The reason the Cybersecurity Maturity Model Certification program is so critical to national security can be traced back to the second World War: To counter German submarine attacks against Allied supply chains, British intelligence hacked a German Enigma machine, stole the code, intercepted enemy communications, and neutered the Nazi U-boat threat. Today, foreign adversaries are turning the tables against us. The Sea Dragon hack, reported in 2018, included the theft of communications and cryptography data for our submarine fleet. The important difference: we detected the theft. But what if we hadn’t? Would our submarine fleet truly be an effective nuclear deterrent today, or would we be living with a false sense of security?
Facing down threats like this has become one of the Department of Defense’s most critical missions. As a result, every executive leader within the Defense Industrial Base is responsible, and should prioritize and accelerate their adoption of CMMC. CMMC’s purpose is nothing less than preventing the DoD and its 300,000-plus contractors from losing the next war before it gets started.
Though CMMC benefits from NIST and other compliance standards, it’s important to understand that the foundation behind CMMC strongly reflects the adage that “compliance is not security.”
Compliance frameworks favor lowest cost “check the box” solutions. CMMC attempts to form a unified standard focused on maturity – this means that certification and enforcement are based on what the organization is actually doing and how capable it is of preventing the theft of sensitive defense information by nation-state bad actors bent on breaching IT systems. Maturity refers to how well DoD contractors have not just met a series of requirements, but how well they live by them.
A maturity model evaluates the efficiencies of the organization’s security controls and provides a roadmap for performance improvement through the five CMMC levels of progressive accomplishment. Getting this roadmap right the first time is a critical step in accelerating the CMMC process. Organizations that handle sensitive defense information that qualifies as CUI (Controlled Unclassified information) must focus on achieving CMMC Level 3, which implies “good” cyber hygiene. Organizations that handle only FCI (federal contract information) must achieve at least Level 1, “basic” cyber hygiene.
The challenges in satisfying CMMC requirements include having access to specialized IT and Information Security resources, the time required, the cost, and risk. Organizations that work or intend to work with the Department of Defense need to understand how to address these challenges by effectively adopting a reference architecture for CMMC implementation, leveraging cloud service providers, and working with qualified advisors.
Use a Proven Blueprint
As your company begins the CMMC process, it’s critical to start with an established blueprint to assure your compliance program remains on time and on budget. This is the reference architecture, the owner’s manual that provides structures and integration of IT products and services into a compliant environment. Again, getting this right is critical to managing risk, controlling costs, and measuring the benefits of CMMC over time.
One of the most efficient paths you can take in developing your blueprint is to work with a Cloud Service Provider (CSP) like AWS. They have done the research and made the investments to create reference architectures and cloud services that help organizations satisfy and manage CMMC in a timely manner.
Especially for the smaller and mid-size enterprise, finding a technology or Cloud Service partner helps you to understand what needs to be done, and to plan and budget accordingly. The reference architecture provides “assembly instructions” for creating a bespoke solution that supports your business processes and requirements and satisfies many CMMC requirements.
Leverage Cloud Services
When using a cloud service, some of the CMMC requirements that need to be satisfied are already satisfied by the CSP. One of the most important benefits of working with a CSP is this advantage of shared responsibility. Understanding which practice requirements are inherited and where customer responsibility starts and stops is a key consideration among executive leadership teams and CISOs.
A CSP shared responsibility matrix can outline a wide range of inheritable controls and processes such as equipment maintenance and domain protection; patch and configuration management; continuous auditing and prevention measures; the automation of API inputs and outputs; software updates and data storage; and even physical security if housed at an AWS data center, for example. Not to mention access to trained employees with specific IT, Information Security and CMMC knowledge that the organization thus avoids having to recruit, hire, salary, and benefit.
Shared responsibility needs to be carefully and clearly understood between the parties. By leveraging cloud services organizations get the benefit of using existing solutions built to satisfy CMMC requirements plus their resource-rich providers’ deep institutional knowledge and experience. The smaller enterprise can get on the same playing field with the big dogs, and get there quicker than if they tried to do it independently.
In a nutshell, CMMC certification is going to be less expensive, less risky, and faster using cloud services that have already met some of the foundation CMMC requirements. They are going to be far more familiar with and able to identify missing pieces and the gaps that must come to closure.
Engage an Advisor
The requirements for CMMC are exacting. There’s not a lot of wiggle room for interpretation, and taking a wrong turn or two can add tremendous expense on top of an already resource-heavy process.
Not all advisors are created equal. It is important to work with qualified and experienced providers. A firm that is both a C3PAO (CMMC Third-Party Assessment Organization) and Registered Provider Organization (RPO) like Coalfire Federal brings a deep understanding of the framework and its requirements. More important, a C3PAO/RPO understands the assessment criteria and what an assessor will find acceptable. Coalfire Federal was among the first to be designated with these qualifications, and with our CMMC Advisory and Assessment Services, we are uniquely qualified to help navigate the path.
CMMC is focused on protecting CUI, which can reside in many places – so many places in fact, that it often comes as a surprise to organizations how far and wide their data is dispersed. This is especially true when we look at contractors that serve both commercial and government clients. They may follow the same processes for both, but the CUI and FCI can be located almost anywhere. Identifying where everything is, organizing it, and then protecting it are sequential, mission-critical tasks in satisfying CMMC requirements.
You start by looking at business processes; they determine where CUI exists You may need to re-engineer business processes and re-design the IT that supports those business processes to isolate CUI and FCI. The hard costs of CMMC compliance and the time it takes to achieve accreditation are what make CMMC so challenging. Finding the right advisor can make it less so.
The first steps are straightforward:
- Boundary workshop to determine the systems environment relevant to CMMC
- Gap analysis between current state vs CMMC requirements
- Remediation planning and support to close gaps and achieve cyber maturity
CMMC is going to be at ground zero underlying everything contractors do every day. Like best-practice cybersecurity itself, CMMC is now a process, not an event, and will inevitably be ingrained into every interaction with sensitive data.
My World War II analogy should be inspiring to us all. Our side cracked the German code, helped end the war faster, and saved thousands of lives. That’s the spirit behind the CMMC framework. It’s a new paradigm that merits fast adoption and working together faster to get ahead of this certification cycle. There’s no time to waste.