White papers: Looking for solutions

Cybersecurity Maturity Model Certification (CMMC)

Presentations

NATO Life Cycle Management Group – January 26th 2021 (Public release)

The management of the life cycle (LCM) of defence systems, from the drawing board through manufacture, deployment, maintenance and removal from service, requires careful consideration by both the defence industrial base (DIB) and the end user. US DoD cyber security requirements defined by the Cybersecurity Maturity Model Certification (CMMC) affect how CUI data is managed by the DIB. For LCM this means the creation, storage and usage of CUI through the whole life of any component part of a US defence system.

The programme requires the implementation of NIST SP 800-171 and CMMC cyber security practices, and certification to the CMMC Level the contract demands (Level 1 to Level 5).

White Papers

CMMC - The complex road ahead following the IFR
The challenges and opportunities for companies complying with the US DoD's requirements

The international Defence Industrial Base (DIB) is an important contributor to the US DoD, and the CMMC programme will have an impact on the international supply chain. In this paper we discuss the Interim Final Rule which came into effect on the 1st December 2020, the two-part approach adopted by the DoD for the deployment of NIST SP 800-171 assessments and CMMC, and the implications for companies across the DIB, with some practical examples of what to do to start the compliance process.

The DFARS Balancing Act

An important read if you are interested in cyber regulation and supply chain security. CMMC has been on the radar for many months. The release last week of the interim rule, together with the 'unpublished' release by the Federal Government of DFARS: Assessing Contractor Implementation of Cybersecurity Requirements for public comment, is a pivotal moment for the deployment of cyber security standards within the US DoD supply chain and more widely. This paper pulls together some of the salient points raised by the Interim Final Rule and bridges the gap between CMMC deployment and regulation.

CMMC: an international perspective

It won't be long before the draft DFARS text for the US DoD CMMC programme is released for public consultation. Whilst no one knows what it will say, the MoU between the Department of Defense and the CMMC AB is in the public domain. The first round of training for CMMC provisional assessors has taken place and deployment of the standard is widely discussed in the US. For international contractors the standard will have a profound effect on how trade, specifically procurement, takes place with the US. Whilst the first phase of CMMC regulation is firmly focused upon the Department of Defense, other Federal Agencies have already added CMMC requirements to their own procurement requirements, and this is expected to gain momentum over the coming months as CMMC makes its way into further procurement policies.

The paper outlines the history of CMMC and some of the opportunities and potential issues which companies will face as the model is deployed.

Board governance

The elephant in the boardroom

Cyber is one of the biggest non-financial risks boards deal with today. By any measure it has been shown to have a significant impact on an organisation's financial statements. Cyber carries costs on both sides: the cost of securing the organisation against attack and the cost of remediating a successful one. Cyber is an enterprise-wide risk; wherever data is created, transmitted or consumed, cyber is a risk. Whether that data is CUI, FCI, PII or corporate IP, its damage, loss or destruction has a cost. Is this a risk requiring board oversight and assurance?

Securing the corporate balance sheet

Cyber security has evolved. For many years it was seen as the responsibility of the IT department and the CIO. Cyber is an enterprise-wide business risk, demonstrated by the impact of an attack on corporate financial statements: the costs of deploying security solutions and of remediating incidents hit P&L, cash flow and the balance sheet. The conversation around the board table has traditionally been a technology conversation. It has to become a business conversation, managing a risk which touches the physical and logical footprint of any organisation.

Professional standards

Setting professional standards for cyber security

Cyber security is a complex capability to manage. International frameworks and standards such as ISO 27001 (114 Annex A controls in the 2013 edition) or NIST SP 800-171 (110 requirements) each identify well over a hundred practices which should be applied to manage cyber risk. Whilst there are over 120 cyber-related qualifications, there are no professional standards by which a board can assess the capability of its cyber leadership, as there are in finance, law, engineering or medicine. How does the chairman or CEO assess the capabilities of their CISO?

Chartered Security Professional (CSyP)
The Institution of Mechanical Engineers (IMechE), the UK's largest professional body representing Mechanical Engineers and Chartered Engineers
Security Institute (MSyI)
Worshipful Company of Security Professionals
Academy of Experts