« Return to Newsletter

Featured Article: The Advent of the Cybersecurity Maturity Model Certification (CMMC)

The Threat

The time to improve and fortify your cybersecurity system is now! Ever-present threats from hackers, bad actors, and foreign powers threaten cybersecurity in countless ways. Developing a secure cybersecurity infrastructure will mitigate this threat. Ever-changing technological advances have led to an unprecedented amount of data breaches and, in case you haven’t been paying attention to recent trends, it’s only going to get worse. Statistics from the past decade indicate a clear increase in data breaches1,2,3, most of which stem from a combination of poorly trained personnel4 and poorly implemented security controls5, most often the former eclipsing the latter. Technological advancements and cybersecurity threats are unfortunately moving at a pace that is forcing organizations into a state of never-ending cybersecurity-catch-up. The recent Colonial Pipeline cyberattack is a startling reminder of just how vulnerable some systems can be.

The Response

In response to increased cyber threats and data breaches witnessed throughout the first half of the past decade, in October 2016 the U.S. Government’s Office of the Under Secretary of Defense for Acquisition & Sustainment published new contractual requirements centered around cybersecurity, which rapidly became the new norm for defense contractors doing business with the U.S. Government.  The specific contractual requirements are listed in the form of Defense Federal Acquisitions Regulation Supplement6 (DFARS) clause 252.204-70127, and, among many things, infers that proof of compliance is handled at the discretion of the organization through a combination of self-assessment and get-well plans. While defense contractors claim success in implementing and assessing their own security postures, they are being put in a position where the accuracy of said assessment can easily be under or overrepresented for various reasons including little or no verification enforcement, leaving a crucial gap in the overall compliance process.  

The Plan

We welcomed 2020 with a new construct that will change the defense industry for years to come: the Cybersecurity Maturity Model Certification5 (CMMC). This process employs certified independent third-party organizations to conduct cybersecurity control audits, gather and report insight in the context of risk, and issue cumulative certification levels ranging from 1 (lowest) to 5 (highest) to other defense contractors based on cybersecurity hygiene, audit results, and comprehensive risk assessments. This new mandate from the Office of the Under Secretary of Defense for Acquisition & Sustainment is meant to introduce a new cybersecurity defensive layer by assuring that defense contractor organizations are held to a higher standard and are accountable when claiming security control compliance. A group of approved, certified cyber watch dogs, serving as authorized CMMC assessors, will offer organizations with compliance verification of security requirements including those related to DFARS 252.204-7012 direction and NIST SP 800-1718,9 among other industry standards.

The Focus

For 2021, reinforcement efforts in cybersecurity infrastructure and data protection must be the main focus for all companies operating in the cyberverse. The CMMC process provides verifications and auditing, closing gaps in past processes. Additionally, consistent, and timely evaluations of potential security risks mitigate weaknesses that lead to breaches. Proactive reinforcement of your cybersecurity infrastructure will safeguard against costly hacks and attacks. Elevating your cybersecurity systems to CMMC levels requires expertise in measuring preparedness and recommending mitigation strategies. Join the VSRA Cybersecurity Committee to stay informed about taking the next step in your cybersecurity defensive position.



01 https://www.marketwatch.com/story/how-the-number-of-data-breaches-is-soaring-in-one-chart-2018-02-26

02 https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

03 https://www.forbes.com/sites/forrester/2019/12/18/decade-retrospective-cybersecurity-from-2010-to-2019/#29267b984d51

04 https://attack.mitre.org/

05 https://www.acq.osd.mil/cmmc/

06 https://www.federalregister.gov/defense-federal-acquisition-regulation-supplement-dfars-

07 https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

08 https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

09 https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

« Return to Newsletter