In 2024, the public sector faced a number of data breaches, highlighting the vulnerability of government agencies and public institutions in the face of evolving cyber
The Defense Industrial Base (DIB) consists of over 100,000 companies that provide materials or services to the United States Department of Defense (DoD). These companies provide products needed to defend the nation and are a critical part of the DoD supply chain. DIB companies range in size from large, well-known defense contractors, like Lockheed Martin, Boeing and Northrop Grumman, to small and medium-sized enterprises that provide specialized products and services, such as drones and military vehicles.
As nation-state cyber attacks continue to target public sector services, government agencies and private companies within the DIB must take cybersecurity seriously and work towards enhancing cybersecurity defenses to protect sensitive defense information. The DoD developed the Cybersecurity Maturity Model Certification (CMMC) framework to enhance the cybersecurity posture of the DIB. It combines cybersecurity standards published by the National Institute of Standards and Technology (NIST) that any government contractor who wants to do business with the DoD must adhere to.
Cyber attacks targeting the DIB
Adversaries launch cyber attacks to steal sensitive data or intellectual property, sabotage commercial activity or threaten supply chains.
High-profile examples of cyber attacks in recent years include the 2021 Colonial Pipeline ransomware attack, which shut down a major gas pipeline for several days and caused a national state of emergency. In the 2020 SolarWinds attack, nation-state hackers gained access to the networks, systems and data of thousands of SolarWinds customers, including many local, state and federal government agencies.
The root causes of the Colonial Pipeline attack were a leaked password, an inactive VPN account and a lack of multi-factor authentication, all lapses in basic cybersecurity principles. SolarWinds was a supply chain attack targeting the company’s IT-performance monitoring systems, which had privileged access to other IT systems in order to obtain log and system performance data.
More recently, in April 2024, four Iranian nationals were indicted in a federal court and charged with participating in a malware operation that used spear-phishing and other hacking techniques to compromise U.S. government employee accounts, including accounts at the U.S. Departments of the Treasury and State, as well as defense contractors. In one instance, the Justice Department noted that:
“The conspirators compromised an administrator email account belonging to a defense contractor. Access to this administrator account empowered the conspirators to create unauthorized accounts, which the conspirators then used to send spear-phishing campaigns to employees of a different defense contractor and a consulting firm.”
Social engineering tactics were also used to deploy malware onto victim computers and compromise additional devices and accounts.
CMMC and cyber resilience
Cybercriminals only need to compromise one privileged account to gain access to other accounts and data within an organization’s network. Government contractors who handle Controlled Unclassified Information (CUI) need to abide by the CMMC security framework, which encompasses a range of controls categorized into domains. These domains cover a broad spectrum of cybersecurity practices, and the controls within them are designed to enhance the overall security posture of an organization.
CMMC Level 2 compliance requires organizations to satisfy 110 security controls from NIST SP 800-171. While we can’t cover every single control here, there are a few things your organization can do that will help ensure CMMC compliance and cyber resilience.
- Implement Multi-Factor Authentication (MFA) – Use MFA for accessing sensitive systems and data to add an extra layer of security to password-protected accounts.
- Update and Patch Systems – Keep all software, operating systems and firmware up to date with the latest patches to protect against known vulnerabilities.
- Conduct Regular Security Assessments – Perform regular security audits, vulnerability assessments and penetration testing to identify and fix potential security weaknesses.
- Encrypt Sensitive Data and Passwords – Encrypt sensitive data, both at rest and in transit, and use a password manager to protect access to it and prevent unauthorized access.
- Use Privileged Access Management (PAM) – Implement strict access controls to ensure only authorized personnel have access to sensitive information. This includes Role-Based Access Controls (RBAC) and adhering to the principle of least privilege.
- Implement a Zero-Trust Security Architecture – Ensure that authentication, authorization and encryption, at the user and device level, are implemented across the entire organization.
How Keeper Security Government Cloud helps DIB contractors meet CMMC requirements
Keeper Security Government Cloud (KSGC) password manager and privileged access manager is FedRAMP Authorized and addresses several CMMC controls in the domains of Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA) and more.
KSGC analyzes the strength and security of stored passwords across the organization and provides a comprehensive risk score for individual credentials, as well as the overall password hygiene of both the organization and individuals. IT administrators receive actionable insights through detailed reports and dashboards, highlighting weak, reused or compromised passwords, enabling them to proactively enforce password policies and initiate corrective measures.
KSGC utilizes a zero-trust and zero-knowledge security architecture, along with delegated administration and role-based enforcement policies, to provide system administrators with complete visibility and control over identity security and risks within their organization.
To learn more about how KSGC can address CMMC compliance and protect your organization against cyber attacks, request a demo today.