{"id":23048,"date":"2024-04-24T09:25:00","date_gmt":"2024-04-24T08:25:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=23048"},"modified":"2024-05-07T08:03:51","modified_gmt":"2024-05-07T07:03:51","slug":"the-dod-strikes-back-enhancing-supply-chain-cybersecurity-with-cmmc-2-0","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/04\/the-dod-strikes-back-enhancing-supply-chain-cybersecurity-with-cmmc-2-0\/","title":{"rendered":"The DoD Strikes Back: Enhancing Supply Chain Cybersecurity with CMMC 2.0"},"content":{"rendered":"\n

In late October 2023, a third-party data breach incident<\/strong> <\/span>sent shockwaves through the business world, affecting over 57,000 entities<\/strong><\/span> engaged in business with Bank of America<\/strong>.<\/span> This breach exposed sensitive personal and financial information, underscoring the pivotal role that third-party suppliers play in an organization\u2019s cybersecurity infrastructure.<\/p>\n

These incidents, commonly referred to as \u201csupply-chain attacks<\/strong><\/span>\u201d, involve targeting an organization\u2019s downstream third parties<\/strong><\/span> (e.g., partners, vendors) to gain access to valuable systems. In the Bank of America case, the compromised third party responsible for this breach, was Infosys McCamish Systems (IMS), an insurance process management services provider.<\/p>\n

This breach resonates with the infamous SolarWinds<\/strong> <\/span>cyberattack, where Nobelium hackers inserted malicious code into the SolarWinds Orion platform, enabling them to infiltrate numerous government systems, including the U.S.\u2019 Homeland Security, State, Commerce, and Treasury, as well as private systems worldwide.<\/p>\n

As corporate IT architectures are arguably a mere reflection of a company\u2019s intricate web of business relationships, these events serve as a stark reminder that organizations are not isolated entities<\/strong> <\/span>but rather hubs of interconnected and co-dependent partners<\/strong> <\/span>and third parties. Achieving a robust cybersecurity posture requires more than individual efforts; it demands cultivating a secure ecosystem<\/strong><\/span> of thoroughly vetted trusted partners to effectively safeguard the entire supply chain required for product delivery (TPRM).<\/p>\n

However, building such an ecosystem poses challenges. Many companies lack the resources to exclusively select leading, cutting-edge, and trusted third parties or may lack the leverage to demand transparency from existing partners.<\/p>\n

Drawing lessons from the SolarWinds cyberattack, and amid heightened geopolitical tensions (see Chinese cyberattacks on U.S. infrastructure at an unprecedented scale<\/a>), the Department of Defense recognized this challenge and responded with the development of a solution for securing the supply-chain ecosystem of the Defense Industrial Base (DIB) called the CMMC<\/strong><\/span>.<\/p>\n

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework <\/strong><\/span>designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)<\/strong><\/span>, that is shared with contractors and subcontractors of the Department of Defense (DoD) <\/span><\/strong>through acquisition programs.<\/p>\n

The CMMC 2.0 Proposed Rule Release, published on December 26, 2023, represents the latest evolution of the CMMC cybersecurity model, poised to supplant the preceding CMMC 1.0 with a more pragmatic approach<\/strong><\/span>. Following its release, the proposed policy underwent a 60-day open-comment period<\/strong><\/span>, which concluded on February 26, 2024<\/strong>.<\/span> The new regulation is anticipated to be finalized by late 2024 or early 2025<\/span>.<\/strong><\/span><\/p>\n

The CMMC 2.0 is aimed at safeguarding sensitive national security information<\/strong><\/span> by protecting the Defense Industrial Base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. It streamlines requirements to three levels <\/strong><\/span>of compliance and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards. The specific security requirements and assessment types (self-assessment, third-party assessment, or DoD assessment) vary based on the level.<\/p>\n