Finally, Uncle Sam is compelling companies to take cybersecurity seriously.
Related: How the Middle East paved the way to CMMC
Cybersecurity Maturity Model Certification version 2.0 could take effect as early as May 2023 mandating detailed audits of the cybersecurity practices of any company that hopes to do business with the Department of Defense.
Make no mistake, CMMC 2.0, which has been under development since 2017, represents a sea change. The DoD is going to require contractors up and down its supply chain to meet the cybersecurity best practices called out in the National Institute of Standards and Technology’s SP 800-171 framework.
I sat down with Elizabeth Jimenez, executive director of market development at NeoSystems, a Washington D.C.-based supplier of back-office management services, to discuss the prominent role managed security services providers (MSSPs) are sure to play as CMMC 2.0 rolls out. For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:
Passing muster
CMMC 2.0 sets forth three levels of cybersecurity certification a company can gain in order to provide products or services to the DoD, all having to do with proving a certain set of cybersecurity controls and policies are in place.
Level 1, for instance, requires some 17 controls to protect information systems and limit access to authorized users. Meanwhile, Level 3, calls for several more tiers of protection specifically aimed at reducing the risk from Advanced Persistent Threats (APTs) in order to safeguard so-called Controlled Unclassified Information (CUI.)
In addition, every DoD contractor must conduct, at the very least, an annual self-assessment. Crucially, this includes accounting for the cybersecurity posture of third-party partners. In general, contractors must be prepared to divulge details about the people, technology, facilities and external providers — just about anything that intersects with their position in the supply chain. This includes cloud providers and managed services providers.
“It’s a milestone, for sure,” Jimenez told me. “All these controls need to be fulfilled from a compliance perspective and internal practices need to be put into place. This is all to attest that the contractor has a robust security posture, and, in the event of an audit, could pass muster.”
Auditable reviews
To get to square one under CMMC 2.0, a contractor needs to get a couple of very basic, yet widely overlooked, things done; those that handle controlled unclassified information, or CUI, must implement both a formal security management program and have an in place.
This comes down to reviewing IT systems, identifying sensitive assets, cataloguing all security tools and policies and, last but not least, implementing a reporting framework that can be audited. This seems very basic, yet it is something many organizations in the throes of digital transformation have left in disarray.
Jimenez
“Having both a security program and incident response plan in place is really important,” says Jimenez. “This should include continuous monitoring to highlight that the security environment is constantly being reviewed and refreshed with data that has an audit trail available for future reference.”
Doing basic best practices to pass an audit suggests doing the minimum. However, companies that view CMMC 2.0 as a kick-starter to stop procrastinating about cyber hygiene basics should reap greater benefits.
Performing auditable security reviews on a scheduled basis can provide critical insights not just to improve network security but also to smooth digital convergence.
“You can reconcile your current controls with your risk tolerance, and align your IT risk management programs with your security and business goals,” Jimenez observes.
Raising the bar
In short, CMMC 2.0 is the stick the federal government is using to hammer cybersecurity best practices into the defense department’s supply chain. In doing so, Uncle Sam, should, in the long run, raise the cybersecurity bar and cause fundamental best practices to spread across companies of all sizes and in all sectors.
This is much the way we got fire alarms and ceiling sprinklers in our buildings and seat belts and air bags in our cars. In getting us to a comparable level of safety in digital services, managed security services providers (MSSPs) seem destined to play a prominent role.
It was a natural progression for MSSPs to advance from supplying endpoint protection and email security to a full portfolio of monitoring and management services. In a dynamic operating environment, rife with active threats, it makes perfect sense to have a trusted consultant assume the burden of nurturing specialized analysts and engineers and equipping them with top shelf tools.
Full-service MSSPs today focus on improving visibility of cyber assets, detecting intrusions, speeding up mitigation and efficiently patching vulnerabilities. This reduces the urgency for companies to have to recruit and retain in-house security teams.
Meeting a dire need
Thus, MSSPs have advanced rapidly over the past five years to meet a need, a trend that only accelerated with the onset of Covid 19. The leading MSSPs today typically maintain crack teams of inhouse analysts and engineers myopically focused on understanding and mitigating emerging cyber threats.
They leverage leading-edge, cloud-centric security tools – often by hooking up with best-of-breed partners for vulnerability management, endpoint security and threat intelligence gathering. Many of these experts in the MSSP trenches helped develop NIST best practices — and continue to help refine them.
MSSPs are increasingly assuming a primary role in mid-sized enterprises for maintaining endpoint security, vulnerability patch management and even things like firewall management and configuration management.
NeoSystems, for its part, offers all these security services, in modular packages, with a focus on eliminating compliance hurdles for federal government contractors. It’s gaining a lot of traction with small businesses and mid-sized enterprises that can’t spare resources to suddenly infuse security into their networks, Jimenez told me.
CMMC 2.0, coming in May 2023, puts defense contractors’ feet to the fire – and it sends a signal to all companies. “It’s the first real, definitive step from the federal government saying this has to be in place, you must have a security posture and it has to be robust,” Jimenez says. “Once it really takes hold, it will be paramount for companies to step into line and make sure that they’re ready for an audit.”
Companies could have, and should have, embraced NIST’s cybersecurity best practices a decade ago. Hopefully, CMMC 2.0 will nudge them forward in the 2020s. I’ll keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
Guest expert: Yotam Segev, co-founder and CEO, Cyera
