At the beginning of March 2020, Fifth Domain reported that Colorado-based aerospace, automotive and industrial parts manufacturer Visser Precision LLC had suffered a DoppelPaymer ransomware infection. Those behind this attack ultimately published information stolen from some of Visser’s customers. Those organizations included defense contractors Lockheed Martin, General Dynamics, Boeing and SpaceX.
As the attack discussed above illustrates, digital threats like DoppelPaymer threaten to weaken the federal government’s supply chain by targeting contractor organizations. At best, these contractors will undertake lengthy investigations and ultimately be required to make difficult, and potentially costly, decisions in order to minimize the damage of these sophisticated attacks to themselves and their government customers. At worst, these attacks will expose information that compromises national security.
It’s therefore no wonder that the U.S. government is pursuing several initiatives in an effort to better secure its supply chain. Two of the most prominent of these efforts are SP 800-171, Revision 2 and the Cybersecurity Maturity Model Certification (CMMC).
SP 800-171 Rev. 2
On February 21, 2020, the National Institute of Standards and Technology (NIST) released the final draft of SP 800-171, Revision 2, entitled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.” The motivation for this publication is the understanding that controlled unclassified information (CUI) residing on non-federal systems could limit the U.S. government’s ability to effectively fulfill its missions and business operations if not properly secured.
In December 2017, all DoD contractors that handle, process or store sensitive types of government information were required to comply with the security controls described in NIST 800-171, Rev 1. Revision 2 of the Requirement provides agencies with updated guidance that they can use to secure CUI on systems and organizations outside of the federal government. These updates include some minor editorial changes to Chapter (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/government/cmmc-sp-800-171-rev-2/