At Coalfire Federal, we’ve witnessed firsthand the evolving cyber threat landscape and the increasing sophistication of adversaries. The recent breach of the U.S. Treasury by Chinese state-sponsored actors is not just another headline – it’s a glaring signal that our current cybersecurity frameworks are leaving critical gaps across federal departments and agencies.
This attack, enabled by vulnerabilities in third-party vendors, highlights a systemic weakness in how we secure our federal supply chains. It’s time to ask a tough question: why is the Cybersecurity Maturity Model Certification (CMMC) limited to the Department of Defense (DoD)? Cyber threats extend beyond the defense sector, and our response must do the same.
In late 2024, Chinese state-sponsored hackers infiltrated the U.S. Treasury Department by exploiting vulnerabilities in third-party software vendors. The attack was part of a broader supply chain compromise that affected multiple agencies. Attackers gained unauthorized access to sensitive systems by exploiting weaknesses in vendor-managed platforms, ultimately compromising critical Treasury operations and data. This breach underscored a fundamental weakness in the federal supply chain: many agencies rely heavily on external vendors with varying levels of cybersecurity maturity. The incident revealed that existing defenses were inadequate to detect and prevent sophisticated, persistent attacks that targeted the supply chain.
Let’s be clear – the Treasury breach wasn’t a sophisticated masterstroke that outwitted impenetrable defenses. It was an exploitation of the weakest link in the supply chain. A single vendor, lacking proper oversight and adherence to rigorous cybersecurity standards, opened the door to one of the most sensitive federal departments.
This is the kind of attack that CMMC was designed to prevent, and it’s working within the DoD. But Treasury, Energy, Commerce – all are vulnerable, and none benefit from the uniform protections CMMC provides. This inconsistency is unsustainable.
We’ve spoken with countless CISOs and federal IT leaders who all express the same frustration: vendors hold the keys to sensitive networks and store and process CUI/CCI, and recent history has proven that self-attestation to cyber standards is not the solution. When we don’t hold vendors to the highest cybersecurity standards, we’re inviting breaches like the one at Treasury.
CMMC enforces continuous monitoring, rigorous third-party assessments, and significant criminal and financial penalties, ensuring that defense contractors remain vigilant. Why shouldn’t vendors working with other federal departments and agencies face the same scrutiny?
One of the strengths of CMMC is third-party attestation of compliance. Prior to CMMC, DIB members were required to self-attest to compliance with NIST 800-171, but self-attestation is problematic for many reasons. Some companies may simply not understand how to implement a control and falsely believe their approach is adequate. Others may understand, but indefinitely put off implementation due to cost or lack of resources and continue to carry the control as a future POAM item. Still others may intentionally cut corners, and federal agencies lack the resources or authority to uniformly enforce compliance across the vendor ecosystem.
CMMC, by contrast, mandates third-party assessments, continuous monitoring, and imposes penalties for non-compliance. This level of oversight ensures vendors are consistently held accountable, reducing the likelihood of breaches stemming from poor cyber hygiene.
Some may view this breach as an isolated incident, but that’s dangerously short-sighted. Today, it’s Treasury. Tomorrow, it could be Homeland Security or the FAA. Beyond the immediate financial and operational impact, these breaches undermine public trust, compromise national security, and embolden our adversaries.
This isn’t fearmongering. It’s reality. If we don’t extend CMMC or a similar framework across the federal government, we’re gambling with the nation’s most sensitive data.
Imagine a federal landscape where every agency enforces the same baseline cybersecurity standards across their entire vendor ecosystem. That’s the power of expanding CMMC beyond the DoD.
A government-wide adoption of CMMC would:
Here’s the reality – extending CMMC across federal agencies isn’t just an option; it’s a necessity. We need decisive action at the highest levels of government to make this happen.
Congress and department and agency leadership must:
The Treasury breach should serve as a catalyst for change. It’s a reminder that cybersecurity is not just the responsibility of IT teams but of agency leadership, lawmakers, and industry partners alike.
We have the tools to prevent these attacks. It’s time for a coordinated Federal approach. The model exists in CMMC, and the heavy lifting has been done by DoD. While the current DoD CMMC framework may not be a perfect fit for all departments and agencies, it’s easily the 85% solution in form and content. We now need the will to take a whole-of-government approach. The lessons of all previous breaches are there; let’s make them lessons learned and extend the benefits of CMMC across the Federal government.
Need help with your own CMMC journey? Reach out to us today.
Tom McAndrew is Chief Executive Officer for Coalfire. He is recognized as one of the world’s leading cybersecurity experts in both the commercial and government sectors. Mr. McAndrew joined Coalfire in 2006, and since that time, has held key leadership roles spanning Sales, Operations, Service Delivery, and Technical Testing, most recently serving as the company’s COO. Mr. McAndrew is focused on driving aggressive growth for the company’s strategic business units; under his leadership, Sales and Delivery teams have grown the business an average of 40+% annually over the past five years while supporting more than 2,000 customers annually.
Bill Malone has been serving as an accomplished executive for over 30 years and has been celebrated for his leadership qualities and business experience, most recently being named a 2024 Top Cyber Exec to Watch by WashingtonExec. As President of Coalfire Federal, Mr. Malone leads through thoughtful policy, mission expertise, and knowing the ins and outs of cutting-edge technology. Keep up to date with him on LinkedIn and learn more about the Coalfire Federal mission.