Cyber security is an important topic for discussion in 2021. Whilst this year's US elections will undoubtedly create some breathing space for regulation, the Senate and the House Armed Services Committee have set an agenda for discussion of CMMC in 2021. CMMC is one component of the drive in the US for supply chain security. With re-shoring, the implementation of Subsection 889(a)(1)(B) of the FY2019 National Defense Authorization Act (NDAA), the release of the interim rule of the Federal Acquisition Supply Chain Act (FASCSA – out for comment), and the ongoing adaptation of the NIST 800 series (53B and 171), there are indications that cyber security standards and supply chain security are on the Federal agenda.
Nine provisions have been added to the fiscal 2021 Defense Authorisation Bill for CMMC, including for the DoD to be level 3 CMMC, which to me places a level of scrutiny over cyber security and its application over the US Defence Industry Base (DIB). Irrespective of the challenges which CMMC faces, there is a direction of travel set for cyber security standards and cyber security deployment in the US which is difficult to ignore, especially given the amount the US spends on Defence, at the last count having commitments of around $1.8trn.