The Cost of Non-compliance with CMMC
A National Defense Industrial Association (NDIA) report card gave American defense contractors a “C”, indicating serious troubles in cybersecurity, innovation, the supply chain, and several other threatened areas. Additionally, the NDIA has estimated approximately $600 billion a year in losses as a result of cybercrime. The recently released Cybersecurity Maturity Model Certification (CMMC), a verification and validation process with a set of cybersecurity requirements, is designed to try to fix these problems within the Defense Industrial Base (DIB).
Cybercrime motivated by financial gain has long been the trend among adversaries, but the motivation has been trending in another direction over the past several years. Nation-state actors and terrorist organizations have been actively engaged in criminal activities to fund their operations. For instance, the United States has accused North Korea of using ransomware targeting Bangladesh Central Bank, Sony, and Lockheed Martin. The result was significant damage to the reputation and financials of Sony, as well as the robbery of $81 million from the Bangladesh Central Bank. Another example came in 2016, when the Drug Enforcement Administration (DEA) uncovered money laundering schemes using the internet and other malicious activities that made a connection between the Colombian drug cartels and Lebanese Hezbollah. Other terrorist groups such as Hamas, Lashkar-e-Taiba, Al Qaeda, and others have been discovered using cybercrime as a means to launder money as well as to covertly raise funds and finance activities internationally.
Between the present threat, the increasing sophistication and volume of attacks, and the state of cybersecurity of the DIB, there must be a movement to change, and to do it quickly. The cost of doing nothing will not only put your business at risk of not competing on Government contracts; it also puts our country at risk physically and economically. They say 60% of all small businesses go out of business within 6 months after they experience a cybersecurity breach. Therefore, small businesses have much more at stake and must get just as secure as large businesses to ensure their customers, employees, and livelihoods are protected. There are 323,000 new malware strains found a day that can put 30% of your total revenue at risk due to costs incurred for notifications, legal, incident response, recovery operations, IT downtime, reputational damage, and other direct and indirect costs.
Whether you are a small business or a large business, the stakes are high. With the CMMC rollout in progress, organizations must rethink how they execute IT services as well as how they secure those services without disrupting business operations. Some of the challenges we consistently find in small and large organizations are the following:
1. IT Management is an afterthought and control over the networks, systems, and endpoints is lacking significantly.
2. Too many privileged accounts, affording an advanced threat actor many opportunities to move laterally within organizations.
3. Lacking basic security fundamentals such as patching operating systems and third-party applications, updating antivirus, device encryption, and most importantly multi-factor authentication.
Organizations needing to comply with CMMC must first begin to think more like an enterprise. Controlling IT assets is a must, and the first step in doing so is to identify what needs to be secured. While I was in the Marines I did four combat tours in Iraq, Afghanistan, and several other locations. During every deployment we always considered what needed to be protected, combined with the purpose of the mission, first. It’s hard to protect something if you don’t know what it is and where it is. Therefore, an inventory is a must and should be the starting point for every company as it embarks on its CMMC journey. We actively see adversaries attacking daily, deliberately targeting the DIB not with general attack techniques, but with sophisticated and highly targeted methods to increase their probability of success. Unfortunately, they are winning too many times, and as an industry it’s time we fight back. Please continue to read our future blogs, as we will demonstrate how you can prevent, detect, respond to, and recover from cybersecurity incidents to not only comply with CMMC, but to protect national security and your company’s most valuable assets.