By Eric Byrd, KY APEX Accelerator Procurement Consultant
This article was originally published in our monthly KY APEX Accelerator Newsletter. If you have any questions about this topic, your KY APEX Accelerator consultant is here to help! Not a client? Sign up here.
In today’s world, many business operations depend on networks. Connecting those networks to the internet allows system updates, data transfer and various other services that are vital to operating a business efficiently. This migration toward network-based and cloud-based data has been accompanied by a proliferation of cyberattacks and other forms of cybercrime in recent years.
While many small businesses may believe they are not large enough to be victims of cybercrime, statistics reveal that this line of thinking is inaccurate. In 2022 alone, businesses located in the United States saw 1,802 data breaches that exposed 422.14 million records (Statista). Both large and small businesses were victims of these breaches, which originated both within the United States and overseas. According to the Identity Theft Resource Center (ITRC), approximately 73% of small business owners in the US reported a cybersecurity incident in 2022.
Knowing how to protect your physical facility, printed information and employee safety is an important part of day-to-day business functions. In the same way, cybersecurity means having a general understanding of how to keep computer systems and electronic data safe from outside threats. This includes regularly reviewing risks and proactively pursuing protective or mitigating measures. It also encompasses safeguarding information about customers, employees, proprietary secrets and other confidential data. Cybersecurity should be a top priority for any business in today’s interconnected world.
While final requirements have not yet been released, it is likely that if you hold a federal contract, there will be cybersecurity requirements you must follow. The federal government is the largest purchaser of goods and services in the world, so it is understandable that it requires its suppliers to maintain a secure cyber platform for the safe transfer of data. Federal solicitations issued in 2024 are expected to list cybersecurity requirements drawn from the Federal Acquisition Regulation (FAR).
How elaborate will your cybersecurity need to be as a government contractor? As with most government requirements, it depends. If you are a manufacturer that provides products to the Defense Industrial Base (DIB) and must access technical files, there will be more stringent requirements in place than those for a business that sells paper. However, your company’s cybersecurity guidelines will mainly depend on the requirements of handling Controlled Unclassified Information (CUI).
To be clear, CUI is not classified information; classified information is handled under a completely different level of security. CUI is defined as government-created or government-owned information that requires safeguarding or dissemination controls consistent with government policies. Since this is not classified information, you may be wondering why it matters. CUI has fewer controls than classified information, which may create an easier path for our adversaries to steal, copy or intercept information pertaining to our national security. To combat theft of valuable information, starting in 2024, all manufacturers that support the DIB will be required to certify their cybersecurity based on the requirements of the Cybersecurity Maturity Model Certification (CMMC).
The CMMC program was designed by the Department of Defense (DoD) to enforce protection of sensitive unclassified information that is shared with defense contractors and subcontractors (Defense.gov). The type of information you have in your possession will determine which level of CMMC you are required to obtain. As of 2023, CMMC is not yet required. However, there is a strong indication that in early 2024, DoD will begin to include CMMC requirements in its solicitations. Today, a self-assessment of your cybersecurity practices is required. The requirements assessed are outlined in NIST Special Publication 800-171. How your business practices handle CUI as it moves within your organization will determine your score on the NIST SP 800-171 self-assessment.
There is a lot of information available to help businesses with the preparation, requirements and implementation of cybersecurity. Which option makes the most sense for your business? You don’t have to be alone in determining whether your business will be subject to cybersecurity requirements. Contact the KY APEX Accelerator to enhance your knowledge of cyber risk management, CMMC requirements and the handling of CUI. If you are not familiar with the KY APEX Accelerator, please visit our website at www.kyapex.com to learn more about how our free services can help your business.