With a number of high-profile security hacks involving widely used software, government agencies are refocusing on their own organizations' security measures and on those of the vendors and service providers that work with them. This shift in focus was already under way before the recent hacks, in anticipation of cyberattacks just like the ones we've recently seen.
In January of 2020, the Defense Department implemented the Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. Contractors have always been held responsible for implementing and documenting the security of their IT systems that touch sensitive government data. Under CMMC, that responsibility continues, but a third party must now assess the contractor's compliance.
The CMMC established five certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure to safeguard sensitive government information on contractors' information systems. A year into the program, the governing board has been formalized with a full-time professional staff to oversee the CMMC requirements as they begin to be included in RFPs.
Similarly, the Cybersecurity and Infrastructure Agency (CISA) is re-prioritizing how and where it looks for threats. The agency had been operating the EINSTEIN program, which was implemented to track and examine incoming traffic with the idea of keeping threats out of networks. Many of today's threats, however, would not have been identified with this approach. To respond to the reality of the threat landscape, CISA is putting more focus on detecting anomalous activity on unencrypted workstations and servers so that it can respond to supply chain attacks faster.
To stay up to date on the rapidly evolving security practices in government, check out these events and resources:
- CDM Central: The Age of Cyber Defenders (May 12, 2021; webcast) -- How is the CDM program working with agencies to accelerate the path to better security? And how should agencies engage the CDM program to inoculate against current and future hack impacts? This event will cover the expanding role of CDM, new faces, funding outlooks, and, importantly, how agency cyber defenders are gearing up to protect and mitigate against future hacks.
- RSA Conference 2021 (May 17-20, 2021; virtual) -- A marquee show of the cybersecurity industry, this year's virtual event will include hundreds of informative sessions to attend, inspiring keynotes, opportunities to engage with sponsors and explore their solutions, and a chance to network with peers and speakers.
- Moving CMMC Forward (May 19, 2021; virtual) -- Learn the latest on what is required and what may be ahead for acquisition and contracting executives concerning cyber certifications and audits as government and industry experts share their insights and lessons learned.
- Building a Trusted ICT Supply Chain (white paper) -- This paper outlines a five-pillar strategy for meeting supply chain security challenges, including identifying key technologies and equipment, ensuring minimum viable manufacturing capacity, protecting supply chains from compromise, stimulating a domestic market, and ensuring global competitiveness.
- Strategic Guidance Survey: Cyber Operations (white paper) -- With agency threat surfaces expanding greatly with the remote workforce, cybersecurity must evolve to rely more on data, analytics, and automation and be able to tie it all together in a single platform.