Do You Have the Right Cyber Insurance to Win DOD Contracts?
CMMC VERIFICATION HAS ARRIVED!
Being up to speed on the current CMMC requirements is essential. The right cyber insurance policy can be a great advantage when going after DOD and GSA contracts. Are you properly insured? Specialists at Cyber Armada can assist your company to gain an edge to win contracts.
WHY THIS MATTERS
We are at a cybersecurity inflection point for the Department of Defense (DOD) as they seek to stop the onslaught of cyber threats and the theft of valuable intellectual property and sensitive data.
As the cyberattack surface expands, the 300,000 plus DOD contractors that comprise the Defense Industrial Base (DIB) are looking to get their cyber ducks in a row for the Interim DFARs Rule and CMMC.
Your business needs to take action steps that make good business sense:
- Establish a sound cyber risk management plan that fulfills the regulatory and contractual obligations, prime contractors and their subcontractors.
- Establish proof of compliance via cybersecurity measures.
- Invest in cyber insurance to help alleviate some of the financial burden:
- Direct first party costs of incident response planning and team building to mitigate a cyber loss.
- Third party costs that arise from claims, regulatory enforcement actions, or lawsuits.
Cybersecurity Maturity Model Certification (CMMC)
Cyberattacks on supply chains are well-documented and on the rise, especially during COVID-19. The US government is intent on minimizing supply-chain threats and cybersecurity risks.
Information Protected by CMMC
First, DIB contractors need to know if they have Federal Contract Information (FCI) or Controlled Classified Information (CUI). If you enjoy listening to podcasts, DIB Tech Talk podcasts hosted by Leslie Weinstein help clarify FCI and CUI classifications.
Here are the basic requirements:
- FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
- The CMMC model uses the basic safeguarding requirements for FCI as the Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for CUI as specified in NIST 800-171/ DFARS.
- CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
CMMC Levels of Cybersecurity Maturity
Prime contractors and subcontractors must protect their networks and demonstrate compliance via five levels of certification of cybersecurity maturity – depending on the nature of the contract – aligning a set of processes and practices with the type and sensitivity of the information to be protected.
The Challenge for Prime Contractors
The challenge for prime contractors to be awarded DOD contracts is two-fold:
- First, they must comply with the CMMC maturity level relevant to the goods and services they contract to sell to the DOD.
- Second, primes must confirm CMMC certification by their subcontractors.
Cybersecurity is No Longer Optional
Katie Arrington, CISO in the Office of the Undersecretary for Acquisition and Sustainment), and the self-described "mother of CMMC," noted that cybersecurity is no longer optional from December 1, 2020, because it is critical to our commerce and national security.
Arrington made her remarks at the recent Intelligence and National Security Alliance (INSA) conference concerning the imminent implementation of new contracting rules mandating cybersecurity.
Arrington said, "It's trust but verify. This is the start of a new day in the Department of Defense where cybersecurity, as we've been saying for years, is foundational for acquisitions. We're putting our money where our mouth is. We mean it."
Regarding timing, Arrington said she and her team are pushing straight ahead: "The CMMC is going to continue. We are not stopping. We haven't let up on the gas, we are rapidly rolling through mere days until the interim rule becomes effective."
Arrington confirmed that as soon as the interim rule goes final, effective November 30, 2020, pilot programs due to be launched in 2021 will be released. The first 15 contracts will start the shift to new, verifiable cybersecurity among contractors. A total of at least 1500 contractors and subcontractors are expected to work on those first projects, and each will need to be certified to do the work.
Those first 15 contracts will range in size and complexity, be spread out across the services, and commands such as Transcom and Cyber Command, and parts of the so-called Fourth Estate, like the Missile Defense Agency -- and certification will take place throughout fiscal 2021.
Previously, companies could meet some of the 110 benchmark standards in NIST 800-171 so long as they claimed they were working towards compliance with the rest. That meant companies could compete for contracts without having to prove compliance.
