At the start of the year, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) version 1.0—a highly anticipated unified standard meant to secure the agency’s vast supply chain. When tensions with other countries rise, for instance, many worry that retaliation will come not just through cyberspace, but through “potentially vulnerable defense contractors.”
CMMC, as it’s rolled out over the course of five years, is meant to reduce, if not eliminate, such vulnerabilities and address a critical national security challenge. The defense industrial base (DIB) includes more than 300,000 companies, which until now have operated with a glaring lack of oversight. These companies access and store sensitive defense information on their own systems. CMMC represents an important step toward protecting this information.
Despite the long-term benefits, CMMC may result in short-term confusion for many contractors. Depending on their work, contractors must meet one of five new levels of security. However, the starting line for improving one’s security posture is more or less the same.
Preparing for CMMC
For those looking to get up to speed with regard to security best practices in the wake of CMMC, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which emphasizes continuous security, is a good starting point. The NIST Framework is segmented into five buckets, or functions: identify, protect, detect, respond, and recover.
The first bucket is, of course, the foundation. In order to identify threats, companies must first be able to identify the breadth of their own systems, which can be challenging in the age of BYOD and shadow IT. There is no way to secure a system if you don’t have a full understanding of your employees, assets, and data. Numerous tools exist to help make this visibility a reality, though, from app-centric visualization to SSL visibility. The latter decrypts traffic so it can be inspected for malware, then re-encrypts it before sending it on.
Continuous Monitoring
Only by having full visibility into systems and data can companies put the necessary safeguards in place—such as protection from common web exploits, malicious IPs, and coordinated attack types. Access management, such as single sign-on, secure VDI, and privileged user access, offers one way to protect from bad actors. Put simply, the federal government needs to be able to verify contractors are who they say they are—and grant the right level of access accordingly.
Still, security cannot stop at the door. Even after users are authenticated, companies must continue to monitor and log their activities to accomplish the third component of the NIST framework: rapid detection. Behavioral analytics, artificial intelligence, and machine learning can be used to this end, analyzing traffic and flagging risky or unusual behavior.
Without these first three steps, the last two—developing a response plan and a plan to restore impacted systems and assets—are nearly impossible. Of course, the goal of CMMC is to make these last two steps a rarity. With continuous monitoring, the goal is to prevent DoD contractors and subcontractors from being compromised at all.
The Bottom Line
In the short term, companies in the DoD’s supply chain should invest in technologies that support visibility, protection, and rapid detection. That will lay the foundation needed for certification and security. While many contractors may find the prospect of CMMC daunting, the reality is that this represents a necessary response to years of neglect.
Still, it is important that this new level of security doesn’t squeeze out smaller subcontractors, who also play a crucial role in the supply chain. The good news is that the DoD has estimated that most contractors will only need a level one certification, which is centered on basic cyber hygiene. These are best practices that companies should be putting in place even if they’re not accessing sensitive government data. For those in the defense industrial base, the time to protect and detect was yesterday.