Reducing the Cybersecurity Compliance Burden on the DoD Supply Chain

Posted by: Scott Armstrong March 31, 2021 CMMC

Because a supply chain is only as strong as its weakest link, the Department of Defense’s (DoD) resolve to improve the cybersecurity hygiene and maturity of companies throughout the Defense Industrial Base (DIB) makes perfect sense. The DoD simply should not and cannot tolerate the continued compromise of its industry partners and the resulting exfiltration of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that threaten national security.

The Interim Rule that took effect on November 30, 2020 adds 3 clauses to the Defense Federal Acquisition Regulation Supplement (DFARS) that reinforce the DoD’s commitment to better protecting FCI and CUI across its supply chain. These DFARS clauses strengthen audit and enforcement of the current DoD cybersecurity standard – the 110 security controls identified within Special Publication 800-171 from the National Institute of Standards and Technology (NIST SP 800-171). They also provide a definitive path to the next generation of DoD cybersecurity requirements – the practices (a total of 171 of them) and their related processes (a total of 5 of them) defined across the 5 levels of the Cybersecurity Maturity Model Certification (CMMC) framework.

Compliance with NIST SP 800-171 applies to all organizations that create, receive, store, or handle CUI, while all of the estimated 300,000+ members of the DIB will need to acquire CMMC accreditation at 1 of its 5 maturity levels from an independent third-party auditor. Under the best of circumstances, both initiatives represent significant hurdles to clear in terms of the necessary expertise, resources, time, and budget. Small-to-medium-sized businesses (SMBs), many deeper in the DoD supply chain but no less critical, often face a particularly acute challenge, but one they must overcome in order to continue to engage on DoD contracts.

The DoD wants and needs every organization to succeed. Fortunately, SMBs and others can turn to commercially available products like Exostar’s Certification Assistant and Exostar PolicyPro that make it easier to achieve the objective of NIST SP 800-171 compliance and accreditation at any of the 5 levels of CMMC. That said, the DoD, prime contractors, and larger upstream supply chain partners – as well as the SMBs themselves – have a role to play in mitigating the pain.

All participants and teammates on a contract – from the DoD agency on down – must be more judicious with respect to what information they share with whom. The path of least resistance says to exchange all information with every partner, but in reality, does every participant on a contract need access to all data, especially CUI? By limiting distribution of CUI to those companies that truly require it, many SMBs that otherwise would have to pursue a Level 3 CMMC accreditation may only have to achieve Level 1 – a much lower bar, with fewer practices and no processes, that emphasizes good, basic cyber hygiene. And, by keeping CUI where it belongs, the DoD supply chain becomes more resilient, with fewer points of exposure for sensitive data.

SMBs can help themselves, as well. If, after questioning their need to receive it at all, they must handle CUI, they should limit the number of locations within their IT infrastructure where they store it, as well as the number of individuals with permission and credentials to access it. With intelligent segmentation, SMBs can reduce the system footprint to which NIST SP 800-171 security controls and CMMC practices and processes apply, and thus the time, cost, and resources committed to ongoing security, compliance, and certification activities.

By creating, executing, and enforcing the right policies, members of the DIB can be more intelligent and intentional in how, when, and to whom they distribute CUI, and in what they do with it when they receive it. The DoD must continue pushing every company in its supply chain to improve its cybersecurity by fully implementing NIST SP 800-171 controls for those with CUI today, and by gaining certification at the appropriate maturity level of CMMC tomorrow. Most companies will need help getting there. Products like Certification Assistant and Exostar PolicyPro represent a critical component of the solution, along with Exostar’s vetted CMMC partner community. The other component needed to reduce the cybersecurity compliance burden and ensure the successful CMMC accreditation of every DIB company, including SMBs, is for the DoD and its industry partners to be much more deliberate in their CUI distribution, storage, and access strategies. U.S. national security depends on it.