Back in the days there were basically three parameters to bear in mind when procuring for the defence industry: production cost, performance and scheduling. Now, make sure to add cyber security as well, a fourth and vital pillar, as cyber crime and cyber espionage is the new forefront of escalation and confrontation.
Elmatica has as a trusted partner to the defence industry over the last thirty years, been first hand involved in defense compliance control. If you are in this industry, and a supplier to US DoD or involved in any dual-use product to the US DoD, the only word on your mind these days should be: CMMC, or Cybersecurity Maturity Model Certification – a new regulation for defence contracts in the US.
Last week we attended a Seminar on CMMC Certification arranged by danish FAD, together with several key players in the Danish Defence Industry. Senior Advisor at the Confederation of Danish Industries (DI), Peter Bay Kirkegaard held an interesting presentation about the current trade environment in the US, discussing the shift in the US trade policy, the tightening of rules of foreign direct investments, stricter expert control and not at least, sanctions.
The Danish Department for Cyber Analysis (DDIS) was present and continued by setting the context for the seminar in relation to strategies and aspects such as
- How is your organization rigged for an attack?
- How do you perform a threat assessment?
- Are hackers able to do an attack on your company?
- What could be the motive for such an attack?
The threat of cyber attack is high and DDIS has lately seen a switch from simple to more sophisticated attacks. The well known phishing campaigns are still running and one needs to continuously train once employees to be able to recognise and reject such attempts. The more advanced and complex attacks are focusing on familiar and unexpected channels as industry associations or even exhibitions, where once guard is lower and where one is not expecting a cyber attack.
However, all the attacks has one element in common and that is that the consequences can be severe, however with various motives:
- Politically motivated
- Financially motivated
- Military motivated
- Government motivated
The only element to halt the negative trend of an increasing amount of successful cyber attacks is: “Good IT hygiene”! Meaning a continuous focus on prevention, detection, locking down and securing once data by applying adequate human and financial resources to secure it.
We have all recognised that cyber espionage or cyber attacks is something we will have to learn to live with, which leads us to the main topic of the seminar; CMMC – The Cybersecurity Maturity Model Certification.
To analyse this model further in relation to its purpose and context, Group Chief Security Officer from Systematic, Kim Larsen and Security Manager from Terma, René Hedegaard Hansen presented the legislation and its why, how and when.
What is CMMC?
The CMMC is intended to serve as a verification mechanism to ensure that an appropriate level of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect Controlled Unclassified Information (CUI) that resides on the Department’s industry partners’ networks.
Why is CMMC implemented?
The US is implementing this framework to increase national security, reduce risk against cyber attacks, and reduce the risk of loss of controlled unclassified information in the entire supply chain. It is applicable to all subcontractors on a DoD contract, irrespectively of where you are located in the supply chain. The level of the CMMC certificate required is dependent on the type and nature of information flowed down from your prime contractor.
How does it work?
Put very simply, CMMC is a set of parameters that decide at which level of certification you are applicable as a prime or sub-contractor to US DoD. There are five levels of certification, and one needs to be audited by a third party auditor to get the Certificate. In order to be awarded the approval, there are a fixed amount of practises you need to be approved for, this will decide which of the five levels you are in compliance with.
Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. If your contracts or delivery of products include any governmental data, it’s assumed you also hold Federal Contract Information (FCI) and most likely also hold Controlled Unclassified Information (CUI). Storing, handling and processing CUI data, makes you applicable for minimum Level 3. The same applies if you handle export controlled data, as ITAR data, that is considered CUI, you will be subject to at least Level 3 in plus of the already existing ITAR-related rules.
Do we actually have to do it or follow the regulations?
During the seminar, there was a discussion on the continuous risk of someone in the supply chain adjusting or ignoring to follow parts of the requirements, to make their offer more appealing. This is where the CMMC kicks back dramatically. With a pre-set certification level and following regulations, all contractors bid and play by the same rules in the same playing field. Providing more security towards who can access the data and more certainty that you get what you order with total transparency towards where it’s produced. Imagine the cost if a PCB produced in China is found in a piece of electronics sold to the US Army?
As a trusted partner in the defence industry for decades, we welcome these regulations as they clarify what to do and a third party to enforce and ensure that the regulations are followed. If you do not have adequate cybersecurity protection in place, you will not be allowed to quote for new business and you will later lose existing contracts, as it later will be backward applicable to all existing and running contracts with the USDoD.
One can summarise the seminar with three key points to remember:
- Good IT hygiene is crucial
- Learn the CMMC regulation and identify, which level you are aiming for
- This is not a regulation for your compliance department, but a framework for your entire company with specific focus on your purchasing department. They must be trained in CMMC to ensure that all your sub-contractors on every level are able to meet the CMMC level required for the product they deliver to you. If you are not compliant you will not be a supplier to USDoD, everybody needs to know about CMMC – if not you risk that one single person can put the entire acquisition or company at risk. Thanks to Frank Bill, Susanne Bruun Sørensen and the rest of the team at FAD for a day packed with learning and networking – sometimes seminars can be a monologue from the presenters, but FAD absolutely managed to bring out the best in us all, creating interesting dialogues despite COVID-19 restrictions.
Read our previous article about CMMC.