emerging program, and there is currently no opportunity for vendors to implement alternative practices or reduce risk in other ways. The framework also requires a great deal of documentation, including evidence that required processes are taking place. Many contractors have been preparing for this eventuality, while others have taken a wait-and-see approach. There has been criticism of the framework and calls for improvement to the approach, including everything from the cost to the lack of a risk-based approach, but it is a certainty that CMMC in some form will soon be a reality for organizations that contract or subcontract to the Defense Department.

A CMMC assessment must be performed by certified experts working for a company that is a CMMC third-party assessor organization, or C3PAO. As the Defense Department begins implementation of the CMMC framework, it has designated a group of “provisional assessors” based on their industry experience.

There are a few ways companies can clear these hurdles, starting with a look at your IT support arrangements, a gap analysis or a readiness assessment. Many small- to medium-size companies outsource the bulk of their IT to an IT support company, which means that company is in turn responsible for many of the practices CMMC requires. Not all of these providers are prepared to help their clients become CMMC-compliant, and some use IT management products such as Kaseya and SolarWinds, the same products that served as the entry point in the breaches above, to support their clients. That is why an independent evaluation of your cybersecurity is worth considering.

While businesses manage day-to-day operations, cybersecurity may not seem significant until these companies experience a breach of their own. All businesses, especially any Defense Department contractors, should make cybersecurity a priority to protect their bottom line, supply and consumers while ensuring resiliency.

Originally posted by The Oklahoman.


The CMMC Final Rule has been published, and it will be effective on 12/16/2024.

Guernsey is the only Oklahoma based company to have achieved the Certified Third-Party Assessment Organization (C3PAO) status, which authorizes the firm to provide CMMC assessments, or “audits,” for clients seeking certification to meet their contractual obligations.

To schedule your company's C3PAO assessment, contact Timothy Fawcett, CISSP, Vice President Director of Cybersecurity Consulting, at Timothy.fawcett@guernsey.us or (405) 416-8182.