The SolarWinds event has caused intense scrutiny of the exposure of commercial enterprises as well as government agencies to supply chain cyber threats. Well before SolarWinds was publicized, the federal government had increased its regulatory focus on strengthening and securing the federal supply chain with the Cybersecurity Maturity Model Certification (CMMC) framework, which will require companies to have a third-party assessor conduct a cybersecurity audit and issue them the appropriate CMMC certification by 2025 in order to do business with the Department of Defense (DoD).
Given that virtually every DoD contract involves some information that will need to be protected, the CMMC framework will be far-reaching, McCarter & English partner Alexander Major told the Cybersecurity Law Report, and all contractors need to “recognize this, and start to implement these minimum safeguard requirements if they have not already,” he advised.
“Pretty much every single contract is going to generate or create FCI,” which will require the contractor to obtain at least CMMC Level 1 certification, noted Major. “What’s fortunate is that those requirements aren’t much different than what a lot of people do to protect their Wi-Fi from their neighbors, but it will still take some time for them to make sure all of their systems are protected in this minimal way.” A Level 3 certification will be needed by the majority of contractors, however, he added.