In November of 2023, following multiple troubling cyber attacks on key players in the defense industry, the federal government updated the Defense Federal Acquisition Regulation Supplement (DFARS). The DOD has implemented CMMC 2.0 in order to close some of the gaps it has found in compliance among the Defense Industrial Base.
Many organizations, both public and private, have been ringing the alarm bell about supply chain disruptions from malicious hacking. More and more of these attacks are originating from hostile foreign actors and more and more of them are successful.
Lori Janssen-Anessi wrote recently about her experience helping private companies assess their security risks after having worked in government roles for over twenty years, including helping to create the original CMMC framework.
“Now after seeing those rules in place, plus working on the other side of the fence helping enterprises scan for externally visible third-party cyber vulnerabilities, I see that the original CMMC framework did not go far enough when it came to validating the appropriate cyber defenses were in place, especially those deep in a contractor’s supply chain.”
She makes compelling points about the dangers that private contractors face as they go about daily operations, unaware of their vulnerabilities to cyber attack until it’s too late to protect themselves.
Janssen-Anessi’s assertions are well supported by research as well as the lived experience of many defense contractors. One of the key changes to the rules structure is a departure from self-assessment and self-reporting to the introduction of third-party evaluation and reporting. This key component of CMMC 2.0 not only drastically improves individual companies’ protection from financially and functionally devastating attacks, it also makes a monumental difference in national security.
With the previous setup, each company bore the entire burden of liability for each subcontractor it used to complete its basic functions for the federal government, finding and responding to each vulnerability and attack. In its own investigation of compliance under the original CMMC, the Inspector General and DOD found that across the board, compliance was abysmal. The IG in its December 2023 report warned that the inaccuracies in self-reporting could be violations of the False Claims Act. The financial liability in those cases might include treble damages and penalties of up to $27,018 per false claim.
Application of the original CMMC put defense contractors in a position where threats from cyberattack were too difficult for the typical business owner to fully guard against. It also positioned the federal government’s after-the-fact engagement with the problem as a second threat to the financial stability of its own contractors.
The new framework in CMMC 2.0 distributes the burden of compliance more evenly between contractors, subcontractors, and the DOD, gives contractors access to the high-quality analysis and protection that they desperately need in the current cybersecurity landscape, and creates a safer and more effective bulwark against foreign threats.