Department of Defense (DoD) requirements mean contractors must ensure CMMC compliance within their own organizations, and throughout their supply chains. With multi-million dollar contracts at stake, the cost of non-compliance – and even small mistakes with suppliers – is significant.
Late last year, the largest data breach in US history occurred, with a cyber attack against the US government resulting in breaches across six US Government departments. Together with other notable names, the National Nuclear Security Administration and Department of Homeland Security were amongst those affected.
In many ways, it’s equally concerning to know that the origins of that breach appear to run back to March of the same year, when a supplier to Government – SolarWinds – had malicious code injected into its internal systems. Several months later, it was this code that ultimately enabled the breach to occur.
With fallout from last year’s events expected to take many more months, if not years, to fully play out, the challenges of cybersecurity and the risk of data breaches via an organisation’s supply chain continue to increase, and at an exponential rate.
Prior to data breaches such as SolarWinds, and dozens more that occurred over the preceding years, DoD contractors could attest to their own compliance against a standard known as NIST SP 800-171 – the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (also known as CUI), or to provide security protection for such systems.
Today, in one of many steps to increase cybersecurity capability, the CMMC requires an approved third-party organization – known as a Certified Third Party Assessor Organization (or CTPAO) – to assess and certify that contractors have met their cybersecurity requirements. This includes the security of their supply chains. The penalties for those found to be non-compliant can be significant, with termination of a contractor’s DoD agreement a very real possibility.
The implications of not meeting strict CMMC requirements can be daunting, to say the least. Equally daunting is the myriad of information that a DoD contractor – or would-be contractor – encounters when researching the steps they need to take in order to ensure compliance across their business, and throughout what can often be an extensive supply chain.
With a growing number of CTPAOs, and a small but powerful range of compliant solutions available, the good news is that significant steps towards CMMC for contractors, and their supply chain partners, can be less complex than people may think.
The following simple steps are just a few of the ways in which any contractor can progress their compliance journey, starting today:
Of all the points on our checklist, and of all of the obligations placed upon contractors to DoD and Government more broadly, the onus on securing an organisation’s entire supply chain can understandably feel like the most challenging.
Simple steps and the consistent utilisation of chosen systems across the supplier base can dramatically ease the road to compliance. And, while the cost of extending in-house data management software to suppliers may feel concerning, the cost of auditing and reviewing your suppliers' own choice of software will almost inevitably be greater. And the cost of losing a precious and hard-fought Government contract? Greater still.
For more insight, advice and guidance as to how to build to CMMC compliance, both internally and across your supply chain, reach out to us via the link below.