2021 was an eventful year for cleared facilities, bringing new federal security legislation driven by changing trends in technology and the workforce. With rising cybersecurity threats and international conflict on the horizon, 2022 is shaping up to be just as disruptive, and FSOs must be prepared.
Today, FSOs stand at the front line of America’s fight for national security. Amidst the growing tide of insider threats, malware attacks and cybersecurity incidents, they protect our nation’s most sensitive facilities from foreign actors and organized espionage. In the coming year, their jobs will be more important and demanding than ever before.
To help them along the way, in this blog we’re sharing our top 5 predictions for trends that will impact cleared facilities and their employees in 2022.
Early Adoption of CMMC
In November of 2021, the Department of Defense (DoD) announced new updates to the Cybersecurity Maturity Model Certification (CMMC), its latest effort to combat rising cyber threats across federal organizations. CMMC 2.0 – the most recent version of the model – includes three tiers of certification, with a more lenient system for third-party assessments.
With the rulemaking process projected to last for another 9-24 months, CMMC is still a work in progress – but due to the imminent need for increased security, the DoD is considering incentives to boost the number of early adopters. Consequently, organizations who are certified in 2022 may see their deadline for re-assessment expanded to four years instead of the usual three.
Whether this happens or not, cleared contractors are well-advised to consider early adoption of CMMC and schedule their third-party assessment accordingly: aside from potential incentives, it will bring added protection and early eligibility for CMMC-based contracts. For further information and resources, visit the DoD’s official CMMC website.
Increased Cybersecurity Threats
Driven in part by COVID restrictions and an increasingly mobile workforce, 2021 saw a shocking rise in cyberattacks across organizations in the public and private sector. Over 22 billion records were leaked in data breaches – ransomware attacks on government targets increased by 1885% – and organizations lost $4.65 million on average for breaches caused by phishing attacks.
Only a few months into 2022 and there are plenty of reasons to expect that these trends will continue: at the beginning of the year, millions of cyberattacks targeting the Log4Shell vulnerability were detected per hour. More recently, Russia’s attack on Ukraine has prompted concerns over increased activity from nation-state cyber actors.
In response to these concerns, senators passed the “Strengthening American Cybersecurity Act’ in early March, combining language from three earlier bills. If it passes the House of Representatives, the legislation will have a sweeping impact on all federal contractors, enacting laws for early cyber reporting along with updates to FISMA and a renewal of FedRAMP to encourage cloud adoption.
Accelerated Push for Zero Trust Security
2021’s ‘Executive Order on Improving the Nation’s Cybersecurity’ (EO 14028) pushed government agencies to adopt zero trust architecture across their IT systems. From a cybersecurity perspective, this means treating every user like a potential threat, continually verifying their identity and restricting their privileges to access resources.
A few months after the executive order was released, the Cybersecurity and Infrastructure Security Agency released a Zero Trust Maturity Model (ZTMM) to guide federal agencies. But even though agencies are not required to implement this model until December of 2024, that timeframe may soon be accelerated.
Following Russia’s attack on Ukraine, legislators have shown increased urgency for zero-trust security – for instance, the bill that is currently before Congress would “require agency progress reports on implementing zero trust security.” If passed, this would put increased pressure on government organizations to implement CISA’s model sooner.
Dangers for Critical Infrastructure
Critical infrastructure – such as oil and gas, manufacturing, energy and utilities – have long been a growing target for cyber actors, representing a major national security risk. In 2021, the Florida Water Supply and Colonial Pipeline attacks were a major motivation behind EO 14028 and subsequent security reforms.
In 2022, experts fear the possibility of increased critical infrastructure attacks from Russian-based cyber actors, especially after president Vladimir Putin threatened “consequences” to any country who “tries to hinder” the nation in its ongoing aggression against Ukraine.
Cleared organizations and contractors who rely on operational technology (OT) to carry out their mission have every reason to be concerned: more than 90% of companies across manufacturing, energy and other industries experienced at least one cyber incident between 2020 and 2021 alone.
Further Clearance Reform
The security clearance process has shown remarkable improvements since the Office of the Director of National Intelligence (ODNI) announced its Trusted Workforce 2.0 initiative in 2018. Since then, the backlog of security clearances has fallen from record-breaking highs, and continuous evaluation has been rolled out to all DoD clearance holders, allowing them to forego the need for re-evaluation.
But things aren’t perfect yet: The National Background Investigation Services (NBIS) will not reach full operational capacity until 2023. In the meantime, the average time for processing secret and top-secret clearances has fallen behind, and government agencies still suffer from a lack of information sharing that could further expedite the clearance process.
In 2022, the Defense Counterintelligence and Security Agency (DCSA) has announced its intentions to further develop NBIS, and modernize legacy background investigation systems. By the end of the year, FSOs can expect a smoother end-to-end experience that will lead to faster processing time, and savings for cleared organizations.
In 2022, FSOs and other security officers will need all the help they can get to keep up with changing legislation and developing threats.
The latest version of Access Commander® includes critical functionality to help FSOs collaborate with other executives, prevent threat incidents and promote a culture of cybersecurity from the top-down.
- Understand and identify insider threats with the Advanced Insider Threat Analysis
- Share information through role-based dashboards and integration with Portal Commander™
- Implement training programs and track progress with the Training and Conference Management module
- Track security incidents, suspicious contacts, foreign travel and more
Want to learn more? Contact us today for a free demo!