Cybersecurity Certification: What Israeli Defense Companies Need to Know
In its fiscal year 2025 budget request, the U.S. Department of Defense (DoD) requested $14.5 billion for network security, cyber operations and digital research and development. The request, which reflects a notable increase from its 2024 budget, was part of a larger $27.5 billion ask by the Biden Administration for increased federal cyber funds, including for civilian-related agencies. While the Biden Administration’s budget represents a wish list that requires congressional approval to be enacted, it offers an indication of the administration’s priorities. According to a report by the U.S. Government Accountability Office, the DoD experienced over 12,000 cyber incidents from 2015 to 2022.
The DoD has been engaged in various efforts to improve its cybersecurity posture throughout the years. The most recent effort is focused on a new certification requirement designed to protect the U.S. supply chain. The DoD’s forthcoming Cybersecurity Maturity Model Certification (CMMC) will, in some instances, require a third-party cybersecurity certification of compliance with current obligations, including information systems requirements, reporting requirements following a breach, and supply chain requirements. Beyond CMMC for DoD contracts, other U.S. federal agencies also have or will soon launch new cybersecurity initiatives.
While the CMMC is focused on products and services, the U.S. has already instituted the Federal Risk and Authorization Management Program (FedRAMP) for cloud service providers where U.S. government information is involved. Israeli companies in the U.S. supply chain are required to comply with the CMMC and other applicable programs, even if they are far down the supply chain and do not have direct contact with the U.S. federal government.
The CMMC, which is expected to enter into initial effect on December 1, 2024, has broad applicability and will include a tiered three-level assessment. The certification, which applies to contractors and subcontractors, combines the best practices of multiple cybersecurity models. Level 1 is generally geared toward handling less sensitive information and federal contract information. Levels 2 and 3 are geared toward handling more sensitive information and controlled unclassified information.
The CMMC final rule is expected by the end of 2024 or early 2025. However, the DoD’s government contractors are already being held liable for failure to abide by cybersecurity standards, exposing them to the risk of False Claims Act violations. Israeli defense technology companies are encouraged to take a proactive approach to CMMC compliance, including assessing the type of information they are handling, limiting assets in scope of work, setting boundaries between related companies, and establishing policies and training to validate compliance.