The Most Common Control Deficiencies in CMMC non-compliant DoD contractors

Title: The Most Common Control Deficiencies in CMMC non-compliant DoD contractors
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Sundararajan, Vijay; Ghodousi, Arman; Dietz, J. Eric
Conference Name: 2022 IEEE International Symposium on Technologies for Homeland Security (HST)
Keywords: Accreditation, assessment, CMMC, Computational modeling, Control Family, Cybersecurity Damage Assessment, Data security, mitigation, NIST, NIST SP 800-171, pubcrawl, Regulation, resilience, Resiliency, Security Control Deficiency, US Department of Defense, US Department of Homeland Security
Abstract: As cyber threats become highly damaging and complex, a new cybersecurity compliance certification model has been developed by the Department of Defense (DoD) to secure its Defense Industrial Base (DIB) and its communication with private partners. These partners or contractors are obligated by the Defense Federal Acquisition Regulations (DFARS) to be compliant with the latest standards in computer and data security. The Cybersecurity Maturity Model Certification (CMMC) is built upon the existing DFARS 252.204-7012 clause and the NIST SP 800-171 controls. As of 2020, the DoD has incorporated DFARS and the National Institute of Standards and Technology (NIST) recommended security practices into what is now the CMMC. This paper presents the most commonly identified Security Control Deficiencies (SCD), the attacks mitigated by addressing these SCD, and the remediations applied to 127 DoD contractors in order to bring them into compliance with the CMMC guidelines. An analysis is done on which vulnerabilities are most prominent in these companies and on the remediations applied to ensure these vulnerabilities are better avoided and the DoD supply chain is more secure from attacks.
DOI: 10.1109/HST56032.2022.10025445
Citation Key: sundararajan_most_2022