Why Small Business Should be Paying Attention to New DOD Cybersecurity Rules

By Scott Dawson
January 3, 2020
Cybersecurity threats increase every day. As the Department of Defense (DOD) diligently works to set regulations for protection, they’ve identified the high levels of risk small businesses face as technology continuously advances. These risks can also make the DOD, and ultimately American warfighters, vulnerable due to the huge amounts of unclassified information shared throughout the defense industrial base. More and more often, American small businesses are the target of hackers, ransomware, and information breaches.

According to statements by the Office of the Under Secretary of Defense for Acquisition and Sustainment (USDAS), information attacks cost the country $600 billion annually. As the near-unlimited bandwidth of 5G becomes a reality, the new Cybersecurity Maturity Model Certification (CMMC) was designed specifically to aid small businesses in developing processes for protection of their most vital assets, including DoD designated Controlled Unclassified Information (CUI).

An improvement to the current DFARS regulation requiring compliance with NIST SP 800-171 standards, the tiered CMMC system levels the playing field by creating regulations and compliance requirements dependent on business type and industry. The one (least secure) to five (most secure) scale expands upon the existing NIST two-tiered system, providing a more comprehensive and effective defense against attackers. Instead of working through the known Plan of Actions and Milestones (POA&M) concept to become compliant with 110 controls over time, CMMC lays out exact requirements that must be met to achieve each level of certification.

For small businesses, the new regulations could pose challenges. Without the resources and sophistication to adhere to the required level of CMMC certification, they may fail to comply with the standard. They’re challenged to weigh the necessity for protection against the cost and effort to implement changes. Ultimately, by the fall of 2020, inability to comply to CMMC regulations could have major negative impacts when it comes to business opportunities with the DOD and the ability to bid on DOD contracts.

The Under Secretary’s representation stressed the importance of focus on small business cybersecurity. Remote work and the coffee-shop office are notable risk accelerators for companies, even when the information they’re dealing with isn’t classified or highly sensitive. The pipeline opens, the ability to self-defend is limited, and low-level vulnerabilities are suddenly easy targets for expensive exploitation. This is where the CMMC strengthens the infrastructure.

Regardless of industry, small businesses are functioning in a digital world. Customers use digital devices to connect with your brand, upload and download content, conduct transactions via app, send email, and share on social media. Your own employees – even if you’re a team of three – are functioning in a digital space in their professional and personal lives. Cybersecurity risk is now inherent. It’s deeper and more nuanced than old book and paper systems, and it’s unavoidable as companies grow in size and technology. CMMC can help mitigate that risk, whether related to DOD or other customer contracts.

CMMC will become an unavoidable requirement for small business success with the DOD. As we learn more about the details of the system and the positive impact it can have on American companies, we also recognize the potential for complication and challenges that will inevitably come with program implementation. Research for effective adoption is paramount – not only for success, but for long-term, dependable cybersecurity.

Contact us today about working toward compliance to NIST 800-171/CMMC.

Related Articles:

CMMC 2.0 Compliance Explained

CMMC 2.0 Compliance Explained

CMMC 2.0 Compliance Explained An Integrated, Layered Approach to CybersecurityAmid rising cyber threats, the Department of Defense (DoD) has developed a robust framework to ensure its contractors...

How to Simplify CMMC Compliance

How to Simplify CMMC Compliance

How to Simplify CMMC Compliance for Small BusinessThe Department of Defense (DoD) is stepping up its cybersecurity game, and it’s putting pressure on all its suppliers to do the same. If you're a...

Overview and Status of CMMC

Overview and Status of CMMC

The General Overview and Current Status of CMMC 32 CFR Part 170 (The CMMC Program Rule) This rule has been finalized and published. It officially establishes the Cybersecurity Maturity Model...