Part 2: Cyber Hygiene Made Public – A Necessary Evil?

In part one of this series, I addressed what DoD contractors could be doing to prepare for the CMMC security level rating. In part two of the series, I want to discuss our customers’ concerns about the possible impacts of having their company’s security rating made public.

According to the CMMC FAQ, all companies conducting business with the DoD must be certified (not just those who handle CUI), and the level of certification for each company will be made public. How will the public disclosure of cyber hygiene ratings change the way companies do business? Will this be a motivating factor for contractors to improve their security posture or a demotivator to pursue government business?

I personally believe that this will be a motivation for companies to improve their security posture – and if it is not, it should be.

Whether you are pursuing business from the government or from a commercial entity, being able to produce a third-party assessment of your organization’s cyber hygiene will likely become an essential requirement of doing business.

As enterprises adopt cloud services and create complex integrations to deliver products and services, awareness of the security of their supply chain is going to be critical. When an organization looks to add new products and services to its supply chain, it is going to want to know how secure those vendors are. When a vendor is breached, organizations will quickly need to find out whether that vendor is part of their supply chain. Cyber insurance providers are going to look to measure cyber hygiene in order to determine premiums.

Of course, the size of the company must be taken into consideration when it comes to the burden an organization is able to bear in order to (Read more...)