CMMC Looms: DIB SMBs Unprepared

Published by Brenda Harper on

With CMMC coming, is the DIB armed and ready? “Behind the Firewall: Assessing Cyber Resilience in U.S. Manufacturing”, published in June 2024 by the DoD, reveals that 76% of large manufacturers have moderately comprehensive cybersecurity policies. Only 42% of small to medium-sized businesses (SMBs) do.

This significant disparity highlights a critical vulnerability within smaller companies – the backbone of the Defense Industrial Base (DIB). The aerospace and defense sector includes large prime contractors such as Lockheed Martin, Boeing, Raytheon Technologies, Northrop Grumman, and General Dynamics. In contrast, other DIB suppliers are generally smaller companies. These SMBs make up the broader military supply chain, providing commercial off-the-shelf parts, logistics, specialized research and consulting, and support services.

One key factor that likely explains this gap is the presence of dedicated cybersecurity leadership. A staggering 88% of large manufacturers have appointed Chief Information Security Officers (CISOs). Most SMBs have not. Focused cybersecurity leadership plays an essential role in developing, implementing, and maintaining robust cybersecurity practices.

DIB companies can enhance their information security posture by appointing dedicated cybersecurity leaders, even fractional CISOs for SMBs. CISOs provide critical leadership for developing comprehensive policies and stringent supply chain security measures.

DFARS 252.204-7021, which will mandate CMMC audits for companies processing CUI, is not currently part of any DoD contract. But DFARS 7021 is expected to be authorized for inclusion in new DoD contracts starting in Q1 of 2025. Aerospace and defense companies are likely to start including it in contracts with their DIB suppliers within the next few months. This is necessary to prepare their supply chain in advance.

Is the DIB armed and ready? No. And with more than half of DIB companies still lacking comprehensive information security policies, there is a tremendous amount of work to be done. C3PAOs will not audit DIB companies until these policies are in place.

Categories: Uncategorized

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Uncategorized

Definitive Media Library

Securely managing software and system configurations is a challenge. But software and system configuration management is critical to information security. This is where a Definitive Media Library (DML) comes in. A DML is a secure, Read more…

Uncategorized

Unauthorized Vulnerability Scans

It’s Friday afternoon at Quantum Naval Solutions.  A network intrusion detection system has identified vulnerability scanning activity from an internal IP address. The activity stops, and the device using that IP address disappears from the Read more…

Uncategorized

Rogue WiFi: Plan of Action

Your technical sales support person is the most knowledgeable person in your company about WiFi. She discovers that problems with connections may be caused by two WiFi access points that have the same name. There Read more…