Security today is about integrated systems, new connections, open protocols and the continued mainstreaming of interactive internet of things (IoT) devices. With it, systems integrators face new challenges, such  as making sure their installations continue to operate safely and without fear of compromise while protecting sensitive data. That makes cybersecurity readiness an important component of the systems integration business. 

Residential systems must be safe from malicious actors or physical intrusion attempts—or their core reason for existing is negated. Stakes are higher for commercial security systems, as cyber-hacked solutions can set companies into a tailspin of potential consequences, such as unsecured openings, data center breaches, control management operations and even ransomware. According to the 2023 Annual Global Supply Chain Survey, supply chain-related disruptions in 2023 led to an average $82 million in annual losses per organization in key industries, including financial services, aerospace, defense, healthcare and energy.

CMMC 2.0 in 2025

Cyber mandates, emerging regulations and voluntary programs are growing in every sector, from commercial to consumer to government. The Cybersecurity Maturity Model Certification (CMMC 2.0), released by the Department of Defense late last year, was the final step of a five-year process that established a framework of compliance for systems integrators and their subcontractors performing work for the federal government. 

According to the final rule, the program was established to verify contractors have implemented required security measures necessary to safeguard federal contract information and controlled unclassified information. The CMMC program follows a tiered model, requiring contractors to “implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also describes the process for requiring protection of information flowed down to subcontractors.” 

Expected to roll out in mid-2025 once compliance mechanisms are in place, contractors will not be able to bid or respond to solicitations without fulfilling assessment requirements and other criteria. Periodic audits, training and network readiness are part of ongoing compliance.

Cyber trust and the loT

In the consumer and residential space, the Federal Communications Commission created a voluntary cybersecurity labeling program for wireless loT products to promote hardened communications, help consumers select cyber-secured devices and encourage manufacturers to meet higher cybersecurity standards. 

The U.S. Cyber Trust Mark Program, also referred to as Cybersecurity Labeling for Internet of Things, establishes rules and requirements for qualifying smart products. Eligible devices include home security cameras, internet-connected appliances, baby monitors and others. 

Matter, another evolving loT standard, promotes a Wi-Fi-based IP standard for smart home devices to ensure they are secure, reliable and seamless to use. Matter’s constituents and representation includes Amazon, Apple, Comcast, Google, Lutron, Samsung, Schneider Electric and others. 

These regulations and programs have widespread implications for systems integrators as we adjust to a more open environment where IT, cybersecurity and physical security continue to converge.

Rob Simopoulos, a veteran of the physical security industry for more than 25 years and co-founder and CEO of Defendify, Portland, Maine, believes we’ll see compliance grow and evolve over time with each sector developing its own distinct program. 

“Protecting a company from cyberthreats requires numerous controls and approaches to do it successfully,” Simopoulos said. “Companies, government and industries are trying to find ways to judge or score a company on its internal cybersecurity program to ensure they have proper safeguards in place. It’s not an easy task, as each company has unique IT systems, data and products. These can vary by industry, company size or specialization, and having one scorecard usually will not work across all sectors and industries.” 

Simopoulos said organizations can begin by implementing a cybersecurity program internally with numerous layers that educates the team on prevalent cyberthreats. 

“Not being able to prove that a company has an appropriate cybersecurity program in place may mean not being granted a new contract or perhaps losing a top customer. It’s important that organizations are prepared ahead of time,” he said.

Simopoulos said companies must be aware of how employees use tools such as artificial intelligence. 

“Companies now must adapt their cybersecurity strategies to address the unique risks these tools bring. Whether it’s software developers leveraging A.I. to write code or sales representatives using it to generate customer outreach, some of these tools can interact with sensitive company data, or users can insert sensitive data into external A.I. platforms, creating potential security risks,” he said. “Organizations should consider implementing clear policies on the use of A.I. tools, provide training on secure practices and integrate access controls and monitoring to ensure they mitigate risks.”

Sikov / stock.adobe.com