With CMMC coming, is the DIB armed and ready? “Behind the Firewall: Assessing Cyber Resilience in U.S. Manufacturing”, published in June 2024 by the DoD, reveals that 76% of large manufacturers have moderately comprehensive cybersecurity policies. Only 42% of small to medium-sized businesses (SMBs) do.

This significant disparity highlights a critical vulnerability within smaller companies – the backbone of the Defense Industrial Base (DIB). The aerospace and defense sector includes large prime contractors such as Lockheed Martin, Boeing, Raytheon Technologies, Northrop Grumman, and General Dynamics. In contrast, other DIB suppliers are generally smaller companies. These SMBs make up the broader military supply chain, providing commercial off-the-shelf parts, logistics, specialized research and consulting, and support services.

One key factor that likely explains this gap is the presence of dedicated cybersecurity leadership. A staggering 88% of large manufacturers have appointed Chief Information Security Officers (CISOs). Most SMBs have not. Focused cybersecurity leadership plays an essential role in developing, implementing, and maintaining robust cybersecurity practices.

DIB companies can enhance their information security posture by appointing dedicated cybersecurity leaders, even fractional CISOs for SMBs. CISOs provide critical leadership for developing comprehensive policies and stringent supply chain security measures.

DFARS 252.204-7021, which will mandate CMMC audits for companies processing CUI, is not currently part of any DoD contract. However, DFARS 7021 is expected to be authorized for inclusion in new DoD contracts starting in Q1 of 2025, and aerospace and defense companies are likely to start including it in contracts with their DIB suppliers within the next few months, since they need to prepare their supply chains in advance.

Is the DIB armed and ready? No. And with more than half of DIB companies still lacking comprehensive information security policies, there is a tremendous amount of work to be done. C3PAOs will not audit DIB companies until these policies are in place.
