“Change is the only constant.” That is an idea we accept in both our own lives and the world of technology. Within the technology space, cybersecurity and IT compliance requirements are continually evolving, and it seems like defense contracting cybersecurity standards and privacy regulations are evolving most rapidly at this time. As someone who helps clients with these matters on a daily basis and continuously works to stay up-to-date on happenings in the cybersecurity industry, I can only imagine how difficult it is for organizations that look at security as just one more item on their to-do list to stay informed of changing requirements.
The Defense Federal Acquisition Regulation Supplement (DFARS) has been a requirement for contractors doing business with the United States Department of Defense (DoD) for some time. The goal of DFARS has been to protect the DoD supply chain, including Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and Controlled Defense Information (CDI). DFARS has been around since 2016, and has required defense contractors to show that they have their security house in order AFTER a contract has been awarded. Depending on the bid, some organizations simply needed to self-assess against the 110 controls of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and submit a “System Security Plan (SSP)” and a “Plan of Action and Milestones (POA&M).” In some cases, organizations would be asked follow-up questions by the Defense Contract Management Agency (DCMA), or an on-site DCMA audit could be required. Ultimately, DFARS has not gained the adoption that the DoD would have liked, and many viewed the requirement as not having a lot of teeth behind it. Because of these reasons and others, the DoD has recognized that something better is needed.
The DoD will be moving to the Cybersecurity Maturity Model Certification (CMMC). The main difference between DFARS and CMMC is that, with CMMC, compliance has to be shown BEFORE a contract can be awarded. Also, a self-assessment will no longer be an option; compliance will need to be validated by a certified CMMC Third Party Assessment Organization (C3PAO). A CMMC audit will be pass/fail, and an organization must be fully compliant with every requirement to pass. There will be five levels of CMMC compliance, with Level 1 being the most basic and Level 5 being the most complex. All contractors, including prime contractors (“primes”) and their subcontractors (“subs”), must achieve the CMMC certification level specified in the contract of work, and they must maintain that level for the duration of the contract. As you can imagine, the largest primes and their subs will likely need to achieve Level 5 compliance (171 requirements). Level 3 compliance (130 requirements) will likely apply to the majority of the other entities who are handling CUI.
CMMC will be fully in place sometime between now and 2025. DFARS has undergone some recent changes and will continue on for some time, at least until CMMC is fully implemented. I tend to believe that other government agencies will begin to adopt CMMC (or something like it) in the coming years. I also believe that this will extend beyond the US government, perhaps to US allies and their supply chains.
It seems like an increasing number of government bodies recognize the need to enforce protections around personally identifiable information (PII), such as Social Security numbers, driver's license numbers and other sensitive data, to safeguard against identity theft and the misuse of personal information.
While three states have legislation in place, and more than 20 others have legislation in process, it shouldn’t be surprising that the US state at the forefront of privacy regulations is California, a state synonymous with technology. California passed the California Consumer Privacy Act (CCPA) into law in 2018, and CCPA became fully enforceable on July 1, 2020. CCPA seeks to protect the identities of the individuals it governs. California also just passed the California Privacy Rights Act (CPRA) into law in November 2020. CPRA will make some immediate changes to CCPA and will create an entirely new state government agency known as the California Privacy Protection Agency. CPRA will go fully into effect on January 1, 2023.
In short, if a for-profit organization has $25 million or more in annual revenue, impacts the privacy of 100,000 or more people or households, or generates 50% or more of its revenue through selling or sharing personal information, it must be compliant with the CCPA. While the laws themselves do not contain a security checklist to follow, there are standards, such as the NIST Privacy Framework, that organizations should seek to adopt. Doing so will help them meet many of the current and future privacy regulations.
Some are suggesting that the CPRA will be adopted by other states and will be viewed along the same lines as the European Union’s General Data Protection Regulation (GDPR). Obviously, we’ll have to wait and see. However, I believe that a time will come when individual states will no longer be able to handle privacy in their own separate ways.
The Bigger Picture
While these changes, to a certain extent, are intended to be proactive, the unfortunate reality is that the security industry finds itself in a reactive mode on a regular basis. The increasing number of events related to next-generation malware and advanced persistent threats (APTs), such as the recent SolarWinds breach event, are forcing the industry, governments and those in positions of influence to put more effort into meeting security challenges head on.
How is your organization tackling the ever-evolving IT compliance landscape? How are you preparing for the next generation of security threats? Sikich has helped many organizations over the years in complying with DFARS, the NIST Privacy Framework and numerous other regulations and standards. Sikich’s team of experts stands ready to assist in your cybersecurity journey.