CMMC Takeaways From a CISO

By: Darren Death - MSc, PMP, CISSP, CISM, CCISO
Vice President of Information Security, Chief Information Security Officer at ASRC Federal

This article has been reprinted with permission from the author.

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework and certification model designed to increase the security of the Defense Industrial Base (DIB). This standard is needed because the DIB, as a supplier to the Department of Defense (DOD), can be used as a vector for entry into DOD networks. Additionally, because sensitive information may reside on supplier networks, an adversary can target those networks to exfiltrate it without ever attempting to enter a DOD network. Contractors that fall under CMMC should ensure that they have a firm grasp of CMMC and how it will affect their organizations, both in terms of certification and in building a framework for resiliency. These requirements are not going away, and the DIB should conclude only that requirements like these will become more robust over time. Some essential takeaways to keep in mind:

  • Preparation for CMMC Starts Now: If your organization has not taken the time to address cybersecurity concerns, now is the time. From a resiliency perspective, cybersecurity must be addressed across a firm's digital ventures to ensure they can be defended against actors that would cause harm. From a competition perspective, organizations in the DIB that are not preparing to meet CMMC set themselves up to be non-compliant with future contract requirements.
  • Plan of Action and Milestones: The current process for the NIST SP 800-171 self-assessment, which the contractor generates and enters into the Supplier Performance Risk System (SPRS), allows for a Plan of Action and Milestones (POAM) where a contractor is deficient in a specific 800-171 control. However, the DOD asks for a date by which the contractor expects to be fully compliant with 800-171 with no POAMs in place. CMMC changes this paradigm by not allowing the use of POAMs. To be compliant with the standard and achieve certification, the supplier must be fully compliant with all CMMC processes and practices at the CMMC level required for the contract.
  • Government Audits: The interim rule allows the government to audit the vendor based on a risk determination informed by the government program's criticality or the data that the contractor is handling as part of a contract. It is incumbent upon the supplier to ensure that they are adequately meeting the requirements of NIST SP 800-171 and have the necessary information and artifacts to support the contractor's self-attestation.
  • Supply Chain Management Risks: Organizations must take a closer look at suppliers across their digital portfolios to understand their suppliers' and partners' security. Ensure that you are buying only authentic technology from the vendor and that you are not inadvertently purchasing counterfeit or modified equipment and software that could result in organizational compromise. Also, ensure that your suppliers and partners meet the same standards as you do for the deals you have in place. CMMC requirements must be applied to all members of a contract.
  • Prepare to Adapt: Supply chain risk management and contractor security requirements have changed dramatically over the past few years. We should expect this level of adaptation to continue to increase as standards solidify and as threats in the environment cause the standards to change in response to adversary actions. The new interim DFAR rule change is an excellent example of a new requirement that demands immediate action by the vendor community. As a prediction, do not expect the levels within CMMC to remain static over time. These changes in the standards will respond to the maturity needed as we, as a nation, work to become more secure, and adversaries will need to become more sophisticated in response.
  • Civilian Agency Adoption: Outside of DOD, the Deputy Assistant Commissioner for Acquisitions with the General Services Administration (GSA), Keith Nakasone, stated that GSA would continue to embed cybersecurity requirements within government contracts and that these requirements would be aligned to CMMC. The acting Chief Information Security Officer for the Department of Homeland Security (DHS) stated that the agency is looking at pilots that would include CMMC standards. The key takeaway from these examples is that we can expect the CMMC standard to expand into the civilian community, which will require an additional level of adaptation from the contractor community.

“Do Your Part, Be Cyber Smart”

Working to eliminate the cybersecurity technical debt within a government contractor’s digital portfolio improves an organization’s cyber hygiene and competitiveness and plays a role in strengthening the government customer's security. In the Cyberspace Solarium Commission’s report published in March 2020, the second layer of the commission’s strategy noted, “The United States needs a whole-of-nation approach to secure its interests and institutions in cyberspace.” By addressing technical debt and adhering to the cybersecurity safeguards needed to conduct business today, you, as a leader and decision maker, are doing your part to protect your company, your customer, and the nation.