Key takeaways from WT's CMMC Summit


Cybersecurity leaders emphasized that the upcoming cyber and supply chain requirement for industry is more than a compliance checklist, and that help getting ready is available to small businesses.

Advice and insights flowed hot and heavy at the Washington Technology CMMC Summit that covered the intricacies of that four-letter acronym for the Defense Department’s cybersecurity initiative.

The Cybersecurity Maturity Model Certification is DOD’s program to ensure the defense industrial base's systems that contain sensitive government data are secure.

CMMC's concept and goal are easy to grasp, but it has several complexities and nuances that the speakers at Thursday’s event tried to convey.

Government contractors have up to three levels of CMMC certification they can obtain, with Level 1 the lowest and Level 3 the highest.

To reach Level 1, companies can self-attest to the basic safeguarding practices. The controls for the higher levels come from NIST Special Publication 800-171, which describes the requirements for securing systems that hold sensitive government data.

But when the final CMMC rule is out next year, most defense contractors will need to be at Level 2, which requires third-party assessments of their systems.

The final rule will also describe how to attain Level 3. The catalyst that will force companies to move from Level 2 to Level 3 is not clear yet.

March 2023 is the earliest timeframe for the final rule's release, but it likely will not go into effect for a few more months. The requirements will not be retroactive, but will begin to appear in certain new contract requirements.

DOD will phase the requirement in over several years until all defense contracts carry it.

Here are four key takeaways we gleaned from the speakers at last week’s event.

Waiting is the wrong way to go

As Robert Metzger made abundantly clear in his opening keynote, it is a mistake for defense contractors to wait for the final rule before making moves to comply with the NIST standard.

Metzger is considered by many to be the "father of CMMC" for co-authoring a report that lays out the standard's guiding principles.

He urged companies to use CMMC and the NIST standard as starting points for building secure networks and systems.

“Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors,” Metzger said.

One size will not fit all

NIST SP 800-171 describes 110 security requirements. Which ones a company should focus on first depends on its systems and the data in them. Metzger said a "spread the peanut butter smoothly" approach, giving every control equal attention regardless of risk, is not the right thing to do.

Speakers said companies get the most impact from a few basic steps: understanding their systems and the data in them, mapping how that data flows through those systems, and then concentrating security investment on the areas that matter most.

For example, some companies may only have contract and procurement data in their systems and will only need CMMC Level 1. Other companies whose systems hold engineering plans may need to invest more to protect that information.

That data inventory is the guide for deciding whether CMMC Level 1 is enough or whether to move to Level 2.

Small business resources are available

CMMC has been a challenge for many small businesses. But after DOD paused the initiative and then relaunched it as CMMC 2.0, the department also has stepped up efforts to provide resources and support for small businesses.

Also speaking at the summit was Kelley Kiernan, director of Deep Blue Cyber, an Air Force effort she is taking to the Navy in order to make training and other information available to small businesses free of charge.

She holds a weekly "Ask-Me-Anything" session for small businesses through the Deep Blue Cyber website. The site also includes upcoming training events on a range of topics including policy and guidance, oversight and a variety of how-to presentations.

Complementing Deep Blue Cyber was a presentation on Project Spectrum, another DOD organization focused on cybersecurity. It works with companies one-on-one to help them achieve a better cybersecurity posture.

Kareem Sykes, Project Spectrum's program manager, said the organization can help small businesses take a step-by-step approach that starts with assessing their current cybersecurity posture and identifying next steps, then moves to measuring progress.

“When you know your starting point, you look at risk differently,” Sykes said. “The risks you thought you had sometimes aren’t the risks you have.”

That is the starting point for determining where to invest, the needed training and how to stay up-to-date.

Make cybersecurity a way of life

Sykes and other speakers emphasized that cybersecurity, and the CMMC standard once it is in place, is at least as much about people and organizational culture as about technology.

“Your business is your fortress and your employees are the guards,” Sykes said.

Looking at CMMC as a checklist is the wrong approach. Getting a Level 2 certification requires documentation but that is not the point, several speakers said.

Companies need to show how they implement their policies and procedures; in essence, day-to-day actions must reflect the written policies. That stretches from the network administrator to the receptionist at the front desk.

More resources

The entire CMMC Summit is available on demand at the Washington Technology website.
