As CMMC assessments progress, many security vulnerabilities among contractors and subcontractors are coming to light that reconfirm the need for the DoD's comprehensive framework of assessment and remediation.
Companies are now discovering several previously undetected security vulnerabilities as various stakeholders in the defense industrial base (DIB) prepare to meet the necessary CMMC compliance to qualify for future contracts.
Some of these security vulnerabilities include different kinds of prohibited software and undetected hardware devices present on the department’s network.
Mock Assessments Highlight Significant Security Issues
About 30 medium and large defense companies took part in mock contractor assessments last summer as they prepared to meet the necessary CMMC compliance to qualify for future contracts. The mock assessments revealed numerous outstanding security issues that required immediate fixing so as not to jeopardize a company's ability to meet future CMMC compliance.
The mock assessments pointed out some security concerns that may seem harmless but could create significant vulnerabilities. For example, one of the assessments revealed two smart speaker devices placed in sensitive locations. Although this may not sound alarming at first, such poor placement could easily allow sensitive conversations to be picked up by those devices and stolen should they be compromised.
In another example, five unknown wireless devices were discovered, along with unauthorized access points and high-risk platforms in use on computer networks. Other inspections revealed that two networks previously thought to be air-gapped, or closed to public access, were in fact remotely accessible. This cybersecurity violation could have been the result of poor network design or of an accidental misconfiguration.
Foreign Actors Pose a Threat
The assessment inspectors also found 27 traces of files sourced to Kaspersky software on contractors' networks, representing a high risk. Moreover, because Kaspersky is Russian-owned, its use is currently banned for all US government agencies and for all companies doing business with the government, whether defense or civilian contractors. However, at the time of the inspection, Kaspersky software was still in use and widely available.
Further Improvements Still Required
The assessment demonstrated the necessity of tightening security requirements through CMMC certification and audits. Additionally, it highlighted that further improvements are still needed in two areas: better monitoring tools and proper classification of assets.
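The findings above (unknown wireless devices and access points, smart speakers in sensitive areas, residual files from a prohibited vendor, and a supposedly air-gapped segment with a route out) are exactly the gaps an asset-classification and monitoring step is meant to close. The script below is an added example, not code from the article or from any CMMC assessment tool: it reconciles a constructed discovery scan and software inventory against an authorized baseline and returns structured findings. All device names, MAC addresses, paths and segment names are constructed, and the rule that voice assistants are never allowed in the enclave is an assumed organizational policy.

```python
"""Reconcile discovered assets against an authorized inventory.

Added example; all sample data below is constructed and does not come
from any real assessment or network.
"""
from dataclasses import dataclass

# Authorized hardware inventory keyed by MAC address (constructed).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": ("eng-ws-01", "workstation"),
    "00:11:22:33:44:02": ("eng-ws-02", "workstation"),
    "00:11:22:33:44:10": ("core-sw-01", "switch"),
    "00:11:22:33:44:20": ("wap-floor1", "access_point"),
}

# Vendors whose products must not be present; the article names Kaspersky.
PROHIBITED_VENDORS = {"kaspersky"}

# Device types never allowed in the enclave (assumed organizational policy).
DISALLOWED_TYPES = {"smart_speaker"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    category: str   # machine-readable finding type
    detail: str     # human-readable context


def check_devices(discovered):
    """Flag devices missing from inventory, rogue APs, disallowed types and
    inventory entries whose recorded type differs from what was observed."""
    findings = []
    for dev in discovered:
        mac = dev["mac"].lower()
        if dev["type"] in DISALLOWED_TYPES:
            findings.append(Finding("high", "disallowed_device",
                                    f"{dev['type']} at {dev['ip']} ({mac})"))
        if mac not in AUTHORIZED_DEVICES:
            # An unknown access point extends the network boundary, so rate it higher.
            sev = "high" if dev["type"] == "access_point" else "medium"
            findings.append(Finding(sev, "unknown_device",
                                    f"{dev['type']} at {dev['ip']} ({mac}) not in inventory"))
        elif AUTHORIZED_DEVICES[mac][1] != dev["type"]:
            findings.append(Finding("medium", "type_mismatch",
                                    f"{mac} recorded as {AUTHORIZED_DEVICES[mac][1]}, seen as {dev['type']}"))
    return findings


def check_software(inventory):
    """Flag installed products or leftover files from prohibited vendors.
    Matching on the path as well as the vendor catches residual files whose
    installer metadata is gone."""
    findings = []
    for entry in inventory:
        haystack = (entry["vendor"] + " " + entry["path"]).lower()
        if any(vendor in haystack for vendor in PROHIBITED_VENDORS):
            findings.append(Finding("high", "prohibited_software",
                                    f"{entry['host']}: {entry['path']}"))
    return findings


def check_isolation(segments, hosts):
    """A host on a segment documented as air-gapped must have no default route;
    a configured gateway means the segment is reachable from elsewhere."""
    isolated = {name for name, attrs in segments.items() if attrs.get("air_gapped")}
    return [Finding("high", "isolation_breach",
                    f"{h['hostname']} on {h['segment']} has gateway {h['default_gateway']}")
            for h in hosts if h["segment"] in isolated and h.get("default_gateway")]


# Constructed discovery data standing in for a network scan and software audit.
DISCOVERED_DEVICES = [
    {"mac": "00:11:22:33:44:01", "ip": "10.10.1.11", "type": "workstation"},
    {"mac": "00:11:22:33:44:20", "ip": "10.10.1.2", "type": "access_point"},
    {"mac": "AA:BB:CC:DD:EE:01", "ip": "10.10.1.77", "type": "access_point"},   # rogue AP
    {"mac": "AA:BB:CC:DD:EE:02", "ip": "10.10.1.78", "type": "smart_speaker"},  # unapproved device
    {"mac": "00:11:22:33:44:02", "ip": "10.10.1.12", "type": "printer"},        # inventory says workstation
]
SOFTWARE_INVENTORY = [
    {"host": "eng-ws-01", "vendor": "Microsoft", "path": r"C:\Program Files\Microsoft Office"},
    {"host": "eng-ws-02", "vendor": "Kaspersky Lab", "path": r"C:\Program Files (x86)\Kaspersky Lab\KES"},
    {"host": "eng-ws-01", "vendor": "", "path": r"C:\Users\jdoe\Downloads\kaspersky_setup.exe"},
]
SEGMENTS = {"cui-enclave": {"air_gapped": True}, "corp-lan": {"air_gapped": False}}
HOSTS = [
    {"hostname": "cnc-ctrl-01", "segment": "cui-enclave", "default_gateway": None},
    {"hostname": "cnc-ctrl-02", "segment": "cui-enclave", "default_gateway": "10.20.0.1"},
    {"hostname": "eng-ws-01", "segment": "corp-lan", "default_gateway": "10.10.1.1"},
]


def run_all():
    """Run every check over the constructed data and return all findings."""
    return (check_devices(DISCOVERED_DEVICES)
            + check_software(SOFTWARE_INVENTORY)
            + check_isolation(SEGMENTS, HOSTS))


if __name__ == "__main__":
    for f in sorted(run_all(), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.category:20} {f.detail}")
```

In practice the discovered lists come from whatever the organization already has (a switch MAC table, a wireless controller export, an endpoint agent's software inventory), and the authorized baseline is the asset classification the article says is still lacking; the value of the reconciliation is only as good as that baseline, so the first finding most organizations get from running something like this is that the inventory itself is incomplete.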
Companies must begin putting the proper measures in place to ensure that they attain the right level of CMMC compliance if they want to continue doing business with the government. The best time to get started is now, as it takes quite a lot of time, effort, and financial commitment to meet all the newly required data security standards.
Because of the high-risk issues identified by the assessment, one can hardly argue against the importance of the new CMMC. This move will help protect intellectual assets while promoting a safer cybersecurity space.