With CMMC 2.0, Cyber Security Tsunami Ahead for Thousands of Defense Firms (From RealClearDefense)
The full text is available below and on RealClearDefense here.
China’s cyber espionage is off the charts, and according to the FBI, Iran has been targeting the aerospace and defense industrial base, too. It’s not just top-secret programs; China, Russia, Iran and others are also going after vulnerable unclassified information and federal contract data. The threat is so severe that the government insists that Controlled Unclassified Information and Federal Contract Information meet higher standards.
That is why thousands of critical businesses face new cybersecurity standards for protecting unclassified information beginning in mid-2025. And many aren’t ready. In one recent survey, 96% of the 300 firms responding said they could not meet full compliance.
The standards known as Cybersecurity Maturity Model Certification 2.0 were first announced in late 2021. Major programs like aircraft carriers and the B-21 bomber depend on thousands of supplier companies. Some suppliers are already wrapped into classified programs. However, there are also numerous firms producing just a few critical parts for the defense sector, often nestled inside thriving commercial businesses.
Many vendors do not perform classified work. Yet, in this environment, they are at risk, too.
A classic horror story is the case of Lode-Tech, a small aircraft wiring harness company. Owner Stephen Su used the company to work with China’s People’s Liberation Army and steal 630,000 files on the U.S. Air Force C-17 in 2014. Although “much of the information stolen was not classified, sensitive or export controlled, in aggregate it allowed the Chinese to reverse engineer many aircraft components, thus saving much time and money in research, development and testing phases of technology production,” the Air Force’s Office of Special Investigations found.
Hence stiff encryption standards, data control, and a host of other measures will be mandatory under CMMC 2.0.
While no one doubts the need for tough new standards, just figuring out a plan of action burdens businesses. “These folks manufacture highly customized widgets for level 1 primes, and do it well. To their peril, they wouldn’t know an IP packet if they tripped over one; and why should they?” one expert pointed out after the CMMC 2.0 announcement.
Most agree there’s no choice about strengthening standards.
Back in March, the FBI unsealed a major Chinese hack that illustrates the type of vulnerabilities spurring CMMC 2.0. Over a 14-year period, APT31 used a combination of malicious emails and vulnerable routers to hack dozens of companies, including multiple cleared defense contractors and other service and telecom providers.
The problem is getting thousands of companies certified. It’s time for businesses and the government to look for ways to work through the transition.
CMMC stipulates three levels of compliance. At Level 1, access to potential federal contract information has 15 requirements and companies can self-certify compliance. Level 2, the minimum for businesses with controlled unclassified information, has 110 requirements. Businesses that must achieve Level 3 face an additional 24 requirements.
The government needs a strategy to ensure businesses can meet expectations. The U.S. Small Business Association’s Office of Advocacy weighed in on CMMC 2.0 earlier this year, raising concerns about the impact on companies.
But the government can’t handle the tsunami of certifications alone. Tapping solutions from successful defense companies with deep experience in cyber is essential. The Defense Industrial Base Cybersecurity Assessment Center has authorized third-party firms to certify other companies to deal with demand.
As a result, there’s a long menu of firms ready to help. Cybersecurity firms like Cyber Sheath, originators of the survey, offer CMMC 2.0 compliance assistance. So do big accounting, software and information providers like Deltek. However, vendors seeking certification will have to cope with choosing from a mixed bag of offerings.
Another option is to partner with companies that have long experience in both major government programs and cyber security. For example, SNC, which just won the contract for the Air Force’s nuclear command and control Doomsday plane, grew its Defensible Security division from in-house work on highly classified contracts to cloud-based security as a service models. In particular, businesses looking for Level 2 and Level 3 compliance should seek to work with companies with advanced skill sets in federal cybersecurity.
Official defense policy calls for a vibrant defense industrial base. By some counts, the defense industrial base is shrinking. By the numbers, Defense Department “vendors are down 27.6% over the last decade or so from over 56,000 to about 41,000,” according to analyst Paul Murphy. In the effort to stave off China, it’s important not to let the complexity around new cybersecurity rules in CMMC 2.0 drive companies from working with the federal government.