Proper Cyber Hygiene is Good Practice for Every Business
Cybersecurity is nothing new to the business realm, but have we put enough focus on securing our greatest assets? In the wake of the Covid-19 pandemic, we’ve seen a paradigm shift in how businesses–at their very core–can and should function. There’s been a hard push for more virtual and digital services, and with the continued advancement of digital technologies we’re going to see a rise in associated risks. According to the Cybersecurity and Infrastructure Security Agency (CISA), “the COVID-19 pandemic has led critical infrastructure entities to increase their use of remote-based technologies for industrial control systems [which has] created a larger ‘attack surface’—that is, more points in a network that attackers can try to enter.” The advent of the digital age was only the tip of the iceberg as businesses shift more and more to a virtual and hybrid workplace model. “The convergence of cyber-physical technologies and systems that deliver our critical functions—from manufacturing to healthcare to transportation and beyond—means that single events can manifest in the loss or degradation of service across multiple industries,” reported CISA. There’s been a recent resurgence of interest in civil-cyber defense, as the pandemic shed light on many of the insecurities our supply chain faces. Essentially, what CISA is saying is that any breach in the supply-chain can cause catastrophic effects across many, if not all, industries.
With businesses shifting more and more toward remote and hybrid employment models, these areas offer the biggest opening to cyber threats, as employees use company devices on unsecured networks.
The Department of Justice (DOJ) reported that the FBI was actively investigating over 100 variants of ransomware responsible for causing over $1 billion in losses to victims, and in the previous calendar year the Internet Crime Complaint Center (IC3) received a total of 959,584 complaints [of internet crimes] with losses totaling over $21 billion–so the biggest threat to American businesses and manufacturers in 2023 is undoubtedly the threat of cyber crime.
Lisa O. Monaco, Deputy Attorney General, says that the cyber threat “has exploded. It has become more diffuse, more sophisticated, more dangerous than ever before.”–and for American businesses, it’s time to start taking real steps toward securing their enterprise.
WHAT IS CMMC 2.0?
Cybersecurity Maturity Model Certification (CMMC) 2.0 is the gold standard for ensuring your organization is secure against cyber threats. It’s a complex and rigorous process that determines how securely your organization creates, handles, and disseminates Controlled Unclassified Information (CUI). If your organization is certified as CMMC 2.0 compliant, then you have a competitive edge on your competition, not only in the Defense Industry but across most other industries as well. The perks of CMMC 2.0–as opposed to the original model–offers a simplified and streamlined version of compliance that truncates the original model from five levels to three levels. The new levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Level 2 (Advanced) is similar to the original Level 3 in that businesses at this compliance level must securely store and share CUI—which is information that is created or owned by the government that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.
CUI is not classified information, and it’s not corporate intellectual property unless it was created under the umbrella of a government contract. If your company works for the DOD in a capacity that requires the handling of CUI–either as a prime or subcontractor–then you will be required to achieve at least a Level 2 certification. Meeting Level 2 requirements has been streamlined with CMMC 2.0, as the DOD has dropped the 20 security controls that were added with version 1.0 and aligned the standards in 2.0 with the 110 controls found in NIST 800-171 (National Institute of Standards and Technology, a subdivision of the U.S. Department of Commerce)–which is tasked with protecting CUI in Nonfederal Systems and Organizations.
