RESEARCH, GUIDANCE and KNOWLEDGE
White papers and presentations
Providing leaders with expert knowledge and information
Cybersecurity Maturity Model Certification (CMMC)
NATO Life Cycle Management Group – January 26th 2021 (Public release)
The management of the Life cycle (LCM) of defence systems, from the drawing board through manufacture, deployment, maintenance and removal from service requires careful consideration for the defence industry base (DIB) and the end user. US DoD Cyber security requirements defined by the Cyber Security Maturity Model (CMMC) impact how CUI data is managed by the DIB. For LCM it has an impact on the creation, storage and usage of CUI through the whole life of ‘any’ component part of a US defence system.
Requiring the implementation of NIST SP 800 – 171 and CMMC cyber security practices and certification to the required CMMC Level (level 1 to Level 5).
The challenges and opportunities for companies complying with the US DoDs requirements
The international Defence Industry Base (DIB) is an important contributor to the US DoD and the CMMC programme will have an impact on the international supply chain. In this paper we discuss the Interim Final Ruling which came into effect on the 1st December 2020. The 2 part approach adopted by the DoD for the deployment of NIST and CMMC, and the implications for companies across the DIB. With some practical examples on what to do to start the compliance process.
The DFARS Balancing Act
An important read if you are interested in cyber regulation and supply chain security. CMMC has been on the radar for many months and with the release last week of the interim ruling and the ‘Unpublished’ release by the Federal Government of DFARS: Assessing Contractor Implementation of Cybersecurity Requirements for public comment; is a pivotal moment for deployment of cyber security standards within the US DoD supply chain and in general. Pulling together some of the salient points raised by the Interim Final Ruling and bridging the gap between CMMC deployment and regulation.
CMMC an international perspective
It won’t be long before the draft DFARS text for the US DoD CMMC programme is released for public consultation. Whilst no one knows what it will say, the MoU between the Department of Defence and the CMMC AB is in the public domain. The first round of training for CMMC provisional assessors has taken place and deployment of the standard is widely discussed in the US. For international contractors the standard will have a profound effect on how trade, specifically procurement takes place with the US. Whilst the first phase of CMMC regulation is firmly focused upon the Department of Defence, other Federal Agencies have added CMMC requirements into their own procurement requirements. It is expected that it will gain momentum over the coming months and CMMC requirements will make their way into procurement policies.
The paper outlines the history of CMMC and some of the opportunities and potential issues which companies will face, as the model is deployed.
The Elephant in the board room
Cyber is one of the biggest non-financial risk’s boards deal with today. By any measure it has been shown to have a significant impact on an organisation’s financial statements. Cyber has both significant upside and down side costs. Cost to secure the organisation from the attack and costs to remediate a successful attack. Cyber is an enterprise wide risk, wherever data is created, transmitted and consumed, cyber is a risk. Whether that is CUI, FCI, PII or corporate IP its damage, loss or destruction has a cost. A risk requiring board oversight and assurance?
Securing the corporate balance sheet
Cyber security has evolved, for many years it has been seen as the responsibility of the IT department and CIO. Cyber is an enterprise wide business risk, which is demonstrated through the impact of an attack on corporate financial statements. Costs to deploy security solutions and costs to remediate incidents impact P&L, Cash flow and the balance sheet. The conversation around the board table has traditionally been a technology conversation. This has to change to be a business conversation, managing a risk which touches the physical and logical foot bring of any organisation.
Setting professional standards for cyber security