The United States’ Department of Defense have noted that small businesses are under threat, with foreign nation states targeting them in order to infiltrate. The DoD reported this recently, adding that there must be more security of small businesses, as well as contractors that deal with cyberthreats.
Katie Arrington, the Secretary of Defense for Acquisition for Cyber’s Special Assistant, said that the US is losing in terms of cyber security, when she spoke at an event hosted by the AFCEA. She says that these adversaries, and their attacks cost the US about $600bn annually, which she notes will multiply when 5G rolls around, thanks to its capability to handle near-unlimited bandwidth. Arlington reports that, in response, the DoD’s latest cyber security maturity model certification (CMMC), has small businesses in mind during its development.
The CMMC is the framework that the DoD uses to grade a company’s cyber-security level, on a five-point scale, with one being the least secure, and five being the most secure. The new framework will require small US businesses to get their system checked and graded by the DoD, based on the purpose of the system and the nature of their business.
Simply put, a business that works on janitorial services or the like will only need to comply with the first level of the CMMC, compared to level 3, which amounts to the NSIT 800-171, or level 4, which is only used for exquisite systems that deal with major information.
Arrington notes that, in the past, the system that the US’s small businesses had to comply with was only two-tiered, which allowed companies to get a Plan of Actions & Milestones (POA&Ms) after complying with only 80 controls. She says that the US’s adversaries could just intrude and invade systems while the POA&Ms were being worked on.
Some in the market have noted that these new requirements from the CMMC might help with external forces, it could damage smaller companies pretty hard, to their detriment, with some saying that it might create entry barriers in the markets, limiting them, and reducing the number of competitors, which always happen to the detriment of the businesses, as well as the customers.