WHY YOU NEED IT
Whether your business encompasses Food Processing, Life Sciences, Medical Devices, Chemical Manufacturing, or Department of Defense (DoD)–proper cyber hygiene is good practice for all businesses. Any threat to the supply chain will inevitably affect the ebb and flow of products and materials across the entire economy, so it’s important that every industry begin safeguarding its vital information and resources. Dave Visalli, Senior Account Manager and Cyber Security Specialist at the New Jersey Manufacturing Extension Program (NJMEP), weighed in on who is affected by cyber crime most:
“[Regardless of industry sector] it’s important to have an understanding of your environment and your vulnerabilities to protect your enterprise, especially if you’re dealing in intellectual property, chemical formulation, or HIPAA–because of the intellectual property, those are [the businesses] at highest risk. Small to medium-sized [businesses] are the most vulnerable because they don’t really have the infrastructure in place to be cyber secure. They don’t have the time or resources to ensure proper cyber hygiene, so they’re most vulnerable–and there are a lot of them in New Jersey. There are a lot of manufacturers that are involved in the life science, chemical manufacturing, [and] department of defense spaces–upwards of 3,000.”DAVE VISALLI, SENIOR ACCOUNT MANAGER AND CYBER SECURITY SPECIALIST – NJMEP
If you count yourself among the thousands of manufacturers that call New Jersey home, then this is an appeal to you to review your cyber security protocols and systems–even more pressing so, if you are a prime or subcontractor, because the DOJ is not mincing words about the necessity of cybersecurity compliance in the private sector. In the past, businesses could simply offer Plans of Actions and Milestones (POAM) as collateral for accepting DOD contracts, without having to actually take steps to ensure that the policies were put into action–but no longer. CMMC 2.0 is a new measure that’s indicative of the sentiment that the DOJ means business. Lisa Monaco, Deputy Attorney General, says that “holding contractors accountable for their cybersecurity promises will enhance resiliency against cyber intrusions across the government, the public sector and key industries [like manufacturing].”
WHAT’S AT STAKE
The Federal Government is no longer going to take POAMs at face value. When Lisa O. Monaco gave her Keynote Address this past July at the International Conference on Cyber Security, she affirmed that sentiment by stating that the Civil Cyber-Fraud Initiative (CCFI)–which was launched in 2021–would apply the DOJ’s traditional expertise and would “hold accountable those companies that contract with the federal government and receive federal funds, but fail to follow required cybersecurity standards.” This area is mostly a warning call to any prime or subcontracting manufacturers that are working with the DOD. If you fail to meet CMMC 2.0 compliance once the initiative is finalized and ratified into law, then you can expect to lose any existing DOD contracts you previously held–or worse, if you don’t tie up the loose ends in your POAM, you could also be prosecuted by the DOJ for misrepresenting your organization’s cybersecurity compliance. Already, the CCFI has resulted in one such defense contractor being liable for paying $9 million to resolve allegations that it misrepresented its compliance with cybersecurity requirements in DOD and NASA contracts.
While DOD contracting and CMMC 2.0 compliance may not feel applicable to your business if you operate outside the defense sector, another area you should consider is Cyber Insurance Liability. The U.S. Government Accountability Office (GAO) compiled a report this past July that discusses cyber threat liability and its effects on insurance premiums.
The cost of cyber insurance is based in part on the frequency, severity, and cost of cyberattacks, all of which have been increasing. The uncertainty about future threats also plays a role, and insurers have become more selective about who and what gets covered.
So, while your business’s potential to earn may not be affected by these recent changes in cyber compliance statutes, you could find yourself holding the bag when–most likely not if–you experience a cyber breach; and most likely you won’t be able to rely on cyber insurance liability. Reports from GAO show that between 2017-2020 Cyber Insurance Premiums increased nearly 12%, and that number is expected to continue to climb as claims increase.
Regarding an increase in cybersecurity incidents, the FBI analyzed data reported between 2016-2021 and realized that cybersecurity incidents involving the most common types of incidents (business email, data breach, denial of service and distributed denial of service, and ransomware) increased nearly 27% in the past 5 years, with an associated increase in total cost from $470 million in 2016 to more than $2.5 billion in 2021. With the incessant rise of cybersecurity incidents, if you’re not increasing your organization’s cybersecurity controls and parameters, then you’re not protecting your enterprise. Cybersecurity is an ever-evolving landscape and it requires renewed vigor and enthusiasm if you plan to continue operating in the manufacturing space in New Jersey, domestically, and abroad. You will need to take the necessary measures to rise and meet the challenge, and luckily enough, you’re not alone in the dark on this one.
