Cyber-attacks and cybersecurity breachs are on the rise, incentivized by ransom potential and risk versus reward gambles. Whatever the driver, organizations across the world are increasingly being victimized by hackers.
There are various categories of cybersecurity violations that an organization could fall prey to. As defined by the National Institute of Standards and Technology (NIST), a cybersecurity incident is a violation of “an explicit or implied security policy.”
Incidents are further segmented into cyberattacks and data breaches, which include attempts to access systems without authorization, unauthorized changes to software, and many others. All are costly, for both the company’s bottom line and its public image. It is critical that federal contractors for the U.S. Department of Defense (DoD) comply with the new security protocals to protect the safety and security of our nation’s infrastructure.
It is estimated that cybersecurity incidents cost the American economy between $57 billion and $109 billion in 2016, and they only continue to gain prominence. In August 2021, T-Mobile suffered a breach in which the information for more than 40 million people was stolen. Names, birthdates, social security numbers and driver's license numbers were compromised, leaving users deeply concerned over the safety of their identities.
Though T-Mobile was also a victim, they paid a price for the incident. Besides incurring reputational damage, the company’s stock dropped about 5 percent between August 13 and August 26.
Cybersecurity has become increasingly worrisome in areas related to government and nation-state attacks. As recently as June 2021, iConstituent, a private company that offers communications tools to connect lawmakers to their constituents, was targeted by ransomware. The company provides a newsletter service that U.S. lawmakers use to contact their constituents, and nearly 60 offices in the United States Congress were targeted. Although no House data seemed to have been breached, the event piled on top of already mounting concerns over the U.S. Government’s cyber defenses.
Perhaps one of the most eye-opening incidents occurred in 2020 when hackers breached the systems of Solar Winds, a large information technology firm in Texas. In an attack so stealthy that hackers spent months spying on companies completely unnoticed, malicious code was snuck into Solar Winds’ software systems, which consequently affected thousands of people, companies and government entities. Among those targeted were Microsoft, Intel, Cisco, the Pentagon, the U.S. Department of Homeland Security, the U.S. Department of Energy and many others. The most fearsome part of such attacks is that many companies and their clients may never know they were breached.
Cyber capabilities are constantly evolving and gaining awareness in national security and international relations. Dr. Michael McGuire, a senior lecturer in Criminology at the University of Surrey, wrote in his report "Nation States, Cyberconflict, and the Web of Profit," that his studies point to “a merging of traditional international relations with the cybercrime economy and the tools and techniques which now drive the digital underground.”
In response to this merge, organizations — especially government entities — must be proactive in their cybersecurity efforts. With cybersecurity incidents becoming more common and concerning during this era of rapidly evolving technology, the U.S. government has taken notice and is seeking to implement more stringent cybersecurity policies.
Organizations — especially government entities — must be proactive in their cybersecurity efforts.
As these policies take shape, contractors bidding on federal contracts must take heed when it comes to managing sensitive data. In January 2020 the DoD issued initial guidelines for Cybersecurity Maturity Model Certification (CMMC) to combat the rise in cybersecurity incidences.
This series of processes and practices serve as a cybersecurity framework for those in the Defense Industrial Base (DIB). In short, the effort will attempt to secure the supply chain for the DIB. CMMC will expand NIST 800-171 security requirements by adding additional domains and controls in areas related to asset management, recovery and situational awareness.
Going forward, federal contractors and sub-contractors will need a certain level of CMMC to bid and execute federal contracts. Due to the additional requirements, compliance cannot be achieved through self-certification. Organizations must be certified by a CMMC Third Party Assessment Organization (C3PAO).
Black & Veatch can help. In response to the DoD’s new CMMC framework, Black & Veatch Management Consulting, LLC, has achieved accreditation as a Registered Provider Organization (RPO) from the CMMC Accreditation Body and has launched a new CMMC offering. Combining its more than 20 years of experience in cybersecurity with an expert team of CMMC – AB Registered Practitioners and Certified CMMC Professionals, Black & Veatch is best suited to assist any organization in preparing for Level 1 – 3 CMMC assessment.