Wed, Nov 6, 2019

CMMC and Building a Third-Party Cyber Risk Program

The draft CMMC guidance is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practice and cyber hygiene across the defense supply chain.

The Department of Defense (DoD) recently announced highly anticipated draft guidance around their forthcoming Cybersecurity Maturity Model Certification (CMMC). This guidance is “[I]ntended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.” The DoD is reacting to the evolving threats in its supply chain, as malicious actors leverage weaknesses in the cyber security posture of contractors to gain access to critical defense information and systems.

Today, cyber security guidance for DoD contractors is primarily sourced from the National Institute of Standards and Technology (NIST) Special Publication 800-171, written specifically to protect Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. This standard, driven by the Defense Federal Acquisition Regulation Supplement (DFARS), has served as an excellent starting point for contractors and others that do business with the government and need to build their cyber security program. Unfortunately, cyber threats have grown and evolved, and as a result, the government seeks to ensure the appropriate level of maturity across its defense supply chain by introducing the CMMC.

The CMMC assessment process will rely on a framework that identifies specific controls that serve as maturity benchmarks ranging from one (the least mature) to five (the most mature). These maturity levels have been pulled from several different, but widely accepted, frameworks, guidance documents and other resources, including: NIST SP 800-171, NIST SP 800-53, NIST Cyber Security Framework (CSF), the Carnegie Mellon Risk Management Model, the Center for Internet Security Controls and ISO 27001.

Kroll has deep expertise assessing the cyber maturity of both individual organizations and of an organization’s entire supply chain. We work daily to address challenges similar to the one the DoD is trying to solve, namely how to understand if an organization you share information with has the capability to appropriately protect what is shared. Our CyberClarity360 team has developed a platform that allows organizations to collect, validate, analyze, remediate and ultimately monitor the strength of their third-party cyber risk. In preparation for the future rollout of CMMC, there is much that companies within the defense industrial base can do to assess and strengthen their third-party cyber security risk. We encourage clients to follow the below guidance as they seek to understand the cyber security maturity of either their own enterprise or their supply chain:

  • Focus on governance and how an organization approaches cyber risk. How an organization identifies and tackles its risk is an excellent barometer of its overall cyber security maturity.
  • Use technical controls and ask process questions to understand the capability of the organization. Maturity will tell you how they will approach a problem; understanding their capabilities will tell you how successful they will be in resolving it.
  • Ask questions that require clear and distinct answers. Open-ended questions leave too much to interpretation and slow down the analysis, while yes/no answers limit the ability to fully understand the maturity level.
  • Ensure that each level of maturity has a reference point to assist the assessed in evaluating their status. Some organizations may have no dedicated cyber security staff and will require examples of what the DoD expects for each level of maturity.
  • Additional guidance and insights are available in our vendor cyber risk management guide.

While the process of assessing third-party vendors is a challenge for many organizations, 73% of executives identified reputational damage caused by third parties as a risk priority and nearly 30% reported that third-party incidents significantly affected their organizations in the last year, according to Kroll’s 2019/20 Global Fraud and Risk Report. Strong assessment capabilities help ensure third-party vendors, and their associated risks, are accurately understood. Assessment findings should inspire vendors to make maturing their cyber security capabilities a priority. Above all, managing third-party cyber risk should focus on one common goal: ensuring the ongoing protection of sensitive data.
