Small and mid-sized business leaders sometimes view federal mandates such as CMMC 2.0 as overreach and a nuance. It seems counterintuitive that sophisticated hackers funded by rival nations would invest time and energy into penetrating companies that perform sometimes marginal work in the military supply chain. In other words, don’t Russian and Chinese hackers have bigger fish to fry?
Truth be told, your business likely stores or transmits bits of Controlled Unclassified Information (CUI) these advanced persistent threats consider a piece in the larger national security puzzle. Once a foreign adversary gathers enough CUI from a military supply chain organization — like your small or mid-sized business — they employ it to launch major cyberattacks against the federal government.
In 2016, a Chinese National pleaded guilty to conspiring to hack a U.S. defense contractor’s system and “steal military technical data, including data relating to the C-17 strategic transport aircraft and certain fighter jets produced for the U.S. military,” according to the U.S. Department of Justice.
From 2019 through 2020, hackers reportedly funded by the Russian government exploited a software company loosely connected to the military-industrial base. Known as the SolarWinds hack, malware was slipped into software updates, tainting thousands of databases, including the U.S Treasury Department. The SolarWinds hack was orchestrated by using an intern’s login credentials. That strategy highlights the way foreign enemies will target small and mid-sized businesses connected to the military-industrial base and work their way to those bigger fish.
What is the CMMC 2.0 Update?
The Cybersecurity Maturity Model Certification, aka CMMC, brings together wide-reaching measures under one umbrella and mandates businesses involved in military activities to comply. Before the initial CMMC was conceived, companies met different standards and not everyone followed them consistently. This undermined national security and prompted the Department of Defense to re-imagine a robust security policy.
The original CMMC 1.0 policy was streamlined to reduce the number of cyber hygiene levels from five to three. Business leaders are now tasked with identifying which of the following three tiers apply to their organization and implementing the appropriate controls.
• Level 1: A small business that handles Federal Contract Information must meet 17 basic controls outlined in NIST 800-171. This information is typically not considered highly sensitive. The CMMC 2.0 update generally allows small and mid-sized businesses to conduct in-house assessments and submit the results to the Supplier Performance Risk System annually.
• Level 2: Considered “advanced” cyber hygiene, small and mid-sized companies that store or transmit CUI are tasked with meeting 110 NIST controls. The DoD mandate for Level 2 businesses has proven confusing to company administrators. Some outfits can self-test while others require an assessment from a Third Party Assessment Organization (C3PAO) every three years.
• Level 3: Reserved largely for direct military contractors, all 110 NIST controls come into play, as well as other to-be-determined measures. A C3PAO assessment is mandated.
The vast majority of small and, to some degree, mid-sized organizations will likely fall into the Level 2 or 3 standards. Understanding whether you require an accredited C3PAO or another cybersecurity expert is an important decision. Failing to properly comply with CMMC 2.0 could sideline your business from lucrative DoD contracts.
How Does CMMC 2.0 Benefit Small Businesses?
Entrepreneurs and other decision-makers must consider capital expenditures such as cybersecurity on an ongoing basis. As the CMMC 2.0 rollout nears, many will need to enlist the support of a cybersecurity firm with expertise in this niche area. That typically means partnering with an accredited C3PAO. Weighing the return on investment for CMMC compliance is something that requires thoughtful consideration.
It’s not uncommon for industry leaders to think in terms of a one-to-one correlation. You will invest X portion of your budget into managed IT and cybersecurity. The CMMC component involves a set dollar amount. Using straightforward math, CFOs may look at whether continuing to work in the military-industrial base is profitable.
The short answer is usually: Yes. The DoD has a massive discretionary budget that topped $722 billion in the Fiscal Year 2022, an increase of $17 billion over the previous year. These contracts pay top-dollar and continue to grow. Staying in the military-industrial base and peripheral supply chains calls for CMMC compliance. It’s also worthwhile to look at CMMC compliance through another lens.
Some modestly-sized business owners shrug off investing in cybersecurity measures because they don’t think hackers will target them. That mindset has resulted in small and mid-sized businesses ranking among the most vulnerable in terms of deficient cybersecurity. The following statistics demonstrate cybercriminals have noticed.
• More than 60 percent of small and mid-sized businesses suffer cyberattacks each year.
• Companies with fewer than 500 employees sustained an average loss of about $3 million.
• Nearly half of companies with less than 50 employees have no cybersecurity budget.
• More than half of business owners paid ransomware hackers to release their network.
• A quarter of small and mid-sized outfits that are hacked lose clients and customers.
• Upwards of 60 percent of organizations that get hacked fold within 6 months.
Because multi-million-dollar hacks garner splashy headlines, the average business owner remains unaware they are a primary target. Garden variety hackers, sitting in a café halfway around the world, troll the internet looking for easy marks. When a small or mid-sized organization is not well defended, it becomes low-hanging fruit. And cyber thieves are more than happy to steal credit card numbers, raid bank accounts, or sell your personal identity information on the dark web.
Although CMMC compliance is not necessarily designed to protect the integrity of small and mid-sized companies from financial and personal identity threats, it serves as a proactive deterrent. With CMMC protocols in place, your organization possesses determined cybersecurity. Hackers are unwilling to exhaust themselves trying to breach your system. They’ll move on to easy targets that failed to invest in themselves.
Contact Sedulous Consulting Services For CMMC 2.0 Compliance
Based in Triangle, Virginia, Sedulous Consulting Services ranks among the first 100 organizations to qualify as a Third-party Assessment Organization. We work diligently with small and mid-sized businesses to assess their cybersecurity vulnerabilities, secure their network defenses, and meet the stringent CMMC 2.0 requirements. If your company enjoys profits from a military contract or works in the supply chain, contact Sedulous Consulting Services.