Since its announcement, there has been a lot of discussion about the Cybersecurity Maturity Model Certification (CMMC) and how it will impact the defense industrial base (DIB). Given how much of a shakeup this is to the status quo, it’s no surprise: moving from a mostly voluntary system of self-attestation to a certification conducted by third-party auditors is a step change in safeguarding some of our most essential data and supply chains. This is especially true in today’s environment, where upstream (supply-chain) attacks have proliferated. Compliance with CMMC will be critical for government contractors moving into the future, and starting off on the right foot is important. First, though, we need to understand what CMMC is and why we need to care about it.
One of the core principles behind the framework laid out by the certification is that cybersecurity best practices are a mix of both process and technical maturity. As such, the certification breaks each maturity level into two requirement categories: practice requirements, covering the technical security control implementations, and process requirements, covering the documentation and policies that govern the implementation of those controls. Each certification level (1-5) prescribes higher levels of practice and process maturity, requiring greater sophistication. Critical to note here is that current and future DoD contracts will require specific levels of CMMC certification to qualify, depending on the sensitivity of the information the contractor would handle. For example, any contract that involves handling Controlled Unclassified Information (CUI) would require Level 3 CMMC certification, the baseline certification level for CUI. Level 3 certification aligns with the full set of NIST SP 800-171 requirements, so it makes sense that it is the baseline for CUI hygiene standards. For more information about CMMC, you can find the CMMC model, its appendices, and the CMMC-AB’s assessment guides here.
We’ve written previously about how organizations can build a compliance dashboard to monitor organizational compliance status, but there’s more to the CMMC than just compliance. The reason the CMMC incorporates a separate set of process requirements in addition to technical control implementations is to push back on the notion that compliance is all about doing the bare minimum to check the box. It is in these scenarios that you can find yourself with a slew of checked boxes indicating that you are “doing everything right,” while the reality on the ground is vastly different. It doesn’t matter what the policy says, or whether the most recent audit came back clean, if you have individuals shirking protocol for their own convenience.
Passing compliance DOES NOT mean being secure!
Compliance: Putting a sticker that says "Keep locked at all times"
Security: Training staff not to leave the key in the lock for their convenience. pic.twitter.com/bIdosS6gTe
— Tom🌶(^-^)/ (@TomLawrenceTech) August 30, 2021
This is where CnSight comes into play. By tying compliance requirements to Cybersecurity Performance Indicators (CPIs), it becomes possible to map organizational controls to specific performance metrics that give real-time visibility into the day-to-day performance of the organization. The spirit of the CMMC certification is one of process maturity, and supporting a continuous monitoring program that applies performance management principles to continuously reinforce cybersecurity performance is a significant step in validating compliance. Tools that automate the tracking of cybersecurity performance KPIs, such as CnSight, give key insights into asset inventories and create easily digestible reports that empower key decision-makers to reduce risk and ensure organizational compliance. Get a head start on your CMMC compliance program with CnSight.