Foreign countries are targeting and compromising U.S. contractors so frequently that the Department of Defense (DOD) requested that the National Institute of Standards and Technology (NIST) develop custom security guidelines.
The result was 31 new recommendations for contractors to harden their defenses and protect unclassified but still sensitive government data, including Social Security numbers and other personally identifying information.
Recommendations include implementing dual-authorization access controls for sensitive operations, employing network segmentation where appropriate, deploying deception technologies, and employing threat-hunting teams and a security operations center to monitor system and network activity. Additionally, DOD has taken steps to increase participation in information-sharing programs and has rolled out new cybersecurity standards for its contractor base.
These security guidelines are mandatory for approximately 65,000 prime contractors and subcontractors who work with DOD. Implementing them can be a heavy financial burden, but the hope is that nonfederal organizations will adopt alternative, equally effective security measures, using CMMC as a model.
Summarized from washingtontechnology.com