Contractors working with the Department of Defense may have heard that the Cybersecurity Maturity Model Certification is coming. As information on the CMMC continues to be released, here is what we hope to see.
There is some speculation about what the Cybersecurity Maturity Model Certification is going to look like and what the timeframe will be for certification.
What we do know is that organizations need to prepare now by getting help with actually implementing the NIST SP 800-171 controls, not just being “compliant” with DFARS 252.204-7012.
Beyond that, we have some recommendations about the parts that are still unknown.
But first, here is a quick recap of the cybersecurity + defense contractor landscape.
OUSD + CMMC + DOD + DFARS + NIST = What Exactly?!
Information from the Office of the Undersecretary of Defense about the Cybersecurity Maturity Model Certification has been released in phases.
The OUSD has been aiming to bolster the protection of vital government information, specifically DoD information, in order to keep it from being compromised by bad actors.
We are talking about our National Defense after all, so if a business has gone to all the trouble to win a government contract, it certainly wants to keep it.
A firm understanding of NIST SP 800-171 implementation, as required by DFARS 252.204-7012, is the correct place to start when protecting Controlled Unclassified Information (CUI).
The goal for any organization working with the Federal Government should be to achieve adequate security and overall defenses across the entire organization.
That is what the CMMC is going to do.
What We Hope to See
At Beryllium, we have an extensive history in information security within Government. We have seen both good and bad implementations of security solutions.
We are very excited to see the CMMC come to fruition, as it is way overdue.
Here are a few things we hope to see addressed with the Cybersecurity Maturity Model Certification:
Partly Cloudy: Limit Cloud Implementations
We continue to hear about the cloud. Cloud migrations, cloud computing, cloud architecture, etc.
And yet, even the definition itself gets muddled when being slung around. We are fans of the NIST definition.
While the cloud is great for certain implementations, such as flexible computing needs and world-wide infrastructure, migrating the entire business to the cloud can be a huge security risk.
Using the above-mentioned NIST definition of cloud computing, one can see that in a national security context the cloud can be problematic:
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
An (ISC)2 and Cybersecurity Insiders report concluded that proper cloud security is one of the largest concerns among security professionals.
Some of the largest data leaks recorded have been due to poor cloud security practices and misconfiguration.
While the cloud is great for certain uses, with regard to protecting CUI we suggest “keeping our heads out of the clouds” as much as possible.
Pie in the AI Sky
Another buzzword that is often thrown around is AI (Artificial Intelligence).
Machine learning, AI, and deep learning are great, again when implemented correctly, but they are not a security cure-all.
We have worked with some great companies who have implemented effective AI/machine learning to augment the use of data/information and to reduce churn.
AI makes perfect sense for security practitioners whose tasks are too repetitive or too loaded with data.
There is great value in not mandating something like AI.
Instead, the CMMC could make provisions for AI implementations that help with automation and threat recognition.
At the highest levels of CMMC certification, it makes sense to recommend AI (especially when identifying insider threats).
MFA, all the way!
Multi-factor authentication (MFA) is all the rage! Why? MFA is affordable and easy to use and implement, while providing a massive security boost for any organization.
Using MFA also helps with one of the most commonly known weaknesses in most organizations: poor passwords (we have a no-cost solution for that).
MFA, combined with unique password policies and access control, makes protecting controlled unclassified information much more secure.
When the goal is good cyber-hygiene through the Cybersecurity Maturity Model Certification, MFA is a huge bang for the security buck!
Cybersecurity Maturity Model Certification: In Clear Language
The subject matter of cybersecurity is often difficult for those not in the cybersecurity field.
When combined with legal-style regulatory writing, cybersecurity regulation can be difficult to understand.
If the CMMC is to succeed (and we are confident it will), we suggest a plain-English version everyone can comprehend.
An approachable mandate (similar to the NIST Cybersecurity Framework) will help SMBs understand what questions they need to ask when communicating with IT and security providers, in order to get the value and security they need.
Maturity models are great tools for organizations that have a firm handle on what security implementations should look like.
For those SMBs with less robust budgets and less well-rounded security expertise, the task can be challenging.
There will be five levels for CMMC certification. The details of each level are coming into focus.
How might the CMMC help “level the playing field” for all contractors, as well as build effectiveness with implementation?
Here are three ways that could help, as the Cybersecurity Maturity Model Certification process grows (these are just ideas from Beryllium, not from the CMMC team):
1. A weighted scale for each point of requirement.
Not all security implementations bring the same level of security to the table.
Within each of the levels, weighting could help organizations understand timelines and priorities for implementing the requirements as they work towards securing CUI.
2. “High-water” marks for levels.
In some maturity models, organizations can achieve a level of maturity without necessarily meeting all of the requirements of the previous level.
For example, will implementing only 80% of the requirements in levels 1 and 2 be enough to achieve level 2 certification?
Or would the organization have to meet all requirements in both levels 1 and 2 to achieve level 2 certification?
As the CMMC team releases more information, we look forward to further clarification on the above scenarios.
3. Data Protection Officer, required.
There are areas within NIST SP 800-171, as well as within the required documents, that allude to program ownership.
One suggestion we always make to clients, specifically in today’s security landscape, is to have a dedicated person in charge of data protection.
Implementing the required set of controls will be necessary in order to meet (and maintain) the target CMMC level.
The CMMC team has already stated that the certification process will be a “go/no go” decision.
Would a requirement that each contractor must have a dedicated employee responsible for overseeing the organization’s DFARS program help? We believe it would.
Not so much for “legal” reasons, but as a way to instill ownership in the organization’s requirements for handling CUI.
Communication within the organization would likely increase, while lowering the risk of employees trying to “cut corners” and putting the organization at risk.
That is a win/win for everyone!
Good cyber-hygiene…with confidence.
Although the CMMC process is overdue, it is further proof that cybersecurity will be a foundation for our national defense.
Our advice to contractors?
Work with experts who can provide the right solutions for the organization.
Contractors need the confidence to know they are at the CMMC level required by their contract, prior to being certified.
Organizations, specifically SMBs, should take pride in their Cybersecurity Maturity Model Certification level. Use it as a competitive advantage!
At Beryllium, we are excited about the CMMC. We think it will help move both businesses and our nation into better security postures.
We also realize this sort of process is not easy, and it can be difficult to understand the best way to accomplish such a challenging task.
Is your organization looking to be compliant and fully implemented with DFARS 252.204-7012?
Want to quickly achieve CMMC Level 3 so you can pass your certification with confidence?
UPDATE: CMMC DRAFT 0.7 is available here
Beryllium InfoSec Collaborative (“Beryllium” for short) is an information security and cyber security company located in Minneapolis, Minnesota. As a small business owned by veterans, Beryllium has 80-plus years of industry experience across industry & government. We are National Institute of Standards and Technology (NIST) information security experts who know the balance of security needs and operational requirements. NIST provides the definitive compilation of guidelines that all other standards are derived from, either partially or wholly.
Beryllium is unique in that we use strategic collaboration, education, and a holistic approach to information security & cyber security. From small to medium size businesses (SMBs) to enterprise organizations, our expertise in the NIST information security & cyber security guidance allows us to build unique, compliant & cost-effective solutions for any organization.