Cybersecurity posture isn’t just compliance—it’s a strategic asset. The DoD’s June 2024 report, “Behind the Firewall: Assessing Cyber Resilience in U.S. Manufacturing,” highlights a fact: cybersecurity requirements in RFPs and contracts are now a competitive edge for DIB manufacturers.

74% of the DIB requires comprehensive cybersecurity adherence from their suppliers and vendors, compared to only 29% of SMBs and 41% of large businesses.

GOOD NEWS!

But I am skeptical. Remember that all of these numbers are self-reported. And only 33% of DIB companies report having comprehensive System Security Plans (SSPs). Without SSPs, governance is ad hoc and relies on tribal knowledge. Anecdotal evidence from my discussions with DIB companies suggests even 33% is optimistic. How can DIB companies require standards they don’t meet?

I agree that CMMC certification will appear first in supplier contracts, not directly from the DoD. Large aerospace and defense companies, nearly half of which have SSPs, are asking DIB companies to enter SPRS scores. They are preparing their supply chain. Large contractors need their suppliers that handle CUI to pass audits as a prerequisite for their own certification.

After the CMMC program officially begins in a few months with the anticipated release of 32 CFR 170, SPRS score requests will turn into CMMC audit requirements. Unprepared companies will lose contracts to those that are prepared. Preparing for an audit can take 9 to 18 months. Companies not ready now may scramble later, risking the loss of their contracts. Some, especially those with significant competition, may not even be given the chance to scramble. Why should a large prime wait for one of its suppliers to become compliant if it has others that are already compliant?

This shift prioritizes cybersecurity in RFPs and contracts, transforming the defense supply chain. Delivering on time and under budget is no longer enough; the DIB must have a robust cybersecurity framework to protect sensitive data and systems.

Let’s get ready!

With CMMC coming, is the DIB armed and ready? “Behind the Firewall: Assessing Cyber Resilience in U.S. Manufacturing”, published in June 2024 by the DoD, reveals that 76% of large manufacturers have moderately comprehensive cybersecurity policies. Only 42% of small to medium-sized businesses (SMBs) do.

This significant disparity highlights a critical vulnerability within smaller companies – the backbone of the Defense Industrial Base (DIB). The aerospace and defense sector includes large prime contractors such as Lockheed Martin, Boeing, Raytheon Technologies, Northrop Grumman, and General Dynamics. In contrast, other DIB suppliers are generally smaller companies. These SMBs make up the broader military supply chain, providing commercial off-the-shelf parts, logistics, specialized research and consulting, and support services.

One key factor that likely explains this gap is the presence of dedicated cybersecurity leadership. A staggering 88% of large manufacturers have appointed Chief Information Security Officers (CISOs). Most SMBs have not. Focused cybersecurity leadership plays an essential role in developing, implementing, and maintaining robust cybersecurity practices.

DIB companies can enhance their information security posture by appointing dedicated cybersecurity leaders, even fractional CISOs for SMBs. CISOs provide critical leadership for developing comprehensive policies and stringent supply chain security measures.

DFARS 252.204-7021, which will mandate CMMC audits for companies processing CUI, is not currently part of any DoD contract. But DFARS 7021 is expected to be authorized for inclusion in new DoD contracts starting in Q1 of 2025. Aerospace and defense companies are likely to start including it in contracts with their DIB suppliers within the next few months. This is necessary to prepare their supply chain in advance.

Is the DIB armed and ready? No. And with more than half of DIB companies still lacking comprehensive information security policies, there is a tremendous amount of work to be done. C3PAOs will not audit DIB companies until these policies are in place.
