Wed, Nov 6, 2019
The Department of Defense (DoD) recently announced highly anticipated draft guidance around their forthcoming Cybersecurity Maturity Model Certification (CMMC). This guidance is “[I]ntended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.” The DoD is reacting to the evolving threats in its supply chain, as malicious actors leverage weaknesses in the cyber security posture of contractors to gain access to critical defense information and systems.
Today, cyber security guidance for DoD contractors is primarily sourced from the National Institute of Standards and Technology (NIST) Special Publication 800-171, written specifically to protect Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. This standard, driven by the Defense Federal Acquisition Regulation Supplement (DFARS), has served as an excellent starting point for contractors and others that do business with the government and need to build their cyber security program. Unfortunately, cyber threats have grown and evolved, and as a result, the government seeks to ensure the appropriate level of maturity across its defense supply chain by introducing the CMMC.
The CMMC assessment process will rely on a framework that identifies specific controls that serve as maturity benchmarks ranging from one (the least mature) to five (the most mature). These maturity levels have been pulled from several different, but widely accepted, frameworks, guidance documents and other resources, including: NIST SP 800-171, NIST SP 800-53, NIST Cyber Security Framework (CSF), the Carnegie Mellon Risk Management Model, the Center for Internet Security Controls and ISO 27001.
Kroll has deep expertise assessing the cyber maturity of both individual organizations and of an organization’s entire supply chain. We work daily to address challenges similar to the one the DoD is trying to solve, namely how to understand if an organization you share information with has the capability to appropriately protect what is shared. Our CyberClarity360 team has developed a platform that allows organizations to collect, validate, analyze, remediate and ultimately monitor the strength of their third-party cyber risk. In preparation for the future rollout of CMMC, there is much that companies within the defense industrial base can do to assess and strengthen their third-party cyber security risk. We encourage clients to follow the below guidance as they seek to understand the cyber security maturity of either their own enterprise or their supply chain:
While the process of assessing third-party vendors is a challenge for many organizations, 73% of executives identified reputational damages caused by third-parties as a risk priority and nearly 30% reported that third-party incidents significantly affected their organizations in the last year, according to Kroll’s 2019/20 Global Fraud and Risk Report. Strong assessment capabilities help ensure third-party vendors, and their associated risks, are accurately understood. Assessment findings should inspire vendors to make maturing their cyber security capabilities a priority. Above all, managing third-party cyber risk should focus on one common goal: ensuring the ongoing protection of sensitive data.