What Government Organizations Need to Know about Cybersecurity Maturity Model Certification (CMMC)

Ryan Johnson
Published October 22, 2020

At the start of the year, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) version 1.0—a highly anticipated unified standard meant to secure the agency’s vast supply chain. When tensions with other countries rise, for instance, many worry that retaliation will come not just through cyberspace, but through “potentially vulnerable defense contractors.”

CMMC, as it’s rolled out over the course of five years, is meant to reduce, if not eliminate, such vulnerabilities and address a critical national security challenge. The defense industrial base (DIB) includes more than 300,000 companies, over which there has been a glaring lack of previous oversight. These companies access and store sensitive defense information on their own systems. CMMC represents an important step toward protecting this information.

Despite the long-term benefits, CMMC may result in short-term confusion for many contractors. Depending on their work, contractors must meet one of five new levels of security. However, the starting line for improving one’s security posture is more or less the same.

Preparing for CMMC

For those looking to get up to speed with regard to security best practices in the wake of CMMC, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which emphasizes continuous security, is a good starting point. The NIST Framework is segmented into five buckets, or functions: identify, protect, detect, respond, and recover.

The first bucket is, of course, the foundation. In order to identify threats, companies must first be able to identify the breadth of their own systems, which can be challenging in the age of BYOD and shadow IT. There is no way to secure a system if you don’t have a full understanding of your employees, assets, and data. Numerous tools exist to help make this visibility a reality, though, from app-centric visualization to SSL visibility. The latter decrypts traffic so it can be inspected for malware, then re-encrypts it before passing it on.

Continuous Monitoring

Only by having full visibility into systems and data can companies put the necessary safeguards in place—such as protection from common web exploits, malicious IPs, and coordinated attack types. Access management, such as single sign-on, secure VDI, and privileged user access, offers one way to protect from bad actors. Put simply, the federal government needs to be able to verify contractors are who they say they are—and grant the right level of access accordingly.

Still, security cannot stop at the door. Even after users are authenticated, companies must continue to monitor and log their activities to accomplish the third component of the NIST framework: rapid detection. Behavioral analytics, artificial intelligence, and machine learning can be used to this end, analyzing traffic and flagging risky or unusual behavior.

Without these first three steps, the last two—developing a response plan and a plan to restore impacted systems and assets—are nearly impossible. Of course, the goal of CMMC is to make these last two steps a rarity. With continuous monitoring, the goal is to prevent DoD contractors and subcontractors from being compromised at all.

The Bottom Line

In the short term, companies in the DoD’s supply chain should invest in technologies that support visibility, protection, and rapid detection. That will lay the foundation needed for certification and security. While many contractors may find the prospect of CMMC daunting, the reality is that this represents a necessary response to years of neglect.

Still, it is important that this new level of security doesn’t squeeze out smaller subcontractors, who also play a crucial role in the supply chain. The good news is that the DoD has estimated that most contractors will only need a level one certification, which is centered on basic cyber hygiene. These are best practices that companies should be putting in place even if they’re not accessing sensitive government data. For those in the defense industrial base, the time to protect and detect was yesterday.