With the Department of Defense (DoD) reporting annual losses of $600 billion in intellectual property through its digital supply chain, the need for a unified cybersecurity standard has become increasingly urgent. The soon-to-be-implemented Cybersecurity Maturity Model Certification (CMMC), which was introduced in January 2020, represents the latest step forward in the DoD’s effort to protect its most important data from third-party breaches.
Since its unveiling earlier this year, there has been some uncertainty surrounding the scope and implementation of CMMC. Recently, SecurityScorecard hosted a webinar discussion about the new model with industry experts, including a board member of the CMMC’s Accreditation Body, to help demystify CMMC. Below are some of the key takeaways from our discussion.
What is (and is not) CMMC?
CMMC is the DoD’s newest cybersecurity framework, which will require defense contractors to undergo a third-party cybersecurity assessment, certifying the necessary level of cyber maturity based on the services they provide.
CMMC and the DoD are not one and the same. It’s important to note the distinction between the DoD, which created the new model, and the CMMC Accreditation Body (AB). The latter is a non-profit, volunteer board that has been tapped by the DoD to implement the program. Fiscal and operational questions do surround the AB, which does not receive funding from the DoD.
Robert Knake, Senior Fellow for Cyber Policy at the Council on Foreign Relations, pointed out that the “DoD has taken pains to clarify that CMMC is not a replacement for the NIST cybersecurity framework.” He feels that CMMC will, however, provide added clarity around what vendors need to do in order to understand and shore up their cybersecurity posture.
Security ratings may address continuous monitoring requirement
By continuously monitoring government contractors’ cybersecurity posture—rather than relying solely on self-attestations like its quasi-predecessor, NIST 800-171—CMMC aims to fill costly security gaps within its vendor ecosystem.
“The number of things that could happen in that [three year] time frame [between assessments] is too big to count,” said Chris Golden, a member of the Board of Directors of the CMMC AB. He added that receiving alerts when events occur, such as shifts to cloud-based technology or impacts due to a management change, would go a long way toward allowing the DoD to track important changes within its vendor ecosystem.
According to Steve Shirley, Executive Director at the National Defense Information Sharing & Analysis Center (for full disclosure, SecurityScorecard is a partner), the ability to carry out continuous monitoring with a “reasonable touch” on an organization’s network is essential and is one of the main value drivers of security ratings platforms.
“We need to have some mechanism to give us an idea of what is going on inside the firewall without putting an agent on their networks, because frankly, most companies—mine included—would not allow that,” Golden added.
The panel noted the effectiveness of security ratings platforms, even naming SecurityScorecard, in addressing the continuous monitoring requirements of CMMC. In particular, several stated that security ratings provide visibility into a third party’s cybersecurity posture in a non-intrusive manner.
The next steps
Some members of the defense contractor community are concerned about having to undergo costly changes to their cybersecurity compliance posture. Contractors, however, shouldn’t fear being caught by surprise. CMMC will be rolled out gradually over the course of 2020 and is likely to impact only about ten contracts this calendar year.
This ramp-up period, as we wait to see which companies will ultimately land contracts that need to be CMMC compliant, is an opportunity for contractors to improve their cybersecurity posture, according to Knake. If they aren’t ready for this round of contracts, they can be for the next one.
Many experts, including Knake, Shirley, and panelist Jennifer Gillespie from Booz Allen Hamilton, anticipate the adoption of CMMC across other sectors of the federal government, particularly if the program is successful. For now, it’s safe to say that nearly everyone is taking a wait-and-see approach.