Why All Businesses Should Care About Cybersecurity Changes to CMMC

President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity on May 12, 2021, which has since led to a review of the Department of Defense’s Cybersecurity Maturity Model Certification program (CMMC). Developed back in 2019, CMMC’s goal has been two-pronged: protect government data, and evaluate the cyber compliance of government contractors. But even non-DoD contractors should keep an eye on CMMC developments, says DLA Piper, because “[o]ther agencies are closely watching the development of CMMC and may implement it in various forms.”

CMMC Changes to Expect

While the CMMC review is still in progress, DLA elaborates further on the changes we can expect:

• Establishing provisions and contract clauses related to how you collect, preserve, report, and share personally identifiable data.
• Having a system for promptly reporting cyber incidents involving the software, products, or services you provide.
• Ensuring critical software meets requirements from the National Institute of Standards and Technology (NIST).
• Reaching the requisite certification level before bidding on a contract.
• Verifying companies within your supply chain have also achieved the requisite certification level.
  
  

Currently, businesses that want to bid on government contracts will need to perform a self-assessment for how they process, store, and share covered defense information (CDI), and provide that to the DoD. But in order to minimize risk, DLA reports that it’s best to have this assessment performed “by an interdisciplinary team that includes IT, business, legal, and compliance, with a focus on accurate and complete reporting.”

What Your Team Can Do Now

Regardless of whether your business bids on government contracts or operates in the private sector, there are still several cybersecurity best practices that you can implement now in order to protect your network.

Passwords. Encourage your employees to create strong passwords, never share them with other colleagues, and never write them down.

Mobile Devices. The practice of BYOD (Bring Your Own Device) has become more widely accepted during the shift to remote-based work. Whether we’re talking smartphones, tablets, laptops, or desktops, all are potential vectors for hackers to exploit. It’s important to lay out the requirements for which devices may be used, what data they can access and share, and the permissions you allow the applications and programs that perform that sharing.

Training. Unfortunately, the weakest link against cyberattacks is often human error. Users may open emails or click links that allow code to infect their network, either sent by unknown sources or by bad actors impersonating legitimate sources. This is why cyber training is critical for all employees so that they’re aware of what’s expected of them when it comes to proper and secure data management.

Penetration Testing. Hire IT specialists who can assess how well your current infrastructure stands up against known cyber threats. These testers can either be part of your internal team or outsourced, but remember that third-party contractors should have their certification and experience verified for CMMC compliance.

Risks of Noncompliance

Don’t assume that only the big-name companies out there are the ones that are targeted. Small- to medium-sized businesses share in this risk and often have more to lose when their network is compromised, from their data and their customers to their brands’ reputations. It also leaves businesses open to potential lawsuits, depending on the type of personally identifiable information that’s accessed or stolen from them.

As we edge closer to the end of Q4, take the time now to evaluate your current cybersecurity, identify areas you need to improve, and lay out the best plan to implement those changes.