by Haidon Storro

2021 The Year of CMMC

New year, new business contracts, right? Ever since the Department of Defense (DoD) introduced its new Cybersecurity Maturity Model Certification (CMMC) program there has been a ton of uncertainty. Many contractors are idling in a learning mode to see how it plays out. Unfortunately, those who still want to do business with the federal government will find themselves at a crossroads in 2021. Venture into the uncharted CMMC territory? Or let other businesses go first and learn from their mistakes? Take it from us at Silent Sector, the trajectory of cyberattacks we have seen in 2020 has led us to believe that CMMC certification will become the key to attaining and maintaining DoD contracts.

COVID-19 brought on a Cyber Pandemic

If you ask anyone what the most shocking event of 2020 was, they will tell you the global pandemic. However, a lesser-known but quite appalling event is the exponential increase in cyber-attacks. Headline after headline, a new breach or ransomware outbreak looms. So, while people are tired of wearing masks, they are also tired of discovering yet another cyberattack. Breach fatigue is real!

A simple Google search reveals 27 million cyber headlines related to COVID-19 cybersecurity

The DoD developed the CMMC framework to help formalize cybersecurity as non-negotiable for future acquisitions. You might be asking, "why now?" Well, the onslaught of breaches during COVID-19 was a stark wake-up call to finally address the information carelessly lost every year to espionage, theft, and data mishandling. So, while there is nothing inherently special about the pandemic-related attacks themselves, it is the critical information lost that is of concern.

Unlike a virus that attacks humans, there is no vaccine for cyber-attacks. That is to say, there are millions of malware variants, attack campaigns, scams, etc., and just because a security product protects against one malicious actor, several more are already brewing. 2020 has shown us that critical players in the pandemic relief effort, such as the World Health Organization (WHO), are increasingly susceptible: the WHO has seen a fivefold increase in attacks since April. Whether or not this is related to nation-states trying to steal intellectual property or vaccine information, what is clear is that these adversaries have the means and opportunity to infiltrate organizations of all sizes.

Business Opportunity

Despite most DoD contractors not being subject to the WHO's level of attack upsurge, they are just as likely to fall victim to an attack. This is in part due to supply chain attacks, but also simplicity. Take the SolarWinds attack, for example. This was an ingenious way to get to the true targets by going through their associates. In addition, smaller companies tend to have tight budgets and scarce security resources, making them incredibly vulnerable. The DoD is aware that this, coupled with few in-house cybersecurity experts, makes it unrealistic to expect a strong security posture. What makes CMMC very feasible is that it comes in five levels. Level 3 also happens to be pretty much identical to NIST SP 800-171, which was previously made mandatory via self-attestation. In other words, if your organization already aligned with that standard, there will not be a ton of extra hoops to jump through to also achieve CMMC certification. For more about CMMC levels, click here.

Statistics indicate that $600 billion is lost annually to cybercrime across all industries. Not a lot is known about whether CMMC certification has a material impact on data breaches in the long run, but in the short run, CMMC compliance offers many near-term benefits to businesses intent on doing business with the DoD. First off, contractors may have until 2025 to implement CMMC requirements, depending on the demands of their clients/prime contractors. That being said, getting certified in 2021 puts your business at an immense advantage. If your organization is bidding on a contract and you are already certified or are in the process of CMMC consulting, this is a great competitive advantage and will undoubtedly enable you to win business contracts.

Second, business disruption due to a cyberattack can cause grave damage to your company, its reputation, and its customers. Some attacks, like ransomware, could even put you out of business if you don't have appropriate backups or enough funds to cover the ransom (for multiple reasons, we strongly advise against paying ransoms). Third, even though CMMC certification sounds like you are being forced to implement security (which you should have already been doing under NIST SP 800-171A), it might just be a necessary evil to help bolster small businesses and, in turn, national security.

Is your organization ready to commit to building a formalized cybersecurity program? Or maybe you are not sure what direction to take? Call Silent Sector today to speak with one of our security experts. We'll give you clarity and help your business get to its desired level of security so you can focus on your core objectives instead of worrying about compliance.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DEF CON. In her free time, she enjoys reading about new advancements in technology, going to security meetups, and participating in cyber defense competitions. One of Haidon's goals is to make the connected world safer by bridging the human aspect with technology.