All content in this area was uploaded by Shaughnn Raschid Muller on Sep 11, 2023
Copyright © 2023, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Chapter 14
DOI: 10.4018/978-1-6684-8691-7.ch014
An Analysis of the Design of the Cybersecurity Maturity Model Certification (CMMC) and Its Direct Effect on Supply Chain Management
S. Raschid Muller
https://orcid.org/0000-0002-1742-7575
Capitol Technology University, USA
ABSTRACT
This chapter addresses the rationale behind the Department of Defense commissioning the Cybersecurity Maturity Model Certification (CMMC) to address critical supply chain issues that directly affect services provided by contractors. Cybersecurity was added as a fourth pillar to the existing three-pillar acquisition model (cost, schedule, and performance) to significantly lower risk to the supply chain. The scenarios addressed in the chapter identify the need for its immediate implementation. Recommendations, based on the literature, are made about informing the supply chain community of the effect that a lack of cybersecurity awareness has on business continuity.
I. INTRODUCTION
The Department of Defense (DoD) is the world’s largest consumer of goods and services. As the global economy becomes more interconnected, the DoD is increasingly vulnerable to supply chain disruptions and cyber-attacks from malicious actors. To protect its supply chains, the DoD has developed the Cybersecurity Maturity Model Certification (CMMC) program, designed to establish a baseline of cybersecurity standards for its contractors and vendors.
This chapter’s objective is to discuss the reasons for the DoD to commission and implement the CMMC to address the gaps in supply chain management at the executive levels of the United States (US) government. It will also provide an overview of the CMMC program, examine the implications of the CMMC standard for the DoD’s supply chains, and suggest potential future improvements. Furthermore, the chapter addresses the rationale for adding cybersecurity as the fourth pillar of the acquisition cycle. Cyber-attacks have increased worldwide, interrupting business and government operations and leading to massive ransomware payouts and damaged corporate reputations. As a result, cybersecurity threats and attacks have recently become a vital issue for the DoD.
the chapter addresses the rationale for adding cybersecurity as the fourth pillar of the acquisitions cycle.
Cyber-attacks have increased worldwide as they interrupt businesses and government operations, leading
to massive ransomware payouts and damaged corporate reputations. As a result, cybersecurity threats
and attacks have recently become a vital issue for the Department of Defense (DoD).
Methodology
The methodology used in this chapter is a review of the literature related to the CMMC and the DoD’s role in cybersecurity. The literature review includes published works such as books, journal articles, and other scholarly sources. It discusses the rationale behind the DoD commissioning and implementing the CMMC, the importance of the DoD’s role in cybersecurity, the various aspects of the CMMC, and how it benefits the DoD and its vendors and contractors.
Significance of the Study
The DoD’s need for the CMMC program can be traced back to several security gaps in its supply chains. In 2017, the Government Accountability Office (GAO) found that the DoD could not properly track, monitor, and secure the supply chain due to insufficient information about vendors and contractors (Pacheco, 2017). This lack of visibility made it difficult for the DoD to identify and mitigate potential security risks. As a result, the DoD has been increasingly vulnerable to cyber-attacks from malicious actors and to supply chain disruptions from external factors. This study provides background on the current environment in order to set a baseline of metrics for supply chain management awareness, and it considers the influence of policy and of future amendments in adapting to an evolving threat landscape with increased risk.
Purpose of the Study
This chapter aims to inform the supply chain community of the effect that a lack of cybersecurity awareness has on business continuity. Recommendations for consideration conclude the chapter.
Definitions
Covered contractor information system. A covered contractor information system is an information system owned or operated by a contractor that processes, stores, or transmits Federal contract information (Office of the Under Secretary of Defense, 2022).
Federal contract information. Federal contract information (FCI) is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It does not include information the government provides to the public on open websites or simple transactional information needed to process payments (Office of the Under Secretary of Defense, 2022).
Information system. An information system is a discrete set of information resources organized for collecting, processing, maintaining, using, sharing, disseminating, or disposing of information (Office of the Under Secretary of Defense, 2022).
Safeguarding. Safeguarding means measures or controls prescribed to protect information systems (Office of the Under Secretary of Defense, 2022).
Supply chain. A supply chain combines the ecosystem of resources needed to create, produce, and distribute a product. For example, a supply chain in cybersecurity includes hardware and software, cloud or local storage capacity, and distribution mechanisms (European Union Agency for Cybersecurity, 2021b).
Background
The Department of Defense (DoD) is the most powerful military organization in the world, with a budget
of more than $700 billion in 2020 (United States Government Accountability Office, 2020). However, with
such a large budget, the DoD is a prime target for cyber-attacks. In the past few years, the DoD has lost
significant money due to cyber-attacks, estimated to be over $1.6 billion between 2020 and 2022 (United
States Government Accountability Office, 2020). This raises serious questions about the effectiveness
of the DoD’s supply chain risk management (SCRM) procedures and the vulnerabilities of its systems.
Approximately 300,000 companies provide services and products to the nation’s defense industrial base (Modiyliani, 2022). Concerns have been raised that some US military contractors pose a significant cybersecurity threat because they exercise limited management over their in-house cybersecurity mechanisms (Peters, 2020). The department’s continuing effort to implement its Cybersecurity Maturity Model Certification (CMMC) framework is an attempt to address cyber-attacks on the DoD supply chain and the accompanying economic and national security costs (United States Government Accountability Office, 2022). This initiative provides a scalable cybersecurity standard for the full range of defense assets (Office of the Undersecretary of Defense for Acquisition and Sustainment, 2020). Once fully implemented, with a target date of fiscal year (FY) 2026, the framework requires all DoD prime contractors and subcontractors to obtain certification from accredited third-party assessment organizations that their in-house cybersecurity practices and processes meet the required level (Lopez, 2020).
The Department of Defense established the Cybersecurity Maturity Model Certification (CMMC 1.0) program in 2020. The CMMC 1.0 framework protects federal contract information and controlled unclassified information (CUI) within the Defense Industrial Base (DIB) sector (Department of Defense, 2020). The DoD released an updated CMMC 2.0 framework in November 2021. According to DoD, the CMMC 2.0 changes would be implemented through the rulemaking process (Title 32 of the CFR and the DFARS), and defense contractors would be required to comply once the forthcoming rules took effect. In addition, organizations whose systems process, transmit, or store DoD CUI (Spencer, 2019) must already adhere to the requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (Ross et al., 2020).
NIST SP 800-171 provides recommended requirements for protecting the confidentiality of CUI. Defense contractors must implement the requirements in this publication to demonstrate that they provide adequate security for defense contract information, as required by DFARS clause 252.204-7012. Manufacturers that are part of the NASA, DoD, General Services Administration (GSA), and other federal or state agency supply chains must likewise implement the security requirements and mandates in this special publication (Spencer, 2019).
The DoD implemented more than 70% of four selected cybersecurity requirements for CUI systems. This finding draws on an analysis of the DoD reports GAO reviewed, including the report to Congress and data from DoD’s risk management tools (United States Government Accountability Office, 2022). Mandated requirements include (1) categorizing systems according to the impact (low, moderate, or high) of a loss of confidentiality, integrity, or availability; (2) implementing specific controls according to the system’s impact level; and (3) authorizing systems to operate (United States Government Accountability Office, 2022). However, as of January 2022, the extent of implementation varied across the four requirement areas. For example, implementation of the CMMC program requirements that DoD established in 2020 ranged from 70 to 79%, whereas it was over 90% for the authorization of systems to operate (United States Government Accountability Office, 2022).
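The first of the mandated requirements above, categorizing a system by the impact of a loss of confidentiality, integrity, or availability, follows the FIPS 199 high-water-mark rule. The following Python script is an added example written for this chapter; it is not code from the chapter, GAO, or DoD, and the information types and ratings in it are constructed for illustration. It shows the aggregation a system owner performs across every information type the system handles, including the one edge case FIPS 199 allows: a confidentiality rating of "not applicable" for already-public information, which still cannot lower the system itself below "low".

```python
"""FIPS 199 security categorization of a system by the high-water mark.

Added example, not code from the chapter, GAO, or DoD. The information types
and ratings in EXAMPLE_INFORMATION_TYPES are constructed for illustration.
"""

# Impact values in rank order. "n/a" is permitted only for the confidentiality
# of information that is already public (FIPS 199, Section 3).
RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def check_rating(objective: str, value: str) -> str:
    """Validate a single impact rating and return it normalised to lower case."""
    value = value.strip().lower()
    if value not in RANK:
        raise ValueError(f"{objective}: unknown impact value {value!r}")
    if value == "n/a" and objective != "confidentiality":
        raise ValueError(f"{objective}: 'n/a' is allowed only for confidentiality")
    return value


def categorize_information_type(ratings: dict) -> dict:
    """Validate the C/I/A ratings of one information type."""
    missing = [o for o in OBJECTIVES if o not in ratings]
    if missing:
        raise ValueError(f"missing objectives: {missing}")
    return {o: check_rating(o, ratings[o]) for o in OBJECTIVES}


def categorize_system(info_types: dict) -> dict:
    """Aggregate ratings across all information types a system handles.

    For each objective the system's impact is the highest value among its
    information types (the high-water mark), but never below "low": a system
    has no "n/a" category even when every information type on it is public.
    The overall system category is the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    validated = {name: categorize_information_type(r) for name, r in info_types.items()}
    result = {}
    for objective in OBJECTIVES:
        highest = max((v[objective] for v in validated.values()), key=RANK.__getitem__)
        result[objective] = "low" if RANK[highest] < RANK["low"] else highest
    result["system"] = max((result[o] for o in OBJECTIVES), key=RANK.__getitem__)
    return result


# Constructed example: a contractor system holding CUI technical data, a
# public product brochure, and a maintenance log whose integrity matters.
EXAMPLE_INFORMATION_TYPES = {
    "CUI technical data": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "public brochure": {"confidentiality": "n/a", "integrity": "low", "availability": "low"},
    "maintenance log": {"confidentiality": "low", "integrity": "high", "availability": "low"},
}

if __name__ == "__main__":
    for objective, level in categorize_system(EXAMPLE_INFORMATION_TYPES).items():
        print(f"{objective:16} {level}")
```

With the constructed inputs the system comes out at high overall because one information type carries a high integrity impact, even though its confidentiality impact is only moderate; that single high-water mark is what drives the control baseline selected in requirement (2).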
General Problem Statement
The general problem is the lack of cybersecurity awareness from the human perspective, which causes a severe gap in securing the nation’s supply chain during critical needs (Lovells & Olmsted, 2022; Rauf, 2019; Muller & Lind, 2020). Data breaches occur through intentional or unintentional errors within an organization’s technology systems. In many instances, employees may be unaware or negligent, or may have inappropriate access to information that is then misused (Cyber Defense QCD Corporation [CYDEF], 2021). Humans are therefore a significant factor contributing to data breaches. Although cybersecurity is often treated as a technology problem, 88% of data breaches result from human error (CYDEF, 2021). Regardless of the reasons, human errors cost companies millions of dollars; IBM’s breach-cost research cited by CYDEF put the average cost of a data breach caused by human error at over $3.33 million. With large companies losing this much, most small and medium-sized enterprises cannot afford such losses from human error (CYDEF, 2021).
ManageEngine and Endpoint Central (2021) focused on the Department of Homeland Security’s top cybersecurity priorities in 2021: confronting the immediate threat of ransomware and building a more robust and diverse workforce. According to the Secretary of Homeland Security, Alejandro Mayorkas:
Approximately $4 billion in cybercrime losses occurred to the US government in 2021. Those losses affected the incomes of Americans across the country, happening most often to vulnerable populations such as elderly and unemployed individuals who rely on government assistance, poor minorities, and American families worldwide. Based on the ransomware attacks and intrusions into critical infrastructure, cyber threats are getting alarmingly close to intimidating people’s lives. (p. 15)
The United States should strengthen its cyber practices in federal, public, and private organizations to diminish and defend against sudden cyber threats (ManageEngine & Endpoint Central, 2021). The vision for DHS’s cybersecurity work rests on five fundamental principles: (1) cybersecurity should protect people’s lives; (2) foster bold and immediate innovation, wide-scale investment, and a higher bar of essential cyber hygiene to improve cyber defenses; (3) assess risk in order to prioritize and allocate limited resources; (4) strengthen collaboration between the private sector and government to generate the insights necessary to detect malicious cyber actors; and (5) integrate diversity, equity, and inclusion throughout every aspect of cybersecurity (ManageEngine & Endpoint Central, 2021).
Specific Problem Statement
Cyber threats against targeted information systems are growing rapidly, and the lack of knowledge extends beyond the supply chain management system (National Institute of Standards and Technology, 2021). A threat can infiltrate a software supply chain when an attacker penetrates a software vendor’s network. The attacker can insert malicious code into the software before the supplier ships it to customers (National Institute of Standards and Technology, 2021). The compromised software then compromises customers’ systems and data. Newly acquired software might be compromised from its inception, or the compromise may arrive later through a patch or hotfix (Banerjee, 2022). A hotfix is a small patch for a specific issue that is applied while the system remains in operation (Cybersecurity and Infrastructure Security Agency, 2019). In these cases, the infiltration occurs before the patch or hotfix enters the customer’s network (National Institute of Standards and Technology, 2021). Such attacks affect virtually all users of the infiltrated software and therefore impose broad costs on government, critical public services, and private sector software customers (National Institute of Standards and Technology, 2021).
A supply chain merges the network of resources needed to create, produce, and distribute products. In cybersecurity, a supply chain includes hardware and software, local storage, and distribution systems (European Union Agency for Cyber Security, 2021a). The European Union Agency for Cybersecurity’s mapping of evolving supply chain attacks showed that 66% of attacks focused on the supplier’s code (European Union Agency for Cyber Security, 2021a). Cybersecurity experts’ primary concern is the chain reaction in which a single attack on a supplier compromises many downstream customers. In addition, malware was the technique attackers resorted to in 62% of the attacks (European Union Agency for Cyber Security, 2021b).
The European Union Agency for Cybersecurity (ENISA) Threat Landscape for Supply Chain Attacks investigated 24 malicious attacks. Robust security protection is no longer sufficient for organizations when attackers shift their attention to suppliers (European Union Agency for Cyber Security, 2021b). The increasing impact of these attacks includes system downtime, financial loss, and reputational damage. The ENISA report covered supply chain attacks from January 2020 to early July 2021. In 2020, the observed supply chain attacks increased in number and complexity, and the trend continued into 2021, posing an increased risk for organizations (European Union Agency for Cyber Security, 2021b). Four times more supply chain attacks occurred in 2021 than in 2020. Half of the attacks were attributed to Advanced Persistent Threat (APT) actors, and their complexity and resourcing significantly exceeded those of common non-targeted attacks. These new trends emphasize the need for politicians, legislators, and the cybersecurity community to act immediately. Innovative protective measures might prevent and mitigate future supply chain attacks. Figure 1 shows the increasing need for new protective methods that incorporate suppliers in order to guarantee that organizations remain secure (European Union Agency for Cyber Security, 2021b).
II. LITERATURE REVIEW
The History of Cybersecurity
Cybersecurity began with the founding of the Internet, which is traced to the construction of the Advanced Research Projects Agency Network (ARPANET), begun in 1969 and expanded through the 1970s (Plachkinova, 2022). Originally, ARPANET expanded with little public knowledge of its existence. On January 1, 1975, ARPANET came under the explicit control of the Defense Communication Agency (DCA), which became concerned about the lack of control of the network. The DCA warned against unauthorized persons accessing and using the network, hoping to limit its use to military personnel or vetted persons working on government contracts (Plachkinova, 2022).
However, by the early 1980s, the network was open to both authorized and unauthorized access. The access situation got out of control when a significant drop in computer prices granted more people access to the network (The Conversation, 2016). To manage the situation, ARPANET was separated into two distinct networks. The first part kept the name ARPANET and was primarily devoted to research. The second part, MILNET, served as the military operational network, shielded by concrete security measures involving strict access control and encryption (Plachkinova, 2022). MILNET (Military Network) was the name given to the part of the ARPANET internetwork set aside for unclassified United States Department of Defense traffic (Plachkinova, 2022).
By the 1980s, many researchers and developers were using the network. In 1984, the National Science Foundation (NSF) began using ARPANET as the backbone for its own network, NSFNET (Plachkinova, 2022). Under the guidance of the NSF, use of the network guided the development of private and long-haul networks. The ARPANET was officially decommissioned in 1990, and in 1995 the NSFNET was shut down, effectively privatizing the Internet. By then the network, no longer the private enclave of computer scientists or the military, had become the Internet (The Conversation, 2016).
Figure 1. ENISA threat landscape for supply chain attacks
Source: European Union Agency for Cybersecurity. (2021b). ENISA threat landscape for supply chain attacks. https://www.
enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
Few would argue against the claim that the growth of the Internet expanded society’s ability to obtain valuable knowledge and engage in electronic commerce (Plachkinova, 2022). However, the lack of control the DCA had warned of only worsened as the Internet became a more significant part of people’s everyday lives. With the Internet becoming publicly available in 1990, more and more people started to put personal information online (Plachkinova, 2022).
Organized cybercrime quickly recognized this as an opportunity to generate revenue using the web
to pilfer data from people and the government (Frandia & Zanzig, 2022). With the tremendous increase
in network security threats, there was a strong demand for antivirus programs and network firewalls to
protect from hackers (Frandia & Zanzig, 2022). After the turn of the century, organized crime stepped up
its attacks by funding professional cyberattacks. Consequently, the role of information security increased
significantly, and governments handed down more severe penalties against hackers (Davies, 2021).
The US Department of Defense (DoD) issued a report responding to President Joe Biden’s 2021 Executive Order (EO) 14017, America’s Supply Chains. This order called for a thorough assessment of supply chains in critical sectors, including the defense industrial base (DIB; Lovells & Olmsted, 2022). The DoD report, titled Securing Defense-Critical Supply Chains, evaluated supply chains in the DIB. In addition, the DoD plans to align its central priorities and capabilities to improve the industrial base and establish a network of domestic and allied supply chains to meet national defense needs (Lovells & Olmsted, 2022). The DoD’s plan is a significant development for the aerospace and defense (A&D) industry.
Supply Chain Risk Management and Its Blind Spots
Before discussing the significant gaps in SCRM, it is important to define what SCRM is and how it is
used to protect organizations from cyber-attacks. According to Wasowski (2020), SCRM is “the pro-
cess of identifying, assessing, and mitigating risks within the supply chain” (p. 12). SCRM includes a
variety of processes and procedures that are used to protect organizations from cyber-attacks, such as
developing strategies to protect information systems, implementing security protocols, and monitoring
the supply chain for potential threats. The DoD has implemented numerous SCRM measures, such as
the Cybersecurity Maturity Model Certification (CMMC), and the federal government commissioned
the Cybersecurity and Infrastructure Security Agency (CISA) in 2018 (Muller & Thomas, 2020).
Despite the DoD’s implementation of SCRM procedures, there are still significant gaps in the Department’s protection against cyber-attacks. One of the most significant gaps is the lack of oversight of third-party vendors and contractors. According to a report by the Government Accountability Office (GAO), “the Department of Defense is not always aware of the risks posed by its contractors’ use of third-party vendors” (United States Government Accountability Office, 2022). This lack of oversight can lead to cyber-attacks, as malicious actors can exploit the vulnerabilities of third-party vendors and contractors to gain access to the DoD’s networks.
Another significant gap in SCRM is the lack of threat intelligence. According to the GAO (2020), the DoD has not “fully developed a comprehensive threat intelligence program” (p. 6). Without a comprehensive threat intelligence program, the DoD is unable to anticipate and prevent potential cyber-attacks. Furthermore, the DoD has not implemented an effective system for sharing threat intelligence with its contractors and vendors, meaning that they are unable to protect themselves from potential cyber-attacks.
A final significant gap in SCRM is the lack of advanced analytics. According to the GAO (2020), the DoD has not “fully implemented an advanced analytics program” (p. 6). Without advanced analytics, the DoD cannot identify potential threats and vulnerabilities in its networks. Furthermore, the lack of advanced analytics makes it difficult for the DoD to detect and respond to cyber-attacks promptly.
Assessment of the Critical Supply Chains
The US continues to lead in developing information and communications technology (ICT) and in innovation across many product categories (US Department of Commerce and US Department of Homeland Security, 2022). However, production of many products, such as printed circuit boards (PCBs) and displays, has become progressively more concentrated in China, along with electronics fabrication. For a limited number of the products considered, such as fiber optic cables, the United States continues to maintain a domestic engineering base (US Department of Commerce and US Department of Homeland Security, 2022). The nature of the present-day ICT software ecosystem creates several security risks. The worldwide use of open-source software threatens software supply chain security because the software is susceptible to tampering. Open-source software is code made publicly available for anyone to view, modify, and distribute; it is developed in a distributed and collaborative manner that depends on peer review and community contribution. Furthermore, the complexity of the ICT supply chain has led many original equipment manufacturers (OEMs) to contract out firmware development to third-party suppliers. This outsourcing introduces risks related to the lack of transparency in suppliers’ programming and cybersecurity standards (US Department of Commerce and US Department of Homeland Security, 2022).
Outsourcing ICT manufacturing has significantly reduced domestic ICT production and the manufacturing workforce (US Department of Commerce and US Department of Homeland Security, 2022). By comparison, the domestic software developer and engineering workforce, which makes up 40 percent of US ICT personnel, is expected to grow substantially based on recent employment trends. However, in both the manufacturing and software development segments, industry stakeholders reportedly have difficulty finding qualified employees across occupations (US Department of Commerce and US Department of Homeland Security, 2022).
Underlying weaknesses across the ICT supply chains became more noticeable because of the disruptions caused by the COVID-19 pandemic (US Department of Commerce and US Department of Homeland Security, 2022). These weaknesses include many ICT manufacturing sectors’ reliance on a single source or on suppliers from a single region, and the complexity of the supply chains, which makes product integrity hard to maintain. These vulnerabilities increased the potential for supply chain disruptions and for compromised products, and they hampered supply chain security measures (US Department of Commerce and US Department of Homeland Security, 2022).
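Both the patch-and-hotfix compromise described under the specific problem statement and the tampering risk in open-source and outsourced firmware discussed above share the same basic countermeasure on the customer side: verify every artifact against a digest pinned out of band before it is installed. The following Python script is an added example written for this chapter; it is not code from the chapter, from NIST, or from any vendor’s update tool. The artifact names, contents, and manifest are constructed, and the script assumes the manifest reaches the customer over a channel separate from the download itself (for example, a signed release announcement), so that an attacker who alters the artifact in transit cannot also rewrite its expected digest.

```python
"""Verify downloaded patches and dependencies against pinned SHA-256 digests.

Added example for this chapter; not code from the chapter, NIST, or any
vendor's update tool. KNOWN_GOOD, PINNED_MANIFEST and EXAMPLE_DOWNLOADS are
constructed so the script runs offline. Assumption: PINNED_MANIFEST was
obtained out of band, separately from the downloads it is checked against.
"""
import hashlib
import hmac

# Constructed "known good" artifacts, used only to build the pinned manifest.
# A real manifest is published by the vendor and fetched over a separate channel.
KNOWN_GOOD = {
    "hotfix-2.4.1.bin": b"patch payload: fix null dereference in parser\n",
    "libparse-1.9.0.tar.gz": b"source tarball: libparse 1.9.0\n",
}
PINNED_MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in KNOWN_GOOD.items()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, manifest: dict = PINNED_MANIFEST) -> str:
    """Return "ok" if `data` matches the pinned digest for `name`, else a reason.

    An artifact missing from the manifest is rejected rather than waved through:
    an attacker who can place files in a download location must not be able to
    introduce an unpinned one alongside the legitimate patch set.
    """
    expected = manifest.get(name)
    if expected is None:
        return "not in pinned manifest"
    actual = sha256_hex(data)
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected):
        return f"digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return "ok"


def stage_updates(downloads: dict, manifest: dict = PINNED_MANIFEST):
    """Check every downloaded artifact; return (install_allowed, {name: verdict}).

    Installation is all-or-nothing: a patch set is applied as a unit, and a
    single tampered file is enough to compromise the host, so nothing is
    staged unless every artifact verifies.
    """
    verdicts = {name: verify_artifact(name, data, manifest) for name, data in downloads.items()}
    return all(v == "ok" for v in verdicts.values()), verdicts


# Constructed downloads: one intact, one tampered in transit, one unexpected.
EXAMPLE_DOWNLOADS = {
    "hotfix-2.4.1.bin": KNOWN_GOOD["hotfix-2.4.1.bin"],
    "libparse-1.9.0.tar.gz": KNOWN_GOOD["libparse-1.9.0.tar.gz"] + b"; injected backdoor stub\n",
    "helper-tool.bin": b"unsolicited extra file\n",
}

if __name__ == "__main__":
    allowed, verdicts = stage_updates(EXAMPLE_DOWNLOADS)
    for name, verdict in verdicts.items():
        print(f"{name:24} {verdict}")
    print("install allowed:", allowed)
```

Run directly, the script rejects the tampered tarball and the unpinned extra file and refuses to stage the set even though the hotfix itself is intact. Digest pinning only catches tampering after the manifest was produced; if the vendor’s own build was compromised before that point, the digests will match the malicious artifact, which is why reproducible builds and signed software bills of materials are the complementary controls for that case.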
Supply Chain Report
The global supply chain report provides an understanding of the worldwide economy and the top international regions (Interos Resilience Lab, 2022). The cost of supply chain disruptions was approximately equivalent around the world. Companies in the United Kingdom and Ireland performed slightly better, with $142 million in average revenue losses, compared to those in France, which averaged $230 million in losses. Costs also varied among industries, with financial services corporations ($143 million in average annual losses) faring best, while pharmaceuticals and life sciences ($226 million in losses) fared worst (Interos Resilience Lab, 2022). Significant findings of the Interos Resilience 2022 survey showed that 64% of companies planned to make sweeping changes to their supply chain footprint. Seventy-seven percent planned to implement technology in the next year to gain visibility into their supply chains. Nevertheless, only 11% of organizations monitored supplier risk continuously. In comparison, 82% of companies agreed that joint responsibility protects against supply chain disruptions (Interos Resilience Lab, 2022).
Cost of Major Supply Chain Disruptions
Major supply chain disruptions can reduce supply availability, increase lead times, and delay order fulfilment (Helper & Soltas, 2021). Supply chain disruptions are expensive because they add charges for expedited logistics, slowed and idle production lines, and penalties for late or incomplete deliveries (Helper & Soltas, 2021). Interos Resilience Lab’s (2022) survey indicates that supply chain disruptions are costly: the annual cost to organizations is upwards of $182 million, or 1.74% of yearly revenue, depending on geography and sector. France had the highest costs at $230 million, followed by pharmaceuticals and life sciences at $226 million. The lowest costs were in the United Kingdom and Ireland at $142 million, and in financial services at $143 million. Proactive rather than reactive supply chain risk management and operational resilience tactics help to avoid, or at least reduce, the high costs of supply chain disruptions (BizClik Media, 2020).
Cyber Hygiene and Resilience Programs
Cyber hygiene has become a critical method for building operational resilience programs with agile capabilities that must become muscle memory (Snijders et al., 2020) in order to maintain availability when risks arise (Rao, 2022). Resilience programs treat cyber hygiene, the regular performance of actions that keep assets secure, as essential. In addition, these organizations understand their ecosystem and know which levers to pull in response (Rao, 2022).
The Cybersecurity Maturity Model Certification (CMMC) program at National Science Foundation-International Strategic Registrations (NSF-ISR) was among the first to help secure regulated unclassified information for the Department of Defense (DoD) supply chain (Giles & Dancel, 2020). NSF-ISR’s guidance on understanding the five levels of the new CMMC program is essential reading for prospective defense contractors (Giles & Dancel, 2020). Level 1 is basic cyber hygiene, where processes are performed. Level 2 consists of intermediate cyber hygiene, where processes are documented. Level 3 involves good cyber hygiene, where processes are managed. Level 4 involves proactive processes that are reviewed for effectiveness. Finally, Level 5 involves optimizing the organization’s processes (National Science Foundation-International Strategic Registrations [NSF-ISR], 2021).
The CMMC model protects Federal contract information (FCI) and Controlled Unclassified Information (CUI) held by the department’s contractors and subcontractors under acquisition programs (Office of the Under Secretary of Defense, 2022). Consistent with the Federal Acquisition Regulation (FAR), FCI is defined as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service for the government. FCI does not include information the government provides to the public, such as on public websites, or simple transactional information necessary to process payments (Office of the Under Secretary of Defense, 2022).
Department of Defense Acquisitions
Cybersecurity threats in the form of cyber-attacks and data theft have significantly affected the DoD and the DIB, which DoD’s Cybersecurity Maturity Model Certification (CMMC) framework is meant to address (Peters, 2020). These threats are an essential concern to policymakers because of reported incidents involving the unauthorized exfiltration of large quantities of sensitive defense information from DIB systems. In response to these threats, the DoD began work in early 2019 to develop the CMMC framework. This DoD-driven initiative provides a unified cybersecurity standard for defense acquisitions and is intended to build on existing laws and policies (Peters, 2020). Under the completed CMMC framework, a verification mechanism requires all prime contractors and subcontractors that conduct business with the DoD to obtain certification from accredited third-party organizations that the contractors’ in-house cybersecurity practices and processes meet specific standards (Peters, 2020).
The DoD’s CMMC framework protects federal contract information, that is, information provided by or generated under government contracts that is not intended for public release, and it enhances security for controlled unclassified information generated during contracted activities (Peters, 2020). DoD anticipates fully implementing the CMMC framework over five years. It may fully apply to DoD-covered contracts starting in Fiscal Year (FY) 2026, that is, on or after October 1, 2025 (Peters, 2020).
The DoD asserts that the framework provides assurance to the department that a DIB contractor can adequately protect controlled unclassified information and federal contract information at a level commensurate with the associated risk (Peters, 2020). The framework includes a system of tiered requirements based on a contract’s specific cybersecurity needs. For example, level one requires basic cybersecurity, whereas level five, the highest level, entails state-of-the-art cybersecurity (Peters, 2020). DoD asserted that most defense contractors and subcontractors need only a level 1 certification, while about 15,000 cleared defense contractors may require level 3 certification or higher. A single contract may require different certification levels for each participating entity, depending on the contractual responsibilities of the prime contractor and its subcontractors (Peters, 2020).
On September 29, 2020, the DoD released an interim rule to begin its phase-in of the CMMC framework
requirements (Peters, 2020). The interim rule took effect on November 30, 2020, and the
first contracts could include CMMC requirements in 2021. In addition, Congress worked to mitigate DIB
cybersecurity risks and vulnerabilities through various policy initiatives, including related authorization
legislation considered by the 116th Congress (PL 116-92; Peters, 2020).
The Fourth Industrial Revolution and Smart Manufacturing
The fourth industrial revolution led to the most recent developments in information and communication
technologies (ICTs). This revolution involves a substantial investment in developing intelligent manufacturing
systems (Oliveira & Santos, 2022; Phuyal et al., 2020). ICTs help to reduce poverty, create new sources of
income, help to employ the poor, and improve access to health and education for low-income individuals
(Organization for Economic Cooperation and Development [OECD], 2022). Accessing and using ICTs
has become a significant factor in driving competitiveness, economic growth, and social development.
In the last decade, ICTs, particularly mobile phones, have opened new doors and channels for freeing
ideas and opinions, promoting democracy and human rights (OECD, 2022).
Smart manufacturing is the technology that utilizes interconnected machines and tools to improve
manufacturing performance and optimize the energy and workforce (Phuyal et al., 2020). Smart manufacturing
requires data processing, artificial intelligence, advanced robotics technology, and interconnectivity.
Phuyal et al. (2020) described the intelligent manufacturing system in terms of its current implementation status.
Those researchers analyzed the gap between the current manufacturing system and the predicted future
intelligent manufacturing system, the associated technologies, and their contribution to innovative
manufacturing technology (Phuyal et al., 2020).
Industry 4.0 is about adopting technologies that involve the Internet of Things, Cloud Computing,
Artificial Intelligence, and Cyber-physical Systems (CPS) to deploy technology-driven Smart Manufacturing
(Oliveira & Santos, 2022). Industry 4.0 introduces participants to current industry trends and advancements
in manufacturing technologies. One of the Industry 4.0 paradigm’s characteristics is a modular
structure of smart factories. CPS monitor the physical processes and develop a virtual copy of the
physical world to test and make decisions. Figure 2 shows that these ICT innovations, allied with the constant
dependence on the Internet, are opening the physical processes to a broad surface of vulnerabilities
and threats, continuously raising many cybersecurity issues in the systems (Oliveira & Santos, 2022).
It becomes essential to enforce security and develop a framework to continuously monitor the systems,
assess them, and attest to their security through an international standard framework to mitigate
these issues. An IT security framework is a set of documented processes that define policies and procedures
to implement and sustain information security controls. These frameworks are blueprints for managing risk
and reducing vulnerabilities (Kirvan & Granneman, 2022; Muller & Burrell, 2022). Oliveira and Santos
(2022) analyzed the current state of cybersecurity in the industrial sector, including critical infrastructures,
and presented ideas about improving security in the industry. In addition, Oliveira and Santos presented
a cybersecurity certification model based on the international standard ISA 62443. The model aims to
develop a framework of constant, real-time analysis and monitoring that continuously assesses the
systems to improve the security level and the maturity of an organization. According to Oliveira and
Santos, the work is part of a European Project that aims to increase resilience in supply chains.
Figure 2. Industry 4.0 smart manufacturing system
Source: Prasad, A., & Ramesh, G. (2019). One day national level workshop on Industry 4.0: Smart manufacturing system.
Chennai, Tamil Nadu [Chennai, on the Bay of Bengal in eastern India, is the capital of the state of Tamil Nadu].
https://www.knowafest.com/explore/events/2019/06/3010-one-day-national-level-workshop-industry-4-0-smart-manufacturing-system-2019-saveetha-school-engineering-chennai
Supply Chain Disruptions During the Pandemic
These are times of rapid change for the US economy (Deloitte, 2021; Harapko, 2022; Helper & Soltas,
2021). With the lessening of the COVID-19 pandemic, businesses have added 540,000 jobs per month
since January 2022. In addition, many customers made large purchases with savings amassed during
the pandemic. Consequently, new home sales increased to their highest level in more than a decade, and
automobile sales increased to their highest in 15 years (Helper & Soltas, 2021). While a rapid swing
in growth is good news for businesses and workers, it also produces challenges. For example, the hotel
and restaurant industries dwindled dramatically during the pandemic and attempted to reopen (Helper
& Soltas, 2021).
Some businesses reported that they needed to hire workers more quickly to keep pace with their
escalating demand, leading to a world record of 8.3 million job opportunities in April 2022
(Helper & Soltas, 2021). Other businesses needed more manufactured goods in inventory to avoid
running out of stock. The situation was especially difficult for businesses with complicated supply
chains, as their production was susceptible to disruption due to shortfalls from other
companies. These scarcities and supply chain disturbances are substantial and pervasive but more than
likely transitory (Helper & Soltas, 2021).
The COVID-19 pandemic compelled many companies and industries to reconsider and convert their
global supply chain model (Deloitte, 2021). The pandemic uncovered the susceptibilities of many organizations,
especially those with a high reliance on China, to meet their need for unprocessed materials
and finished products. China’s dominant role as the world’s factory means that significant disruptions
put global supply chains at risk (Deloitte, 2021). Underscoring that exposure, more than 200 Fortune Global
500 firms have a presence in Wuhan, the highly commercial region where the outbreak began (Deloitte, 2021).
The COVID-19 pandemic caused significant trials for supply chains worldwide (Harapko, 2022).
Multiple national lockdowns continue to slow or halt the circulation of raw materials and finished
goods, thus disrupting manufacturing. However, unlike Helper and Soltas (2021), Harapko found that
the pandemic has not particularly created new supply-chain challenges. Instead, in some areas, it brought
to light previously unseen vulnerabilities for many organizations that suffered staff shortages and losses
due to the COVID-19 pandemic. As a result, it accelerated and magnified problems that already existed in the
supply chain (Harapko, 2022).
The COVID-19 pandemic is a worldwide disruption across finance, health, education, trade, businesses,
and societies. In 2020, Ernst and Young surveyed approximately 200 senior-level supply chain
executives to examine topics including the COVID-19 pandemic’s impact on supply chains. In addition,
they explored the priorities for the next one to three years for digitizing supply chains and making them
self-sufficient. Only 2% of responding companies reported being prepared for the pandemic. Severe disruptions
affected 57% of respondents, and 72% reported a negative effect (17% a significant adverse impact and
55% a primarily negative one) (EY US, 2020; Harapko, 2022).
COVID-19 Pandemic and the Work From Home Approach to Cybersecurity Concerns
Consider the disruption caused by the COVID-19 pandemic. The disruption created opportunities for
criminal hackers to attack individuals and companies through email phishing, supply chain attacks, and
password and malware attacks preying on millions of remote workers’ devices (Gilkey, 2021). In 2021,
global ransomware attacks numbered over 304 million, surpassing the previous year’s total (Duong et al., 2022).
The COVID-19 pandemic has intensely impacted the world, with many finding themselves working,
studying, communicating, and performing other essential needs within cyberspace (Duong et al.,
2022). The pandemic has presented many obstacles and challenges for everyone around the world. Due
to the outbreak of COVID-19, many organizations chose to adopt a working-from-home approach to
keep employees safe and reduce the spread of the virus. However, the pandemic forced many people to
work online, which also attracted many cyber-criminals who viewed the pandemic as an opportunity to
exploit many working-from-home users (Duong et al., 2022). The cyber-security concerns derived from
working from home include having weak security control measures and the possibility of encountering
ransomware (Duong et al., 2022).
Cyber Hygiene and Security Posture
Cyber hygiene reduces vulnerabilities by identifying risks and deploying mechanisms and strategies
to mitigate or resolve them (Null, 2021). By practicing cyber hygiene, organizations strengthen their
security posture and can more effectively defend themselves against devastating breaches (Null, 2021).
Cyber hygiene means taking security measures to protect one’s assets (i.e., people, processes, and
technology) from unauthorized access, including using strong passwords and up-to-date software and
protecting information shared online (Cyphere, 2022). In addition, cyber hygiene means creating backups
of personal data and using security measures such as two-factor authentication. Two-factor authentication
is an electronic verification method in which a person must present evidence that they are who they say
they are. The user must successfully present at least two pieces of evidence as proof, or they
will not be granted access (Shacklett, 2022). Maintaining computers and software with a regular cyber
hygiene strategy is beneficial for maintenance and security. In addition, cyber hygiene practices protect
a company from cyber-attacks by preventing hackers or malicious actors from infiltrating the computer
network and stealing private data like customer information (Cyphere, 2022).
The definition of cyber hygiene for individuals means taking care of digital items in the same way as one’s
physical self. Just as individuals would not leave their houses unlocked or their car running with the keys in
the ignition, they should not neglect basic security measures for online accounts and devices (Cyphere,
2022). Cyber security measures aim to prevent hackers or malicious actors from infiltrating the computer
network and stealing sensitive data, such as customer information. It is also known as cyber health.
Security measures can be as simple as using strong passwords or changing them often, doing routine
security audits, or installing security updates (Cyphere, 2022).
Types of Cyber Threats
Cyber threats are three-fold. First, cybercrime includes actors or groups targeting systems for monetary
gain or to cause disturbances. Second, cyber-attack often involves politically motivated gathering of
data. Finally, cyberterrorism undermines electronic systems to cause panic or fear (Kaspersky, 2022).
In mitigating cyber-attacks that are complex and ever-increasing, effective security practices and basic
information technology hygiene are generally helpful (Fichtner, 2022). In addition to implementing good
cybersecurity practices, an organization should exercise safe coding practices and keep systems and
security software up to date. Companies could leverage firewalls and threat management tools and
solutions and install antivirus software across systems. Organizations must also control user access
and privileges to their systems. Finally, backup systems often proactively watch for breached
systems (Fichtner, 2022).
Cybercrime. Cybercrime involves single actors or groups targeting systems for monetary gain or to cause
disturbances (Cybersecurity and Infrastructure Security Agency, 2021). Cyber threats refer to
individuals who attempt unauthorized access to a control system device or network using a data
communications pathway, whether from within an organization by trusted workers or from remote
locations by unknown persons using the Internet (Cybersecurity and Infrastructure Security Agency,
2021). Threats to control systems come from many sources, including hostile governments, guerrilla
groups, dissatisfied employees, and mischievous invaders. Protecting against these threats is necessary
to create a protected cyber impediment around the Industrial Control System (Cybersecurity and
Infrastructure Security Agency, 2021). Other threats are natural catastrophes, eco-friendly structures,
technical failures, and irresponsible behaviors of an approved operator. Intentional threats are national
governments, extremists, corporate infiltrators, organized crime groups, hackers, and drudges. Activities
include surveillance, management, identity theft, corruption, and extremism (Cybersecurity and
Infrastructure Security Agency, 2021).
Cyber-attack. Cyber-attack often involves politically motivated information gathering. Malicious actors
gain control of computer systems using standard methods that threaten cybersecurity: malware,
structured query language (SQL) injection, phishing, man-in-the-middle attacks, and denial-of-service
attacks (Kaspersky, 2022).
Malware. Malware covers various outbreaks, including spy software and hardware, worms, and viruses.
Malware exploits weaknesses to breach a network when a user clicks a threatening link or email
attachment, which installs malicious software inside the system (Fichtner, 2022).
Phishing attacks. Phishing attacks are pervasive and involve sending large volumes of deceptive emails
to unwary users, masquerading as coming from a reliable source. Deceptive emails appear to be authentic.
Nevertheless, they connect the receiver to a malicious file designed to give invaders access to a
device to control it, gather intelligence-related data, attach malicious files, and extract financial
information (Fichtner, 2022). Phishing attacks occur through social networks, online areas, and
direct emails from other users with secret intentions. In addition, phishers use public domain
information sources to collect information about a person’s employment, pursuits, and actions. As a
result, through fraudulent phishing emails, invaders can convince an individual that they are
someone they are not (Fichtner, 2022).
Man-in-the-middle attacks. Man-in-the-middle attacks occur when an invader intercepts a two-party
transaction, implanting themselves in the middle. As a result, cyber invaders steal and manipulate data
by interrupting the exchange. This type of attack frequently takes advantage of security weaknesses in a
network, such as unsafe public Wi-Fi, which has no unique login or screening process to
get on the network, so anyone else can use it. Such an unsafe Wi-Fi network offers no guarantee of security
while a person uses it. A Man-in-the-middle attacker injects itself between a user’s computer
and the web. An attack like this is difficult to detect because the user assumes the information
is going to a legitimate destination. Phishing or malware attacks are often used to carry out this
attack (see Figure 3).
Denial-of-service attack. A denial-of-service attack is where cybercriminals prevent a computer system
from fulfilling legitimate requests by overwhelming the networks and servers with traffic. This
attack renders the system unusable, preventing an organization from carrying out vital functions
(Santos, 2020).
Cyberterrorism. Cyberterrorism is any planned, ethically motivated attack to weaken electronic systems
and cause panic or fear (Santos, 2020; Sheldon & Hanna, 2022). Gross et al. (2017) investigated
cyberterrorism in three separate studies. A significant finding was how cyberterrorism aggravates
stress and anxiety, intensifies feelings of vulnerability, and hardens political attitudes. In an earlier
study, researchers Sinclair and Antonius (2013) demonstrated that cyberterrorism causes responses
similar to conventional terrorism. In addition, cyberterrorism destabilizes people’s resistance by
instilling fear and defenselessness. Consequently, some people’s confidence in the ability of the
government and law enforcement agencies to protect them against future attacks might erode.
Cyberterrorism neglects policymakers’ focus on national security interests and protecting frontiers,
critical infrastructures, and military capabilities (Gross et al., 2017). To secure computer systems, Gross et
al. warned that programs in schools and businesses should impart the knowledge and skills workers need
to maintain personal cybersecurity. Gross et al. concluded that the only evaluation tool is performative,
such as how well end-users master and adopt the skills needed to protect online assets (e.g., recognizing
malware, changing passwords, and updating firewalls).
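To make the denial-of-service description above concrete from the defender’s side, here is an added Python example (not from this chapter, nor from Fichtner, Kaspersky or Santos) that parses web-server access-log lines in the Common Log Format and flags any source address that exceeds a request threshold inside a sliding time window, the usual first signal of a traffic flood. The log lines are constructed for the example using RFC 5737 documentation addresses, the window and threshold values are illustrative assumptions, the function names are the example’s own, and it assumes lines arrive in timestamp order, as a server writes them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apache/Nginx Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line; return None for anything that does not match (never raise on junk input)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "request": m.group("request"), "status": int(m.group("status"))}


def detect_floods(lines, window_seconds: int = 10, threshold: int = 20) -> Dict[str, datetime]:
    """Sliding-window rate check per source address: keep each source's request times that fall
    inside the window and flag the source the first time more than `threshold` of them do.
    Returns {ip: timestamp of the request that tripped the threshold}."""
    recent = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than let it crash the detector
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def format_line(ip: str, ts: datetime, request: str, status: int, size: int) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} {size}'


def make_sample_log() -> List[str]:
    """Constructed sample: one ordinary client, one source sending 50 requests in 5 seconds,
    and one malformed line. Addresses are from RFC 5737 documentation ranges, not real hosts."""
    base = datetime(2023, 9, 11, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(5):  # ordinary client: one request every 12 s
        t = base + timedelta(seconds=12 * i)
        events.append((t, format_line("198.51.100.7", t, "GET /index.html HTTP/1.1", 200, 512)))
    for i in range(50):  # flood: 50 requests between t=20 s and t=25 s
        t = base + timedelta(seconds=20, milliseconds=100 * i)
        events.append((t, format_line("203.0.113.9", t, "GET / HTTP/1.1", 200, 128)))
    events.sort(key=lambda e: e[0])
    lines = [line for _, line in events]
    lines.insert(3, "garbage line that is not in common log format")
    return lines


if __name__ == "__main__":
    for ip, when in detect_floods(make_sample_log()).items():
        print(f"flood suspected from {ip} at {when.isoformat()}")
```

A per-source counter like this catches a single noisy client; a distributed flood spreads the load over many addresses, so in practice the same window logic is also run on the aggregate request rate and on per-path rates.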
Cybersecurity and Ransomware Attacks
Cybersecurity is more critical than ever, with increasing ransomware attacks and incidents that threaten
organizations’ security (Department of Homeland Security, 2021; Unified Endpoint Management [UEM],
2021). Unified endpoint management refers to securely managing all the endpoints in an enterprise or
an organization using a comprehensive solution. Information technology asset footprints are proliferating
in organizations (UEM, 2021). Controlling these assets has become more challenging with the
ever-increasing number of endpoints, such as laptops, desktops, tablets, and smartphones. Endpoint
management becomes even more challenging with the various devices outside the
organization’s network (UEM, 2021).
Figure 3. Man-in-the-middle attacks
Source: Fichtner, E. (2022). What are the common types of cyber security attacks? https://www.datto.com/blog/cybersecurity-101-intro-to-the-top-10-common-types-of-cybersecurity-attacks
The Department of Homeland Security (DHS, 2021) warned organizations in the US to strengthen
their defenses against ransomware attacks as mandated by the National Cyber Strategy. When cyber incidents
occur, the DHS aids potentially impacted entities, analyzes the impact across critical infrastructure,
investigates those responsible with law enforcement, and coordinates how the nation responds to serious
cyber incidents (DHS, 2021).
III. DISCUSSION
Cybersecurity Maturity Model Certification as the Solution
Cybersecurity Maturity Model Certification (CMMC) is one of the standards for cybersecurity implementation
within the Defense Industrial Base (DIB). This framework guarantees that Controlled Unclassified
Information (CUI) is protected (Interlink Cloud Advisors, 2022). The CMMC framework requires
any organization that contracts with the DoD to comply with CMMC requirements, which began in 2020.
Nonetheless, the DoD continues to add the new standards to new contracts until all entities are covered by
2025 (Interlink Cloud Advisors, 2022).
Cybersecurity Maturity Model Certification (CMMC) is a standard for implementing cybersecurity
(Interlink Cloud Advisors, 2022). This framework includes a certification element to confirm that organizational
processes and practices are in place intending to protect unclassified federal information in
the supply chain. All organizations conducting business with the Department of Defense (DoD) must be
CMMC certified. This certification is critical news for the 220,000 DoD contractors and sub-contractors
(Interlink Cloud Advisors, 2022).
Initially, the CMMC served as part of the Defense Federal Acquisition Regulation Supplement
(DFARS). Then a decision sent over 300,000 members of the defense industrial base (DIB), primarily
small and midsize businesses (SMBs), into a state of instability and unrest (Interlink Cloud Advisors,
2022). Most organizations are deluged by the unnecessary noise surrounding CMMC and its more significant
implications for existing and future government contracts (Interlink Cloud Advisors, 2022). Figure 4
shows that the CMMC model has five maturity levels; only level 1 is needed to start. CMMC level 1 has
17 requirements directly lifted from NIST 800-171. Future DoD contracts define the CMMC level and
may require higher maturity levels over time.
The initial implementation of the CMMC is only within the DoD and not necessarily for all the Federal
non-DoD contracts. However, the DoD made this a requirement in a phased-in approach until all
contracts reach certification on September 30, 2025 (Interlink Cloud Advisors, 2022). During the first
year of this requirement, only 15 contracts met their obligation to meet the requirement. Many other
organizations across all industries sought CMMC as a benchmark for compliance. For example, CMMC
and FedRAMP share a standard security model. Federal Risk and Authorization Management Program
(FedRAMP) is an extensive process requiring a third-party audit to assess the security of Cloud solutions
and services used by US federal agencies (Interlink Cloud Advisors, 2022).
The CMMC was formally a part of the Defense Federal Acquisition Regulation Supplement (DFARS;
Interlink Cloud Advisors, 2022). The decision caused over 300,000 members of the defense industrial base
(DIB), primarily small and midsize businesses (SMBs), to be upset and disturbed by the requirement. Most
found themselves in situations surrounding CMMC and its more significant implications for existing and
future government contracts. The CMMC model has five maturity levels; only level 1 is needed to start.
CMMC level 1 has 17 requirements directly lifted from NIST 800-171. Future DoD contracts might define
the CMMC level and require higher maturity levels over time (Interlink Cloud Advisors, 2022).
Advantages of Implementing the CMMC
The CMMC offers several advantages for organizations that choose to implement it. These advantages
include increased security, improved compliance, and cost savings.
Figure 4. CMMC levels
Source: Interlink Cloud Advisors. (2022). Cybersecurity maturity model certification (CMMC). https://www.interlink.com/cybersecurity-maturity-model-certification-cmmc
Increased Security
The primary benefit of the CMMC is improved security. The CMMC is an industry-recognized cybersecurity
standard that provides organizations with a comprehensive approach to safeguarding their networks,
systems, and data. By following the CMMC, organizations can reduce their risk of unauthorized access
to their networks, systems, and data. According to the DoD, “The CMMC model is designed to provide
organizations with the necessary security controls to protect Federal Contract Information (FCI) and
Controlled Unclassified Information (CUI) from unauthorized access and malicious activity.” (DoD,
2020). The CMMC provides organizations with the necessary tools to protect their networks, systems,
and data from cyber threats. It also helps organizations develop a robust security posture that is more
resilient to threats.
Improved Compliance
The CMMC also provides organizations with improved compliance with government regulations. The
DoD requires that contractors and subcontractors comply with the CMMC in order to do business with
the government. By implementing the CMMC, organizations can ensure that they are meeting the government’s
requirements. The CMMC provides organizations with the necessary framework to ensure
that they are meeting the government’s security requirements. It also provides organizations with the
necessary guidance to ensure that they are implementing the appropriate security controls.
Cost Savings
The CMMC also provides organizations with cost savings. The CMMC helps organizations reduce
costs by eliminating the need to implement multiple security controls. By implementing the CMMC,
organizations can reduce their costs by eliminating the need to purchase and implement multiple security
products. The CMMC also helps organizations reduce their costs by streamlining the security process.
By implementing the CMMC, organizations can reduce costs by eliminating the need to hire and train
additional personnel. The CMMC also helps organizations reduce costs by eliminating the need to hire
third-party vendors to audit their systems.
IV. CONCLUSION
Cybersecurity is one of the most critical parts of a rapidly evolving digital world. The threats are difficult
to dismiss. Therefore, it is critical to learn how to guard against them and teach others how to do
it. During escalating attacks, organizations explore new strategies (Shea, 2022). As global headlines
indicate, cyber-attacks are rapidly becoming the pandemic of 2021 (IronNet, 2021). However, the great
news is that most global survey respondents (90%) indicated that their company’s security posture has
improved in the past two years (IronNet, 2021). Nevertheless, 86% have had a severe cybersecurity
incident in the past year that required a Board meeting. There is a disconnect between a reportedly high
confidence level in existing controls and the rising attacks (IronNet, 2021).
Recommendations
Several recommendations were made based on the literature about informing the supply chain community
of the impact that a lack of cybersecurity awareness has on business continuity:
1. Improve compliance standards to support the use of complementary measures where they are perceived
to be necessary, and identify opportunities for future research into the complexity of compliance
guidelines and their implementation.
2. Organizations and companies should partner with the industry to identify and mitigate supply chain
issues.
3. Over the next year, DoD needs to expand existing capabilities and develop new tools for an industrial
base analytic capability.
Informing and enabling DoD decision-makers to identify supply chain challenges helps to communicate
specific concerns to the industry and mitigate risks as appropriate. The focus of the tools should
be on identifying sub-tier production limitations. Finally, experts agree that, to build better defenses
against evolving cyber threats, organizations and companies should seek independent outside parties to
help expand knowledge bases, build more robust capabilities, and identify problems early in security
and risk management programs (Seets et al., 2022).
Another recommendation is to use a renowned, trustworthy supplier. Some companies supply utilities, but
utilities can be malicious software (Ursillo & Arnold, 2019). Therefore, companies
should be vigilant about using free software or software from an anonymous supplier. Generally, companies
should use the utilities recommended by business systems (i.e., technical support) organizations.
Such organizations guarantee installation, design, and maintenance (Ursillo & Arnold, 2019). The
protection of these applications remains critical. New malevolent software appears daily. Most software
vendors provide a minimum of daily routine updates to their files to certify that the system continues
to be effectively protected. Guaranteeing that these updates are correctly implemented becomes an essential
goal (Ursillo & Arnold, 2019).
REFERENCES
Banerjee, A. (2022). National Institute of Standards and Technology guidance: Defending against
software supply chain attacks. Riscosity. https://www.riscosity.com/nist-guidance-defending-against-software-supply-chain-attacks/
BizClik Media. (2020). Accenture: Building supply chain resilience amidst COVID-19. Supply Chain
Digital. https://supplychaindigital.com/supply-chain-2/accenture-building-supply-chain-resilience-amidst-covid-19
Cyber Defense Q. C. D. Corporation (CYDEF). (2021). The human factor: The hidden problem of cybersecurity.
https://cydef.ca/blog/the-human-factor-the-hidden-problem-of-cybersecurity/#:~:text=Human%20Factor%20in%20Cybersecurity,of%20human%20errors%20adds%20up
Cybersecurity and Infrastructure Security Agency. (2019). Security tip (ST04-006): Understanding
patches and software updates. https://www.cisa.gov/uscert/ncas/tips/ST04-006
Cybersecurity and Infrastructure Security Agency. (2021). Cyber threat source description. https://www.cisa.gov/uscert/ics/content/cyber-threat-source-descriptions#terror
Cybersecurity and Infrastructure Security Agency. (2022). DHS role in cyber incident response. https://www.cisa.gov/publication/dhs-role-cyber-incident-response
Cyphere. (2022). Cyber hygiene: Importance, benefits, and best practices. https://thecyphere.com/blog/cyber-hygiene/#:~:text=Maintaining%20your%20computers%20and%20software,cyber%20hygiene%20strategy%20is%20beneficial.&text=Cyber%20hygiene%20practices%20protect%20your,private%20data%20like%20customer%20information
Davies, V. (2021). Cyber. In The history of cybersecurity. https://cybermagazine.com/cyber-security/history-cybersecurity
Deloitte. (2021). COVID-19: Managing supply chain risk and disruption. https://www2.deloitte.com/global/en/pages/risk/cyber-strategic-risk/articles/covid-19-managing-supply-chain-risk-and-disruption.html
Department of Defense. (2020a). Cybersecurity Maturity Model Certification (CMMC). https://www.acq.osd.mil/cmmc/
Department of Defense. (2020b). Cybersecurity maturity model certification: Defense federal acquisition
regulation supplement: Assessing contractor implementation of cybersecurity requirements (DFARS Case
2019–D041), 85 Fed. Reg. 61505. https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
Department of Homeland Security. (2021). Implementing a resilient cybersecurity strategy as per the
Department of Homeland Security. Manage Engine Endpoint Central. https://www.manageengine.com/products/desktop-central/us-national-cyber-strategy.html
Duong, A. A., Bello, A., & Maurushat, A. (2022). Chapter 3: Working from home users at risk of
COVID-19 ransomware attacks. Cybersecurity and Cognitive Science (pp. 51–87), Wilmington, DE.
doi:10.1016/B978-0-323-90570-1.00001-2
European Union Agency for Cybersecurity. (2021a). Understanding the increase in supply chain security
attacks. https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
European Union Agency for Cybersecurity. (2021b). ENISA threat landscape for supply chain attacks.
https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
Fichtner, E. (2022). What are the common types of cyber security attacks? https://www.datto.com/blog/cybersecurity-101-intro-to-the-top-10-common-types-of-cybersecurity-attacks
Francia, G. A. III, & Zanzig, J. S. (Eds.). (2022). Global perceptions on information security regulations:
Compliance, controls, and assurance. IGI Global.
Giles, T., & Dancel, R. (2020). NSF-ISR information security program poised to become a leader
in protecting the DoD supply chain. https://www.yahoo.com/lifestyle/nsf-isr-information-security-
program-141000331.html
Gilkey, J. G. (2021). The challenges and realities of retailing in a COVID-19 world. ResearchGate. https://
www.researchgate.net/publication/351656064_The_challenges_and_realities_of_retailing_in_a_CO-
VID-19_world_Identifying_trending_and_Vital_During_Crisis_keywords_during_Covid-19_using_Ma-
chine_Learning_Austria_as_a_case_study
Gross, M. L., Canetti, D., & Vashdi, D. R. (2017). Cyberterrorism: Its effects on psychological well-
being, public confidence, and political attitudes. Journal of Cybersecurity, 3(1), 49–58. doi:10.1093/
cybsec/tyw018
Harapko, S. (2022). How COVID-19 impacted supply chains and what comes next. https://www.ey.com/
en_us/supply-chain/how-covid-19-impacted-supply-chains-and-what-comes-next
Helper, S., & Soltas, E. (2021). Why the pandemic has disrupted supply chains. The White House. https://
www.whitehouse.gov/cea/written-materials/2021/06/17/why-the-pandemic-has-disrupted-supply-chains/
Interlink Cloud Advisors. (2022). Cybersecurity maturity model certification (CMMC). https://www.
interlink.com/cybersecurity-maturity-model-certification-cmmc
Interos Resilience Lab. (2022). Interos annual global supply chain report. https://www.interos.ai/re-
sources/global-supply-chain-report/
IronNet. (2021). Cybersecurity impact report. https://www.ironnet.com/resource-library/2021-cyber-
security-impact-report
Kaspersky. (2022). What is cyber security? https://www.kaspersky.com/resource-center/definitions/
what-is-cyber-security
Kirvan, P., & Granneman, J. (2022). IT security frameworks and standards explained. Tech Target. https://
www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one
Lopez, C. T. (2020). DoD to require cybersecurity certification in some contract bids. Department of
Defense News. https://www.defense.gov/Explore/News/Article/Article/2071434/dod-to-require-cyber-
security-certificationin-some-contract-bids/
Lovells, H., & Olmsted, L. (2022). The Department of Defense’s report on securing defense-critical
supply chains. U.S. Department of Defense. https://www.jdsupra.com/legalnews/the-department-of-
defense-s-report-on-7923795/
ManageEngine and Endpoint Central. (2021). Implementing a resilient cybersecurity strategy as per
the Department of Homeland Security. https://www.manageengine.com/products/desktop-central/us-
national-cyber-strategy.html?network=g&device=c&keyword=cyber%20security&campaignid=912
9222932&creative=414503841838&matchtype=p&adposition=&placement=&adgroup=915992946-
39&targetid=kwd-119746396&gclid=EAIaIQobChMI9Z2ai7-Z-AIVgTizAB1g7wN5EAAYASAA-
EgK1xPD_BwE
241
An Analysis of the Design of the Cybersecurity Maturity Model Certication
Modiyliani, P. (2022). Senate Arms Services Committee (SASC) hearing on the defense industrial
base. Acquisition in the Digital Age. https://aida.mitre.org/blog/2022/05/04/sasc-hearing-on-defense-
industrial-base/
Muller, S. R., & Burrell, D. N. (2022). Social Cybersecurity and Human Behavior. International Journal
of Hyperconnectivity and the Internet of Things, 6(1), 1–13. doi:10.4018/IJHIoT.305228
Muller, S. R., & Lind, M. (2020). Factors in information assurance professionals’ intentions to adhere
to information security policies. International Journal of Systems and Software Security and Protec-
tion, 11(1).
Muller, S. R., & Thomas, C. E. (2020). Election Infrastructure Security: Grants and Reimbursement to
the States for Usage of their National Guards in State Active-Duty Status to Provide Cybersecurity for
Federal Elections. Proceedings of International Conference on Research in Management and Technova-
tion, ICRMAT 2020 Vol (24). Annals of Computer Science and Information Systems ISSN 2300-5963
National Institute of Standards and Technology. (2021). Defending against software supply chain at-
tacks. U.S. Department of Commerce. Cybersecurity and Infrastructure Security Agency. https://www.
cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
National Science Foundation-International Strategic Registrations (NSF-ISR). (2021). A guide to cy-
bersecurity maturity model certification (CMMC) levels. https://www.nsf.org/knowledge-library/guide-
cybersecurity-maturity-model-certification-cmmc-levels
Null, C. (2021). What is cyber hygiene and why does it matter? https://www.tanium.com/blog/what-is-
cyber-hygiene-and-why-does-it-matter/
Office of the Undersecretary of Defense. (2022). Overview of CMMC 2.0 model. Acquisition and Sus-
tainment. https://www.acq.osd.mil/cmmc/model.html
Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD A&S). (2020). Cyber-
security maturity model certification, version 1.02. https://www.acq.osd.mil/cmmc/docs/CMMC_Mod-
elMain_V1.02_20200318.pdf
Organization for Economic Cooperation and Development. (2022). ICTs for development: Improving
policy coherence. https://www.oecd.org/gov/pcsd/ictsfordevelopment-improvingpolicycoherence.htm
Peters, H. M. (2020). Defense acquisition: DoD’s cybersecurity maturity model certification framework.
Congressional Research Service. https://sgp.fas.org/crs/natsec/R46643.pdf
Phuyal, S., Bista, D., & Bista, R. (2020). Challenges, opportunities, and future directions of smart manu-
facturing: A state of art review. Sustainable Futures, 2, 1–15. doi:10.1016/j.sftr.2020.100023
Plachkinova, M. (2022). Global perspectives on information security regulations: Compliance, controls,
and assurance. doi:10.4018/978-1-7998-8390-6.ch001
Prasad, A., & Ramesh, G. (2019). One day national level workshop on Industry 4.0: Smart manufactur-
ing system. Chennai, on the Bay of Bengal in eastern India, is the capital of the state of Tamil Nadu.
https://www.knowafest.com/explore/events/2019/06/3010-one-day-national-level-workshop-industry-4-
0-smart-manufacturing-system-2019-saveetha-school-engineering-chennai
242
An Analysis of the Design of the Cybersecurity Maturity Model Certication
Rao, V. (2022). Steps cyber-resilient businesses must take now. World economic Forum. https://www.
weforum.org/agenda/2022/06/cyber-hygiene-resilience-steps/
Rauf, A. (2019). The importance of human factor in cybersecurity. Research Gate. https://www.research-
gate.net/publication/332539716_The_Importance_of_Human_Factor_in_Cybersecurity
Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., & Guissanie, G. (2020). Special publication 800-171:
Protecting controlled unclassified information in nonfederal systems and organizations, revision 2. National
Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Santos, J. A. (2020). Cybersecurity type definitions. https://www.linkedin.com/pulse/cyber-security-
types-definition-joas-antonio-dos-santos
Seets, C., Saverice-Rohan, A., & Burg, D. (2022). Cybersecurity: Staying vigilant through prevention,
oversight, and governance. Ernst & Young, LLP. https://www.ey.com/en_us/assurance/cybersecurity-
staying-vigilant-through-prevention-oversight-and-governance
Shacklett, M. E. (2022). What is multifactor authentication and how does it work? https://www.techtarget.
com/searchsecurity/definition/multifactor-authentication-MFA
Shea, S. (2022). What is cybersecurity? TechTarget. https://www.techtarget.com/searchsecurity/defini-
tion/cybersecurity
SheldonR.HannaK. T. (2022). Cyberterrorism. https://www.techtarget.com/searchsecurity/definition/
cyberterrorism
Sinclair, S. J., & Antonius, S. J. (2013). The political psychology of terrorism fears. Oxford University
Press. doi:10.1093/acprof:oso/9780199925926.001.0001
Snijders, T., Aussieker, T., Holwerda, A., Parise, G., van Loon, L. J. C., & Verdijk, L. B. (2020). The
concept of skeletal muscle memory: Evidence from animal and human studies. Acta Physiologica (Ox-
ford, England), 229(3), 1–20. doi:10.1111/apha.13465 PMID:32175681
Spencer, T. (2019). What is the NIST SP 800-171 and who needs to follow it? https://www.nist.gov/blogs/
manufacturing-innovation-blog/what-nist-sp-800-171-and-who-needs-follow-it-0
Suurv Technologies. (2021). Technologies and cybersecurity. https://suurv.com/technologies/
security/#:~:text=Most%20cybercrime%20includes%20single%20actors,to%20cause%20panic%20
or%20fear
Unified Endpoint Management. (2022). The need for unified endpoint management. Zoho Corporation.
https://www.manageengine.com/products/desktop-central/unified-endpoint-management-solutions.html
United States Government Accountability Office. (2020). Department of Defense: Improvements needed
in supplier risk management. Retrieved from https://www.gao.gov/assets/710/706549.pdf
United States Government Accountability Office. (2022). Defense cybersecurity: Protecting controlled
unclassified information systems. A Report to Congressional Committees. https://www.gao.gov/assets/
gao-22-105259.pdf
243
An Analysis of the Design of the Cybersecurity Maturity Model Certication
Ursillo, S., Jr., & Arnold, C. (2019). Cybersecurity is critical for all organizations, large and small.
International Federation of Accountants, Knowledge Gateway. https://www.ifac.org/knowledge-gateway/
preparing-future-ready-professionals/discussion/cybersecurity-critical-all-organizations-large-and-small
U.S. Department of Commerce and U.S. Department of Homeland Security. (2022). Assessment of the
critical supply chains supporting the U.S. information and communications technology industry. https://
www.bis.doc.gov/index.php/documents/technology-evaluation/2939-22-1175-attachment-1-of-1-ict-
supply-chain-assessment-report-v3-dhs-doc-signed-02-24-22/file
Wasowski, S. (2020). Supply chain risk management. John Wiley & Sons.