Why the DoD is Prioritizing Continuous Monitoring


Since the unveiling of the Cybersecurity Maturity Model Certification (CMMC)—the Department of Defense’s (DoD) new cybersecurity standards framework unveiled in January 2020—there has been both optimism and concern among government contractors surrounding the implications of the new program.

In July, featured guests Steve Shirley, Executive Director, National Defense Information Sharing & Analysis Center; Jennifer Gillepsie, Senior Associate, Information Services, Governance, Risk & Compliance at Booz Allen Hamilton; Chris Golden, CMMC Accreditation Body; and Robert Knake, Senior Fellow for Cyber Policy at the Council on Foreign Relations joined this Webinar hosted by Sachin Bansal, General Counsel at SecurityScorecard, to shed light on what CMMC means for both DoD contractors and other organizations.

The panelists examined everything from the basics of CMMC, to its Accreditation Body’s (AB) implementation of new features such as continuous monitoring, and how tools like security ratings can help companies and government agencies solve risk and compliance issues.

What is (and isn’t) the CMMC?

CMMC is the DoD’s newest cybersecurity framework, which will require defense contractors to undergo a third-party cybersecurity assessment, certifying the necessary level of cyber maturity based on the services they provide.

“I see CMMC as an evolution of the NIST 800-171 requirement, and it’s a desperately needed one in terms of making sure that there is a governance aspect to cybersecurity,” Gillespie said.

Golden explained that CMMC “is not currently a replacement for [the preceding] DFARS or NIST 800-171, but hopefully come October, DFARS will have a new rule that will say that companies have to abide by the CMMC standard.”

What does “continuous monitoring” mean within the CMMC framework?

The CMMC AB plans to deploy a monitoring tool that analyzes the cybersecurity posture of its contractors on an ongoing basis in order to verify compliance between certification renewals.

“I think what we’re going to see is that over time, these kinds of requirements are going to move from a point-in-time assessment to requiring a data feed to validate compliance requirements,” Knake said.

He also described how security ratings platforms provide a blueprint for effective continuous monitoring.

“The number of things that can happen within a three year period [between assessments] is too big to count. So we need to have some mechanism to give us an idea of what is going on inside the firewall without putting an agent on their networks, because frankly, most companies—mine included—would not allow that,” Golden said.

How is the industry reacting to CMMC?

The new regulatory framework has been met with concern among DoD contractors surrounding its interpretation and enforcement.

“If there isn’t clarity and consistency in the way the standards are applied, it really drives the potential for a lot of cost and a lot of issues,” Shirley said.

Golden is optimistic that the training provided to the Defense Acquisition University by the CMMC Accreditation Board and the DoD will allow auditors to apply a uniform interpretation of the security level required of a given product or service. He acknowledged, however, that the training process could be a lengthy undertaking.

The next steps

Knake feels CMMC provides much-needed clarity for companies lacking a clear understanding and course of action to shore up their cybersecurity posture. He also believes it represents a potential universal standard. “You could see this model being adopted broadly by other sectors,” he said.

To learn more about CMMC and what it means for your organization, view the full webinar above.