"CMMC is going to be a go/no-go decision. When audited, you're either level 1 or not," said Arrington. For primes contracts that specify a high compliance level, CMMC rules mean contracts will outline if subcontractors need to meet the same level of compliance -- or a lower compliance level (as they will not be handling sensitive information).
The goal is a process that makes source selection equal for all companies that comply with the security they claim to offer. The Pentagon will automatically price security into contracts, taking a cheaper option that is not yet compliant off the table.
Companies seeking future contracts with the Pentagon will need to change their compliance posture as the era of voluntary compliance winds down. A cybersecurity regime built on verification means that the Pentagon can finally stop contracting with companies that leave vulnerabilities unfixed for years after patches are available.
Contractors leaving weaknesses in place, including simple errors that threaten the whole supply chain, will be a thing of the past. "People are not changing passwords, not implementing two factor, not labeling documents appropriately. We are causing harm to our supply chain by not doing these," said Arrington.
Stand-Alone Cyber Insurance
Are you conducting a cyber risk assessment to know how and where you are vulnerable? For small to medium-sized businesses, the cyber risk assessment conducted to acquire Stand-Alone Cyber Insurance could be a differentiator in the CMMC certification process.
Cybercriminals are creative, using ever-expanding attack surfaces to gain unauthorized access to steal critical data (FCI, CUI, PII) via 1)mobile devices, 2) IoT devices (e.g., bring your own devices aka BYOD), 3) tracking and mapping tools, 4) customer data management systems, 5) computer systems, or 6) networks.
Your employees are a potential gateway into your systems in multiple work environments (working from home, remotely, in the office, in the warehouse or plant, or on a job site).
In 2020, with ransomware attacks on the rise and predicted to increase in 2021, you need to pre-test your incident response plans and data back-ups as if you are experiencing a cyberattack. Once a cyberattack occurs, you may face a shutdown of your systems or your entire operation.
Stand-Alone Cyber Insurance protects your balance sheet. Your third-party suppliers should have cyber insurance for the same protection. Although more businesses rely on contractual obligations to ensure adequate cyber loss protection, you should confirm cyber coverage within your supply chain.
For example, some carriers offer cyber insurance coverage for:
- Bodily Injury and Property Damage to third parties caused by a security breach or failure:
- Third-party physical injury.
- Third-party damage to tangible property.
- Ransom payment demands during a ransomware attack:
- Ransom payments (often in cryptocurrency) agreed with the prior written approval of the insurance company.
- Ransom negotiations with the hackers (regarding the ransom demand with the help of a security expert).
- Business interruption during a cyber event:
- Costs incurred during a shutdown caused by a ransomware attack (after a brief waiting period and during a restoration period), including lost net profits.
- Extra expenses incurred during a shutdown of your computer network, including payroll.
- Data recovery or restoration:
- Recovering or restoring lost programs, software, or data due to damage, disruption, theft, or misuse of your data during a cyber event.
- Incident response during a cyber incident:
- Incident response planning.
- Incident response team pre-selected from a panel of experts).
- Cyber incident response costs incurred.
- Employee cyber risk awareness training:
- Employee training focused on reducing the likelihood of human error by employees being tricked or manipulated into taking action that leads to a ransomware attack, data breach, or funds transfer fraud.
Stand-Alone Cyber Insurance is a Win-Win. First, you win from your investment because of the services provided in most policies. Second, you win by investing in the coverage provided when faced with a claim or lawsuit for damages.
- The cyberattack surface has expanded. Are you prepared?
- The cyberattack vectors are dynamic. Are you prepared?
- A holistic cyber risk management plan is the new foundation of government contracts, including cybersecurity and cyber insurance.
- Your business needs specialist advice from a broker and carrier dedicated to providing comprehensive cyber insurance appropriate for your specific cyber risk tolerance.
- In conjunction with its specialist network, the Cyber Armada Insurance team is here to help you as you seek to win government contracts.
Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to request cyber solutions appropriate for your needs and cyber risk tolerance. We understand the evolving demands and expectations of cyber insurance clients.
Contact Cyber Armada today to examine your company's potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our upcoming article on critical infrastructure.