Since the beginning of the rollout of the Defense Federal Acquisition Regulation Supplement (DFARS) and now the Cybersecurity Maturity Model Certification (CMMC), much of the emphasis on the necessity of these programs has been on protecting national security. Also, the top-down enforcement of these programs has led many DIB suppliers to focus less on the benefits of implementing cybersecurity controls within their organizations, and more on simply trying to “follow the law” so that they can continue to win government contracts — what many of these suppliers depend on to survive.
This article will cover two underemphasized benefits of DFARS and CMMC for DIB suppliers:
- Protection from ransomware, data loss, downtime and liability
- Ability to qualify for cyber insurance
Protection From Ransomware, Data Loss, Downtime and Liability
While protecting national security should be a priority for all DIB suppliers to embrace, additional emphasis might be placed on the fact that the cybersecurity controls in NIST 800-171 will help businesses protect themselves against ransomware, data loss and operational downtime — something that every business (even those outside of the defense supply chain) should be concerned about.
- Ransomware: This is when hackers infiltrate a DIB supplier’s computer systems. Once inside, they can lock all authorized members of the organization out of the data required to keep the business operational. They’ll then demand a ransom in exchange for the keys to unlock the data.
- Data Loss: Even if the ransom is paid, there’s no guarantee that an organization’s data will be fully or partially restored.
- Downtime: Even if organizations have backed up their data in a location that was not infiltrated by hackers, the process of restoring data and getting computer systems back online can take a substantial amount of time, leading to financial and reputational losses.
- Liability: DIB suppliers can be held liable for the damages stemming from the theft of third-party data.
Ability to Qualify for Cyber Insurance
In the past two years, cyber insurance underwriters have significantly stepped up their requirements to ensure organizations have a certain level of cybersecurity solutions in place before they can qualify for cyber insurance. Implementing NIST 800-171 controls will make it easier for DIB suppliers to qualify for cyber insurance, potentially at a lower rate because their cyber risk is reduced.
Why would DIB suppliers need cyber insurance? While having cybersecurity controls in place substantially reduces the risk of cyber criminals wreaking havoc on a business, it does not 100% guarantee that a cyber breach will not occur. People within organizations make mistakes or can be malicious. Having cyber insurance can help organizations recover from the financial loss when all else fails.
Next Steps…
If your organization offers products and services to the DoD, then implementing NIST 800-171 is on your list of to-dos. For organizations that would like to pursue implementation themselves, read our guide to CMMC compliance. If you lack the resources to implement controls yourself, consider outsourcing the task to a CMMC consultant, like SysArc. We’ve consulted with over 1,000 DIB suppliers on complying with DFARS and helped them prepare for CMMC.