This article covers two underemphasized benefits of DFARS and CMMC compliance for DIB suppliers:
- Protection from ransomware, data loss, downtime and liability
- Ability to qualify for cyber insurance
Protection From Ransomware, Data Loss, Downtime and Liability
Protecting national security should be reason enough for every DIB supplier to embrace these requirements, but there is a more immediate business case: the controls in NIST SP 800-171 (access control, audit logging, incident response, backup and recovery, among others) directly reduce a company's exposure to ransomware, data loss and operational downtime. That is a concern for every business, including those outside the defense supply chain.
- Ransomware: Attackers gain a foothold in a DIB supplier's network, often through phishing, weak remote-access credentials or an unpatched system. Once inside, they encrypt the data and systems the business needs to operate, locking out authorized users, and demand a ransom in exchange for the decryption keys. Many ransomware operators now also steal data before encrypting it and threaten to publish it if the ransom is not paid.
- Data Loss: Even if the ransom is paid, there is no guarantee that the organization's data will be restored in full, or at all; decryption tools supplied by attackers are frequently incomplete or defective.
- Downtime: Even when an organization has backups stored where the attackers could not reach them, restoring data and bringing systems back online can take days or weeks, leading to financial and reputational losses. Regularly testing the restore process, not just the backup job, is what keeps this window short.
- Liability: DIB suppliers can be held liable for damages stemming from the theft of third-party data in their care, including customer, partner and government information such as CUI.
Ability to Qualify for Cyber Insurance
Over the past two years, cyber insurance underwriters have significantly tightened their requirements, and organizations now have to demonstrate that specific controls are in place before they can qualify for a policy (for example, multi-factor authentication on remote access and email, endpoint detection and response, and tested offline backups). These overlap heavily with NIST SP 800-171, so a DIB supplier that has implemented the standard will find it easier to qualify for cyber insurance, potentially at a lower premium because its measured risk is lower.
Why would a DIB supplier with good controls still need cyber insurance? Controls substantially reduce the risk of a successful attack, but they do not guarantee that a breach will never occur. People inside the organization make mistakes or act maliciously, and no set of controls covers every case. Cyber insurance helps the organization absorb the financial loss when all else fails.
Next Steps…
If your organization offers products or services to the DoD and handles controlled unclassified information (CUI), implementing NIST SP 800-171 is on your to-do list. If you would like to pursue implementation yourself, read our guide to CMMC compliance. If you lack the resources to implement the controls in-house, consider outsourcing the task to a CMMC consultant, like SysArc. We've consulted with over 1,000 DIB suppliers on complying with DFARS and helped them prepare for CMMC.