GETTING STARTED WITH CYBER HYGIENE AND CMMC 2.0
While the process itself is daunting and may leave you feeling as though you don’t know where to start, there are several resources available for manufacturers considering revisiting their cybersecurity protocols and practices. The process of reaching CMMC 2.0 compliance itself requires a NIST 800-171 self-assessment, which results in scoring that’s later posted in the Suppliers Performance Risk System (SPRS) database. Then, contracting officers–from the DOD–can check this database prior to contract award or exercising an option year to ensure the self-assessment is complete. Finally, a score is posted and a POAM is made available to close any gaps found in the self-assessment. However, it doesn’t stop there with the self-assessment. Contract Requests for Proposal will soon be requiring CMMC compliance to be considered for award. The CMMC level will depend on the contract and the type of work the business will be involved in. Bringing your business up to CMMC compliance is a daunting task for a Firm that isn’t in the Cyber Security business and will require a credible, experienced partner to get you across the finish line.
“We come in, perform an assessment, we help you understand your environment, the vulnerabilities, the gaps, and we put together a Plan of Actions and Milestones–a POAM–to help you get fully secure.”DAVE VISALLI, SENIOR ACCOUNT MANAGER AND CYBER SECURITY SPECIALIST – NJMEP
In the past year, NJMEP has helped two New Jersey-based manufacturers hit the ground running with CMMC compliance. In 2022 Dave worked with General Technical Services, LLC to achieve level 2 CMMC Compliance and helped them retain contracts valued in excess of $15 million, and more recently has undertaken the task of bringing Wireless Telecom Group up to compliance through 2023.
YOU’RE NOT ALONE
While CMMC 2.0 compliance might bring with it heavy costs and an arduous certification process, there are some upsides for smaller businesses that fear that the costs will put them at a competitive disadvantage. Namely, one of the details in the CCFI ensures that “companies that follow the rules and invest in meeting cybersecurity requirements are not [going to be put] at a competitive disadvantage.” While the sentiment is there, there’s no concrete foundation as to how the DOJ plans to enforce that idea. In the meantime, small to medium-sized businesses should take inventory of their resources, begin understanding their environment, and take the initial steps at addressing their cyber hygiene shortcomings–that way they’re not left holding the bag once these statutes and protocols are enacted. That’s where the New Jersey Manufacturing Extension Program can help.
“For the small to mid-size company that doesn’t have the resources to do that, we’re experts at that. We understand their environment, we go through everything with them, we help them write that POAM, and we can give them periodic guidance on how to get there–or, we can step in and help them get to those milestones.”DAVE VISALLI, SENIOR ACCOUNT MANAGER AND CYBER SECURITY SPECIALIST – NJMEP
It’s time to stop thinking of cyber hygiene as something theoretical or hypothetical, or something amorphous–it’s something businesses and manufacturers need to start considering as a necessary area of their operations, regardless of cost. Think of cybersecurity certification and CMMC compliance as another feather in your cap in terms of the level of security and prestige that your organization or business model can offer prospective clients and customers. In the end, if you’re not tied to DOD contracts or you feel like CMMC compliance isn’t worth the cost or efforts, Dave Visalli affirms that at the end of the day “[You need to] protect your enterprise, protect your business–what you’ve worked so hard to build. You’ve achieved a level of success as a business and you owe it to your enterprise and your customers to protect what you’ve built. When you do those things you not only secure [your business], your employees, your customer, your supply chain–you become a better partner for prospective customers that you can do business with in the future.”
Be sure to subscribe to NJMEP’s Manufacturing Matters magazine and stay up-to-date with the latest manufacturing news, industry developments, and events like State-of-the-State taking place on May 4th. NJMEP’s State-of-the-State of Manufacturing Summit brings together manufacturers, STEM Firm executives, and NJ elected officials in order to highlight and discuss industry-critical challenges within the manufacturing sector. Be there and be heard, May 4th!