What You Need to Know About the DOD’s New Cybersecurity Certification Model for Contractors

Max Emelianov, CEO, HostForWeb

The U.S. Department of Defense has unveiled a new cybersecurity certification model to the public. The model, according to the DOD, will bring the agency in line with established cybersecurity best practices. It’s quite thorough – and other organizations could actually learn a great deal by looking at it. 

Earlier this month, the U.S. Department of Defense officially unveiled the latest draft of its Cybersecurity Maturity Model Certification (CMMC). According to the Federal News Network, the model is meant to enhance cybersecurity across the agency. Primarily, it is focused on the supply chain, which, as you might recall, is consistently one of the most significant cybersecurity challenges in the enterprise.

And one of the most difficult to address. Today’s supply chains are almost overwhelmingly complex, particularly for larger agencies and corporations.  I’m talking about countless contractors, business partners, vendors, manufacturers, and suppliers.

Any of them could be the source of a data breach. Any of them could serve as a point of entry to your network. Any of them could represent a significant threat to your business’s data, and their systems, staff, and security practices are outside your direct control.

For an agency such as the Pentagon, which routinely deals with matters of national defense, that is a sobering thought. It contracts with thousands of companies, many of which subcontract some of their work to other organizations, so the agency often has no direct relationship with the firms actually handling its data. It is no surprise that it has been attacking the matter of supply chain security with such fervor.

But will the new certification model actually achieve its desired goal? 

It’s difficult to say. On the one hand, it does present some excellent ideas. It establishes a comprehensive set of guidelines covering virtually every facet of cybersecurity within an organization, from access control and asset management through to security assessments, audits, and training.


Rather than a simple pass/fail mark, the model defines five maturity levels, from 1 (the lowest, basic cyber hygiene) to 5 (the highest). A contractor is certified at a single level, and each successive level adds practices and process requirements across every domain.

I am not going to go into too much depth here; the model is, after all, still a work in progress. What I will say is that it establishes a strict set of requirements that organizations wishing to work with the DoD must meet, and verifies them through certification rather than self-attestation. Presumably, these are all security practices that the agency itself adheres to.

That’s the first lesson of this model – hold your suppliers and vendors to your own standards, or don’t work with them.

Even so, the agency is still looking for ways to secure, visualize, and retain greater control over its supply chain. Currently, Lockheed Martin and the Missile Defense Agency are working together on a dashboard that will let the agency see exactly where protected information resides among its contractors. And therein lies our second lesson.

Processes and certifications alone cannot protect data; they reduce the likelihood that sensitive data will be compromised. If you truly want to keep your information safe as it moves through the supply chain, you also need a means of controlling and monitoring that information wherever it resides: knowing which suppliers hold it, on which systems, and who can access it, so that a gap can be found and closed rather than discovered after a breach.

It remains to be seen whether this new model will achieve its desired goal, or whether it will, as some have worried, simply add another layer of complexity atop an already complex series of licenses and requirements. As it stands, though, it at the very least offers a sound framework for how you can approach your own supply chain: define the standard, require suppliers to demonstrate they meet it, and keep track of where your sensitive data actually lives.
