Want to do business with the Pentagon in the future?
If so, the days of "self-certifying" that you meet certain cybersecurity standards are over.
You will soon need to be on board with the latest U.S. Department of Defense plan to boost cybersecurity and lower third-party vendor risk.
It is called the Cybersecurity Maturity Model Certification program.
SecureWorld has written about this before, and now NextGov has an excellent write-up which reveals the Pentagon's determination to mandate the compliance of its third-party vendors or kiss them goodbye:
"We need to lower the barriers. We need to speed up acquisition. But we also need to secure the [defense industrial base]," Katie Arrington, chief information security officer for the assistant secretary for defense acquisition, said during a talk at the Charleston Defense Contractors Association 2019 Summit in Charleston, South Carolina. "With 70% to 80% of our data living on my contractors' networks, I don't have a choice but to worry about how they’re doing it."
"Companies that say, 'I'll never get certified, I don't want to, this is too high of a bar to reach to work with the Department of Defense. It's already cumbersome enough to work there.' Here's my thing: I love ya, but good riddance," she said. "We don't want to lose you. The companies that don't want to acquiesce: I don't want them to go, but they have a business decision to make."
The Cybersecurity Maturity Model Certification program requires 173 cybersecurity-related practices and 43 security capabilities, which link back to frameworks including NIST 171 and 171.b, among others.
The DoD will begin certifying the vendors who perform compliance certification in Q1 of 2020. These vendors will help monitor continued compliance by third-party vendors.