How the CMMC Shows a Greater Focus on Third-Party Risk Management
CMMC & Third-Party Risk Management
Comply or Say Goodbye
If you’re not familiar with the Cybersecurity Maturity Model Certification (CMMC), you’re not alone—but for those of you working for US Department of Defense (DoD) contractors, we recommend reading up on it here. The CMMC is a recent initiative from the DoD that requires varying levels of cybersecurity for all DoD contractors. Any contracting firm, service provider, or systems integrator that wants to hold a DoD contract will be required to have this certification later this. In other words, contractors are required to comply or say goodbye. While rhyming can be fun, this requirement is no joke! The latest CMMC requirements were released at the end of January 2020, so it’s time to get to work.
CMMC also puts a higher importance on how DoD contractors deal with their third-party vendors. When organizations take on any vendor, they are inadvertently increasing risks to their organization. The easy solution to improve your security posture would be to stop using external vendors all together, but that’s just not a realistic solution. Businesses need third-party vendors to function on a daily basis, whether for outsourced payroll, CRM, billing, etc.
Rules That Aren’t Meant to be Broken
When security makes up your entire organization’s focus, like here at MindPoint Group, the need to assess third-party vendors quickly becomes a high priority when working with many of our customers. The definition of “security compliance” can vary greatly depending on who you’re talking to. It’s important to start by assessing your own internal needs and setting the guidelines for future and existing contracts early in the procurement cycle. For example, the CMMC is built on existing Risk Management Frameworks (RMF) such as NIST SP 800-171, NIST SP 800-53, and AIA NAS9933.
While some DoD contractors may attempt to resist the CMMC’s requirements, this will quickly become a major differentiating factor. Furthermore, contractors that use CMMC as an opportunity to take another look into their overall security posture will have a leg up. After all, being proactive with routine re-assessments is a great way to ensure you don’t have regret after-the-fact in the event of a breach. Ask any company that has been subject to a large breach within the last few years, and I can assure you the answer is they wish they had been more proactive with their approach. In order to get started assessing your vendors, you need a partner that knows the compliance landscape and is no stranger to the unique risk that third-party vendors can bring to an organization.
The Future of Compliance
Third-party vendor assessments help shine a light into areas of potential business risk. The CMMC highlights a trend toward increased security for third-party vendors—a trend that we know is not going away any time in the foreseeable future. I like to think that the CMMC is setting the stage for security to be a higher priority among all companies, especially b2b. This shift is causing teams to consider more rigorous onboarding and compliance requirements for all contractors, and subsequently, the vendors of those contractors are going to be exposed to increasingly stringent cybersecurity requirements.
What controls should be put in place for your third-party vendors? MindPoint Group specializes in helping you create a comprehensive program for your risk management. Whether your vendor assessments are part of an audit requirement or a business need, we help you put the proper RMF in place to ensure compliance and lower risk for existing and future third-party vendors.