What IT leaders should do now to prepare for CMMC compliance
- By Colby Proffitt
- Jul 01, 2020
The Department of Defense’s Cybersecurity Maturity Model Certification has been top of mind for federal IT leaders and contractors alike–and compliance is moving forward on the aggressive and necessary timeline. Most recently, the CMMC accreditation body announced that they are developing a course to train independent assessors who will evaluate contractors' ability to comply with CMMC requirements, with the first phase expected to kick off in less than six months and formally launch its program by early 2021.
With more than 300,000 estimated suppliers to the DoD, achieving a consistent level of cyber hygiene–a set of practices for managing the most common and pervasive cybersecurity risks–is critical. DOD is only as strong as its weakest link. Given that many contractors lack the necessary cyber hygiene processes to meet CMMC requirements, there are some critical steps that must be taken to mind this security gap.
Roadblocks to Basic Cyber Hygiene
Often, contractors address individual cybersecurity vulnerabilities by implementing a complex patchwork of point products that don’t integrate, are difficult to manage and patch, and fail to provide IT leadership with a full view of the threats facing the enterprise. This complexity results in increased risk and additional costs.
If contractors continue to implement disparate point products to resolve individual problems, they will also continue to increase complexity, cost, and risk–and won’t achieve the visibility needed to manage risk and meet CMMC requirements.
One of the primary goals of CMMC is to “reduce risk against a specific set of cyber threats”–and in order to do that, federal agencies and contractors alike need real-time data to make sound risk-based decisions. A decision made on stale or unreliable data may ultimately introduce new or additional risk to the enterprise; and in today’s complex environments, it can be difficult to determine truth between data sets or trace data paths back to the origin for validation. But, decision makers shouldn’t have to worry about the age, accuracy, or integrity of the data. When pulled from a single source in real-time, not only does decision time decrease but the confidence and the efficacy of those decisions increases.
Standing Up a CMMC-compliant Infrastructure
Contractors should consider a holistic approach that integrates IT operations and security more tightly than in the past. If you’ve worked in the DOD for any amount of time then you’re aware of the various efforts to consolidate and unify–from data center consolidation efforts to organizational realignment, but integration and consolidation efforts don’t have to be difficult. IT leaders need a platform–a single pane of glass–to understand and monitor their environment and make decisions in real-time. This platform must provide the capability to integrate endpoint management and security (i.e., gather data from all endpoints, make needed updates, and reduce risk).
The newly distributed workforce means that tighter integration of endpoint management and security is more important than ever. Every organization is managing more endpoints; there are more unmanaged devices; and we see elevated activity from bad actors. A platform approach that integrates endpoint management and security allows you to see your environment, quickly gather data from endpoints, make needed updates, and reduce risk.
The goal is to simplify management of complex hybrid environments–and most importantly, keep teams productive and resilient.
While contractors work to stand up a CMMC-compliant IT infrastructure, it’s important to start with the following questions:
- How many computers do you have on your network? And are they authorized to be there?
- What applications are installed? And are they all up to date?
- What are users doing? And is it authorized?
- How comfortable are you with your patch/vulnerability/risk posture?
- Have you recently been breached or had an outage that could have been prevented?
There will always be new, unaccounted for risk–and risk can take many forms. Risk can increase if you don’t protect your data, if you don’t patch your systems, or if a new vulnerability is discovered in the wild. While external factors within any given area might change, organizations have more command over the areas with security controls in place–such as data protection, cyber hygiene, and prevention. In today’s cyber environment, every organization is at risk–some more than others but each has its own level of acceptable risk. That’s why this new certification model was created–to minimize the overall risk to the DoD by enforcing a risk standard to improve basic security practices and administer more stringent practices based on risk levels and the type of data being handled.
When a new threat is identified, look at existing controls, identify where there is risk, and determine how to adapt your security posture to remediate. Historically, this is where many contractors and organizations have turned to multiple point products–but it’s critical that the Defense Industrial Base shift from this approach and instead pursue a single platform so that they are able to not just reduce risk at a single point in time to meet compliance requirements, but they are also able to identify and assess risks on a continuous, ongoing basis for real-time cyber defense.
Colby Proffitt is a cyber strategist at Tanium.