Why has DFARS been used to address DIB cybersecurity

Cybersecurity Is One Of The Biggest Risks Nations, Organisations, And Society Face

Cyber is the biggest non-financial risk faced by nation-states and their governments, alongside climate change, military conflict, and geopolitical risks.  Cyber is a risk to national security, economic security, and the security of society.  Cyber is a threat vector that is increasingly being used as a tool to destabilize nation-states through targeted attacks against the public and private sectors and pre-positioning within critical national infrastructure (CNI).  The political, economic, and societal impact of cyber-attacks is broad and deep.

Cyber risks are a unique category of risk, as a single cyber attack can simultaneously impact national security, organizational security, and economic stability.  Cyber attacks against SolarWinds, UnitedHealth, and CDK in the United States demonstrated the impact on national technology services (SolarWinds), national healthcare (UnitedHealth), and national automotive distribution (CDK).  Cyber attacks against Jaguar Land Rover and Collins Aerospace demonstrated the effect on logistics networks and suppliers (JLR) and on UK and European air transport infrastructure (Collins Aerospace).

Cyberattacks are a threat to national security

Cyberspace has become as critical to national security as land, sea, air, and space.  Nations rely heavily on digital networks for economic stability, defense operations, and the functioning of critical infrastructure.  While technology has enabled remarkable progress, it has also introduced a dangerous new domain of conflict.  Cyber threats now pose some of the most pressing challenges to national security, as they can undermine government institutions, destabilize economies, and even disrupt daily life. There are several reasons cyber is a threat to national security.

  • Critical National Infrastructure (CNI) – Cyber attacks are a threat to vulnerable CNI, such as power grids, oil and gas, healthcare, water treatment plants, transportation systems, and communication networks, which are increasingly connected to the internet. A successful cyber attack on a power grid could plunge millions into darkness, crippling hospitals, businesses, and emergency services.
  • Espionage and Data Theft – Hackers are known to have stolen classified government information, military secrets, and sensitive research, weakening a nation’s defense capabilities and giving adversaries an advantage.
  • Reputation Damage – A successful cyber attack can erode customer trust, especially if sensitive personal data is exposed.  Poor management of a cyber attack can lead to negative media coverage, damaging a company’s image and driving customers and business partners away.
  • Operational Disruption – Cyber attacks can disable critical business functions, affecting IT, supply chains, communication, or manufacturing. Ransomware can lock networks, stopping operations completely. Extended downtime results in lost revenue and damages relationships with suppliers, partners, and customers.

Cyber attacks are a threat to corporate security

The global economy relies on public and private sector organisations to sell products and services, products and services that in turn rely on digital infrastructure for their research, development, design, manufacture, and maintenance.  The public sector is heavily reliant on the private sector for tax income, sustainable jobs, technology and innovation, and most of its national infrastructure, such as CNI, supply chains, and logistics, without which society does not function.  Corporations come in all shapes and sizes.  Many firms are interconnected, with large companies relying on small companies for products and services.  All companies rely on CNI, which is often provided by the private sector.  There are several reasons cyber is a threat to corporate security.

Nation-state management of public and private sector cybersecurity

Cyber risks are complex risks to manage.  Cyber attacks can affect supply chains and national security.  NATO recognises cyber as a domain of operations alongside kinetic warfare.  Cyber threat actors can work for nation-states or nation-state proxies while also operating as cyber criminals.  Cyber weapons developed to attack nation-states have been repurposed to attack commercial companies and a nation’s citizens.  Our digitally connected and dependent society creates opportunities to launch cyber attacks that are limited only by the number of devices connected to the internet.  Awareness of cybersecurity among nation-state governments, organisations, and the public is relatively low, as is the maturity of cybersecurity risk management.  There are not enough experienced and qualified resources available to manage cybersecurity risk.  With these points in mind, how do nation-states protect their public and private sectors and their citizens from the effects of cyber attacks?  There are few levers available other than regulation and the law.


DFARS rules already include requirements for NIST 800-171 compliance

Why did the US DoD adopt CMMC

In 2018, the US Government Accountability Office (GAO) published a report called “DOD Needs to Clarify Cybersecurity Oversight Roles and Improve Safeguards for Controlled Unclassified Information”, followed in 2019 by “Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities”.  These reports raised concerns over the management of cybersecurity by the DoD’s Defense Industrial Base (DIB), the theft of weapon systems data, and the use of that data by nation-states, and initiated the US DoD’s program to improve the cybersecurity of the DIB.  That process resulted in the publication of the DFARS 252.204-7021 CMMC rule in the US Federal Register on the 10th September 2025.  The DFARS 252.204-7021 effective date is the 10th November 2025, after which the DoD can include the CMMC clause in DoD contracts.