How changes in cybersecurity regulation by the DOD could impact your VRM strategy

file 2 RiskXchange The leader in Third-Party Cyber Risk Management

RiskXchangecan fully assess third-party risk factors to ensure your business complies with specific programs and frameworks.

The Department of Defense (DOD) has launched a relatively new protection mechanism called the Cybersecurity Maturity Model Certification (CMMC), which is a unifying standard for the implementation of cybersecurity across an organisation.

The CMMC has been created to help regulate the cybersecurity practices of the third parties working with government agencies. In light of recent breaches, the DOD has implemented more stringent guidelines on how contractors and third parties need to meet cybersecurity maturity requirements before working within the department’s network.

The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that an associated organisation can adequately protect sensitive, unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

The new CMMC protection mechanism could impact your vendor risk management (VRM) framework.

VRM programs are ultimately concerned with ensuring third-party products, service providers and IT vendors do not result in business disruption or reputational and financial damage. VRM programs have an intricate plan in place for the identification and mitigation of legal liabilities, business uncertainties and reputational damage. They also deal with the monitoring and management of risks resulting from third-party vendors and suppliers of information technology (IT) products and services.

If your organisation works closely with government agencies, then your VRM program must go hand-in-hand and comply with the CMMC framework. Even if your organisation doesn’t work alongside a government agency, it could still benefit from following the same CMMC structure and bolstering security in a similar way.

Dissecting the Cybersecurity Maturity Model Certification

First established in 2019, the purpose of the Cybersecurity Maturity Model is to place contractors into different categories based on their cybersecurity maturity. The model requires independent verification from a third-party evaluator to rank a contractor in various cybersecurity categories. A low cybersecurity maturity model score doesn’t necessarily mean an organisation is prevented from working with the DOD, but public access to the CMMC results mean all of their business partners and future associates can see the inherent risk associated with them. This can affect company standing and influence who does business with them, as a contractor. Here’s what the DOD considers lowest to highest in terms of cybersecurity maturity model rankings:

Level 1:  Basic cybersecurity, limited resistance against data exfiltration. 

  • Practices are performed, at least in an ad-hoc manner.

Level 2: Inclusive of universally accepted cybersecurity best practices, resilient against unskilled threat actors.

  • Practices are documented.

Level 3:Coverage of all NIST SP 800-171 rev 1 controls, moderate resistance against data exfiltration, comprehensive knowledge of cyber assets.

  • Processes are maintained and followed.

Level 4: Advanced and sophisticated cybersecurity practices, resilient against advanced threat actors, defensive responses approach machine speed. 

  • Processes are periodically reviewed, properly resourced, and improved across the enterprise.

Level 5:  Highly advanced cybersecurity practices, machine performed analytics and defensive actions.

  • Continuous improvement across the enterprise.

How to manage third-party risk

With hacks and data breaches on the rise and cybersecurity protection on the agenda, the DOD has made it mandatory for third parties to be certified using the CMMC framework. This ensures that vendors are meeting compliance standards before they are integrated into the DOD network. Once certified, there is a further step necessary for preventing further exploitations through cybersecurity program maintenance and processes. 

Cybersecurity threats are not only evident within organisations that work alongside or are associated with government agencies. It’s a widespread problem where well-funded networks lurk on the systems of most industries and sectors. Although it is a challenging task, it would be beneficial for most organisations to meet the cybersecurity maturity model requirements (or attempt to come close to it).

What can be applied to a third-party risk management strategy

Here are the key points raised by the DOD’s CMMC that can be applied to any organisation’s third-party risk management strategy:

  • Ensure crucial vendors are secure

Key vendors should be held to tighter security standards because they are closest to sensitive data.

  • Set risk-based thresholds

Setting risk-based thresholds for vendors based on the risk they pose to your organisation is similar to determining the level of maturity required for a vendor. 

  • Establish tiers of maturity

Establishing different tiers of maturity will allow you to prioritise your resources on the relevant third parties.

A closer look at a VRM framework

A VRM framework also addresses each step in the life cycle:

  • Qualifying

– Due diligence – Reviewing information security – Review process for staff training and licensing – Benchmarks for evaluating IT products and services – Benchmarks for reviewing financials – Process for obtaining business license documentation, insurance and bonding

  • Engagement

– Reviewing information security – Contracts to include a statement of work, delivery date and payment schedule

  • Reviewing Information Security

– Continuous information security management throughout entire life cycle – Baseline identity access management within third-party vendor – Baseline privileged access management for third-party vendor

  • Managing Delivery

– Scheduling deliverables, timelines and timeframes

– Scheduling receivables, timelines and timeframes

– Reviewing information security

– Establishing and defining physical and system access requirements

– Organisation defines stakeholders responsible for working with third-party vendor

  • Managing Finances

– Establishing an invoice schedule

– Establishing a payment mechanism

– Reviewing information security

  • Relationship Termination

– Revoking physical access of/to the third-party vendor

– Revoking system access of/to the third-party vendor

– Reviewing information security

– Definitions of causes for contract and/or relationship termination

Include cybersecurity requirements within vendor contracts

In order to ensure that all third-party vendors abide by a specific security framework, cybersecurity requirements should be outlined in vendor and partner contracts. These guidelines should outline the basics requirements, like a proven historical cybersecurity performance or an established remediation plan, which is an easy way to gauge a vendor’s risk up front and get help when selecting the right vendor, while securing your organisation at the same time.

How RiskXchange can help

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. We are a respected provider of cybersecurity ratings and can fully assess third-party risk factors to ensure your business complies with specific programs and frameworks. With full visibility over your ecosystem’s entire attack surface in near real-time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks. 

About RiskXchange

RiskXchange provides a powerful AI-assisted, yet simple, automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cyber security risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.  RiskXchange is an information security technology company, which helps companies of all sizes fight the threat of cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies, such as IBM Security.