As the Cybersecurity Maturity Model Certification (CMMC) nears full implementation, affected organizations are scurrying to ensure they'll pass the certification process.
The goal is simple: organizations must meet minimum cybersecurity standards, and in doing so, they do their part to improve national security. The stakes are extraordinarily high for the estimated 300,000 defense industrial base (DIB) organizations which will soon need to be certified to one of the five CMMC levels to be eligible to be awarded a federal contract. Simply stated: no certification, no contract. From the perspective of the U.S. Government and the Department of Defense, the stakes have always been high since the DIB plays such a critical role in the defense of our nation. The only way to ensure the protection of our data and the integrity of the supply chain is to hold industry to a higher standard.
How Did We Get Here?
Adversarial activity from state and non-state actors continues to increase, and the economic costs are staggering — $5 trillion globally — by some estimates. Other estimates show that the cost to the U.S. economy was somewhere between $57 billion and $109 billion in 2016. However, the need for CMMC is not just about economic interests, it is about collectively defending ourselves. Companies large and small contribute to the success of the American warfighter and they will all be held to the same level of accountability with CMMC.
In the federal space, it takes only a quick glance at a certain fighter jet to connect the dots of how important it is to secure the organizations which ultimately secure and defend our country. In the commercial space, the Target breach showed how business partners can be the weak link which ultimately facilitates an attack. By holding the DIB more accountable, we help fulfill not only a new business requirement, but we will meet a strategic imperative to be more resilient to attack. Times have changed and so have how we conduct business. Like it or not, we maneuver on the modern battlefield where words like “war,” “espionage,” and “crime” are prepended with “cyber,” meaning private and public entities must be prepared with a modern response.
What Is CMMC?
CMMC has five levels of technical and procedural controls which aim to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) for DoD contractors. To reach CMMC level 5, organizations will need to go through the implementation and assessment of 171 technical and procedural controls. Most cybersecurity professionals in the federal space will find that the bulk of the CMMC controls are familiar. In fact, to reach CMMC level 3, almost all the controls are found in NIST SP 800-171. The organizations which will soon require certification under CMMC have already been mandated to meet the controls outlined in NIST SP 800-171 since 2016. The key difference is that organizations can no longer self-certify and submit a Plan of Actions and Milestones to address deficiencies. Organizations seeking certification must be formally assessed by a CMMC Third Party Assessor Organization or assessor certified by the CMMC Accreditation Body, a non-profit organization charged with certifying the readiness of the assessors. While no dates have been given for when assessments will start, training has recently begun for the first group of CMMC assessors.
What to Do Now?
CMMC preparedness is an exercise in implementing the fundamentals of cybersecurity and continuous improvement to achieve greater resilience. The CMMC levels are cumulative and tiered so that one level builds up to the next, so to reach level 4, you must be fully compliant with level 3. Each level correlates to the level of sophistication of your security practices starting with basic hygiene and elevating to more advanced and proactive measures like threat hunting in Level 5. With 171 controls of increasing complexity, you ask where to begin?
- Educate yourself: Understand the technical controls and policies outlined by the CMMC.
- Determine which level is right for you: Organizations will need to decide which level of certification they seek. Organizations storing only FCI may be content reaching CMMC Level 1 and organizations storing and handling CUI or contributing to more sensitive efforts will likely want to be certified at CMMC Level 3 or higher. The DoD will list the CMMC level requirement on the request for proposals.
- Know yourself: Understand and document your environment from your internal network to your business partners. It is often said that “you cannot defend what you do not know,” and it is true. You must understand your segmentation, systems, and attack surface before you can hope to defend it.
- Self assess: Determine how you stack up to the controls for the level of certification your organization is seeking. Identify any controls which are not currently met, plan how to resolve the issues, and reassess. For future flexibility, identify what it would take for your organization to reach the next level.
- Buy in: We are only as strong as our weakest link; understand that CMMC is designed to help mitigate the risks of doing business in the defense sector. Some controls will be simple or are already being done, and others may require support from various parts of your organization. You might need approvals, increased budget, or executive sponsorship. Some controls may prove to be a heavy lift from a technical perspective. The entire organization will need to buy-in, be pragmatic and do their part to support and protect the mission.
- Be flexible: CMMC is new and it creates bridges between the large complex entities with the DoD and DIB. These are huge organizations, there are still unknowns with CMMC, and what was known a month ago may change. So be flexible, be patient, and know that we all need to do better to protect what we value.
Whether you need to be certified to CMMC Level 1 or 5, or perhaps your organization doesn’t even do business with the DoD, the standards set forth by CMMC are a roadmap for any organization to mature their cybersecurity posture. Regardless of your starting point, achieving CMMC compliance will pose a challenge to small and large organizations alike, but the outcome is the improvement we desperately need. Securing our data and intellectual property is both logical and of absolute necessity to maintain a technological edge over our adversaries. Continuous assessment and improvement in the practice of cybersecurity fundamentals are paramount to achieving a level of digital resilience that will allow us to combat modern threats.
Wayne Lloyd is federal chief technology officer at RedSeal.