Introduction
Yesterday, the Cybersecurity Maturity Model Certification (CMMC) program, governed by 32 CFR Part 170, officially went into effect, bringing a significant change to defense contracting. Under this new rule, defense contractors must undergo assessments by a CMMC Third-Party Assessment Organization (C3PAO) to qualify for contracts containing the associated clause.
The inclusion of a third-party verification mechanism, considered aggressive by some, was introduced to address deficiencies in the self-attestation compliance process implemented under DFARS 7019. While CMMC’s approach is relatively uncommon, it may signal a broader trend for future regulatory frameworks.
It’s no secret that the impact of cybercrime is steadily increasing. Some estimates project the global cost of cybercrime to reach $10.5 trillion by 2025, a significant jump from $3 trillion in 2015. International conflict and geopolitical tensions further underscore the urgent need for stronger cybersecurity measures. In response, the global trend is moving toward stricter cybersecurity regulations and standards designed to mitigate escalating threats.
The FAR CUI Rule
One example of the growing emphasis on cybersecurity regulations is the anticipated FAR CUI rule, which recently passed regulatory review at the Office of Information and Regulatory Affairs (OIRA) and is expected to be released soon. This rule represents a significant expansion in scope, requiring all federal contractors handling any category of Controlled Unclassified Information (CUI) to implement NIST 800-171 controls.
While it remains uncertain whether third-party verification will be required, the rule signals the government’s increasing commitment to cybersecurity. Even if third-party verification is not initially mandated, it may well become a requirement over time. CMMC arose from the inadequacies of self-attestation, and other agencies may follow this approach in the future.
Other Regulations
In addition to the FAR CUI rule, there is a clear global trend toward stricter cybersecurity regulations, reflecting a universal concern for the security of information and IT/OT systems. While many of these regulations currently do not require third-party verification, it would not be surprising if this became the norm in the future. As with any risk, stakeholders seek assurance that it has been effectively mitigated. Given the limitations of self-attestation in providing such assurance, third-party verification of cybersecurity controls could become the standard.
About Component Products Corporation
Component Products Corporation (CPC) is an aerospace and defense machine shop in operation since 1967. Over the last several years, we have invested significantly in technology and processes to meet the stringent cybersecurity standards within our industry. We are currently in queue for a CMMC Level 2 assessment, demonstrating our commitment to meeting our customers’ compliance requirements. Contact us today for more information.