In March 2020, Visser Precision Manufacturing confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft of data.” Visser Precision, a Denver, Colorado-based manufacturer, makes custom parts for many industries, including Lockheed Martin, Boeing, General Dynamics, and SpaceX.
Security researchers say the DoppelPaymer ransomware caused the attack, a file-encrypting malware that first exfiltrates the company’s data before encrypting the victim’s computer then exposes the files. The ransomware threatens to publish the stolen files if the ransom is not paid.
The Department of Defense (DoD) has one of the world’s largest supply chains, including thousands of third-party contractors. The vendors and partners represent the weakest cyber link in the nation’s defense infrastructure and present a substantial cyber risk.
In this series of blogs, “Everything You Need to Know About DoD CMMC,” we will discuss the Cybersecurity Maturity Model Certification, known as “CMMC.” Today’s article is about CMMC background.
Third-party Contractors – Weakest Cyber Link
The Defense Industrial Base (DIB) sector consists of companies that contribute to research, engineering, production, delivery, operations, installation, and support services. The cyber actors continue to target the DIB sector and the Department of Defense (DoD) supply chain for intellectual property and unclassified information. These activities significantly increase the risk to national security and threat to national security.
For contractors that engage with the DoD, the CMMC is the new standard to abide by. Per IBM Cost of Data Breach Report 2020, the global average total cost of a data breach is $3.86 million. The nation-state actors caused 13% of the malicious violations, and financially motivated attackers caused 53$. Per Verizon Data Breach Report 2020, 70% of breaches were perpetrated by external actors, and organized criminal groups caused 55% of breaches.
Below are some additional details from Verizon Data Breach Report 2020:
| What tactics are utilized? | Who’s behind the breaches? |
| 45% of breaches featured hacking22% included social attacks22% involved malware17% caused by errors8% of breaches were misuse by authorized users4% of breaches involved physical actions | External actors perpetrated 70% of breachesOrganized criminal groups caused 55% of breachesInternal actors perpetrated 30% of breaches4% of breaches had four or more attack actions1% involved partner actors1% involved multiple parties |
CMMC Background
The attacks described above and the statistics based on Verizon and IBM’s studies are the kind of cyber incidents the Pentagon is trying to prevent through its new CMMC framework. CMMC is a new security DoD framework that holds suppliers accountable for their security postures before engaging in government business.
In 2015, The U.S. Department of Defense published the Defense Acquisition Federal Regulation Supplement, known as DFARS, which mandates that DoD vendors and partners adopt cybersecurity standards according to the NIST SP 800-171 cybersecurity framework. Because of the slow adoption rate of the DFARS 252.204-7012 regulation, the Department of Defense has released the Cybersecurity Maturity Model Certification (CMMC) to ensure appropriate levels of cybersecurity controls, and processes are adequate and in place to protect Controlled Unclassified Information (CUI) on DoD contractor systems.
The CMMC is being created to streamline security practices, making it easier for specific companies who work along the DoD supply chain to maintain cybersecurity compliance. It applies to contractors who work with:
- Federal Contract Information (FCI) – Information provided by, or created for the Government, and is not made available to the public.
Controlled Unclassified Information (CUI) – Information that “requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policy.”