Defense firms can take steps now to comply with enhanced cyber standards, industry officials say

As nefarious actors increasingly target the defense industrial base to undermine U.S. national security interests, enhanced cybersecurity standards for Defense Department-aligned firms will enforce stricter safeguards around government data — and companies should take steps now to ensure compliance with the soon-to-be released requirements, industry officials said during an event hosted by Washington Technology on Wednesday.

DOD’s Cybersecurity Maturity Model Certification — or CMMC — program, which first went into effect in 2020, established baseline security requirements for the more than 70,000 firms that do business with the Pentagon. The proposed final rule for the more rigorous cyber requirements, known as CMMC 2.0, is expected to be released later this month for public comment. 

Bob Metzger, chair of the Cybersecurity and Privacy Practice Group, said CMMC 2.0 is reportedly “long and complex,” applying to large and small companies across the defense industrial base that he noted “are different in many, if not incalculable, ways.”

Metzger said complying with the new requirements will likely be difficult for some smaller firms, noting that “I think that the drafters have concluded that it's better to set the bar higher and expect more from the [defense industrial base] to protect itself.” 

But he added that threats from China and other global adversaries to disrupt DOD’s supply chain underscore the fact that smaller companies “are especially tempting targets” when it comes to U.S. national security. 

“This rule is protecting national defense capabilities and you as national defense assets,” Metzger said.

To help meet CMMC 2.0’s requirements, industry representatives at Wednesday’s event said companies — particularly smaller firms with fewer employees and less cybersecurity-specific funding than their competitors — can take steps now to strengthen their relationships with federal agencies and ensure that they are in compliance with best-practice cyber standards. 

Jack Wilmer — CEO of cybersecurity firm Core4ce — said his company’s approach has been to ensure compliance with minimum cyber standards “that represent the level we want to go after,” so if “there is a contract that I'm going to want to go after in some fashion that's going to require that certification, that we will get ourselves right in line to get certified.”

But beyond ensuring compliance with publicly released cybersecurity standards, Wilmer said it’s also important for companies “to look at the breadth of the things that the government is doing to actually try and help companies.” 

This includes taking advantage of federal agencies’ industry-focused initiatives that are designed to boost cyber practices and threat sharing efforts for companies across the defense industrial base.

Wilmer said the NSA Cybersecurity Collaboration Center, for instance, offers “freely available protections that cost nothing,” such as attack surface monitoring. 

“Some of those NSA services, we get some pretty interesting reports about vulnerabilities that are found, things like that, and really focusing on patching and mitigating those as soon as we identify them,” he added.

Wilmer said DOD’s Cyber Crime Center is another great resource for firms “in terms of working with industry and helping to train and certify them” when it comes to cyber practices.

“At the end of the day, I think everyone has the same objective, which is how do we up-gun the cybersecurity of the [defense industrial base],” Wilmer said. “That is true for companies; none of us want to be the next one compromised. And it's true for the government, where the whole point is we're trying to just patch holes in the cybersecurity of the ecosystem.”