Nov 5, 2021

Pentagon revamps CMMC program to help SMBs meet compliance standards

The streamlined CMMC 2.0 program is designed to cut red tape for small- to medium-sized businesses by making it easier for them to reach compliance. It also offers additional flexibility to reach goals through “plans of action and milestones” and allows officials to grant waivers in other cases, according to a DOD spokesperson.
“The Department of Defense must do everything it can to protect the hard-working, entrepreneurial companies and workers in the defense industrial base,” the spokesperson said. “Increasingly sophisticated and well-resourced cyberattacks, including state-sponsored espionage, are threatening the U.S. and the rules-based order on which the global economy relies. That’s why [defense industrial base] cybersecurity is and will remain a priority.”
The changes in the CMMC program would likely impact plans for civilian contracts in other federal agencies, as the General Services Administration had already prepared guidance to expand the cybersecurity standards program. The Department of Homeland Security more recently began moves to incorporate similar standards into its contracting process.
The CMMC Accreditation Body, an independent organization formed in January 2020 to help manage the certification process for defense contractors, welcomed the revisions made to the program.
“The DOD approached this from the appropriate risk management perspective and delivered on what the internal review set out to accomplish, clarifying the standard, reducing the cost burden, improving scalability and instilling greater trust and accountability in the CMMC ecosystem,” Matthew Travis, CEO of the CMMC Accreditation Body, said in a prepared statement Thursday.
The defense industrial base includes more than 300,000 companies of various sizes, from small, independent family-sized businesses to multibillion-dollar industrial parts and weapons makers.
From the earliest days of the CMMC program, concerns were raised about whether the program as constructed would put too much pressure on the relationship between larger companies and their subcontractors, who might be forced out of the industry if they were unable to meet minimum standards.
Smaller companies were often the entities targeted by nation-state and other threat actors as the weakest link in the chain. CISOs and other cybersecurity executives at large industry contractors have long been concerned about the ability of smaller partners to come into compliance.
“CMMC, as reviewed, was very complex and would have been difficult for the government to sustain,” said Mike Riecica, director, security strategy & risk at Rockwell Automation. “Smaller companies were starting to openly admit the cost of entry was a potential deterrent. As such, the DIB would have likely constricted as smaller companies walked away from opportunities.”
CMMC 2.0 will help create a more sustainable solution which, if correctly defined, will correct the ambiguities of the first attempt, Riecica said. As a company that sits squarely within a defined level, Rockwell Automation will not be significantly impacted, Riecica said. The controls defined in previous versions would still apply moving forward.
However, Alla Valente, a senior analyst at Forrester Research, questioned whether the Pentagon was giving in to concerns about burden sharing at the expense of security.
“Should our goal be to [get] small contractors into compliance or is the goal to get smaller contractors to adopt some minimum standard of security best practices?” Valente asked. “Compliance is our floor, not our ceiling. If the goal is to protect our nation’s critical infrastructure, then it should be about the risk of small contractors not having the basic standards of security.”
Valente agreed that moving from five to three levels and allowing contractors to achieve best practices rather than align with National Institute of Standards and Technology (NIST) compliance levels would ease the barrier to entry. However, Valente questioned whether allowing companies at Levels 1 and 2 to self-certify rather than go through a third-party assessment was too risky without some means of independent verification.