Part 2: Cyber Hygiene Made Public – A Necessary Evil?
In part one of this series, I addressed what DoD contractors could be doing to prepare for the CMMC security level rating. In part two of the series, I want to discuss our customers’ concerns about the possible impacts of having their company’s security rating made public. According to the CMMC FAQ, all companies conducting business with the DoD must be certified (not just those who handle CUI), and the level of certification for each company will be made public.

How will the public disclosure of cyber hygiene ratings change the way companies do business? Will this be a motivating factor for contractors to improve their security posture or a demotivator to pursue government business? I personally believe that this will be a motivation for companies to improve their security posture – and if it is not, it should be.

Whether you are pursuing business from the government or from a commercial entity, being able to produce a third-party assessment of your organization’s cyber hygiene will likely become an essential requirement of doing business. As enterprises adopt cloud services and create complex integrations to deliver products and services, awareness of the security of their supply chain is going to be critical. When an organization looks to add new products and services to its supply chain, it is going to want to know how secure they are. When a vendor is breached, organizations will quickly need to find out if that vendor is part of their supply chain. Cyber insurance providers are going to look to measure cyber hygiene in order to determine premiums.

Of course, the size of the company must be taken into consideration when it comes to the burden an organization is able to bear in order to achieve a higher cyber hygiene rating. Will the larger prime contractors be the last ones standing after CMMC-certified organizations are established? Likely not.
The CMMC is designed to have varying degrees of compliance (e.g. low, medium, high). However, the level required for compliance will be determined by the CUI the organization handles or processes, not by its size. Obviously, these requirements will be more of a burden to a small sub-contractor that handles the same level of CUI as a large prime. However, the DoD has said that cybersecurity costs will become an “allowable expense,” which will hopefully relieve some of the burden for small businesses.

Since past behavior is the best predictor of future behavior, it’s best to take a look back at the history of security compliance requirements in order to predict how companies will be impacted by the new CMMC requirements. When PCI DSS became a requirement to process cardholder data, companies large and small used one of two approaches to becoming compliant. They either 1) defined the parts of their network that process or store cardholder data and took actions to bring that scope into compliance, or 2) eliminated cardholder data from their network by relying on third parties to process and store that data for them. Similarly, when NERC CIP compliance became a requirement for utilities, companies evolved to become compliant. CMMC will likely have the same impact.

So, how will the public disclosure of cyber hygiene ratings change the way companies do business? In general, it will eventually be a necessary “evil” of doing business – period. Those organizations that sell to the government might just be the ones to go through hell before their commercial counterparts do.

Those who have concerns about obtaining the CMMC should review the listening tour webinars and/or attend a live gathering. The CMMC FAQ website is also a good resource for clarification.

Learn more about how Tripwire helps secure government agencies against cyberattacks and meet evolving compliance requirements here. Read Part 1 here.