By Mike Raymond, Federal Sales Manager, Ordr
Cyber threats against the U.S. and the Department of Defense (DoD) are very real, and efforts related to the department’s Cybersecurity Maturity Model Certification (CMMC), released earlier this year, are underway to mitigate risks that affect the DoD and its contractors.
CMMC is meant to address low rates of contractor compliance with NIST SP 800-171, the standard written to protect controlled unclassified information (CUI), and it will become a requirement that permits only businesses holding a valid certification to bid on and win DoD contracts. CMMC is a tiered model with the potential to affect every business in the Defense Industrial Base (DIB).
DoD contractors will soon be evaluated against this maturity model, which contains seventeen capability domains, each covering a different area of security that the DoD expects to be baked into its supply chain.
IoT/OT security is a big piece of the pie
CMMC was created to help organizations understand the complexity and breadth of achieving a true security posture and to help mitigate security failures that have plagued contractors in the past.
Modern exploits and attacks usually cross between IT and OT infrastructure at some point, because everything is “connected” these days. Without visibility into and accountability for IoT devices, the entire network is potentially exposed, and CMMC auditors are well aware of that fact.
The good news is that the majority of CMMC domains apply to IoT network devices, as with asset management (discovery and inventory), situational awareness (threat detection), and incident response. These are part of any intelligent and comprehensive response package, and securing IoT and other connected devices is an integral part of the CMMC requirements.
The capability domains outlined in CMMC (version 1) are very broad and cover everything from physical protection and personnel security to asset management, along with the other security controls that apply to systems handling CUI.
5 steps to ensure device security and compliance
As CMMC covers a lot of territory, it’s critical that any organization wanting to compete and win lucrative contracts heed the call to ensure they consider their IoT/OT security vulnerabilities, as well as their other security controls and programs.
Below are five basic steps and considerations that can help set organizations on the right track to achieving CMMC compliance – specifically related to IoT/OT network devices – and ensure proactive accountability with the government.
1) Visibility is a crucial first step
You can’t defend what you can’t see, and you can’t protect the enterprise if you don’t know the totality of devices on your network. Because embedded IoT/ICS devices often cannot run agents and may be invisible to IT teams and their tools, without a complete inventory it is impossible to prioritize risks, detect threats already active in the environment, or prove that the security posture is strong enough and doing its job.
All of those things are key to CMMC compliance across a variety of domains.
2) Understand device behavior
CMMC focuses on building a stronger cybersecurity posture in DoD supply-chain contractors, requiring organizations to detail how they secure all network-connected devices. Part of a sound security posture is ensuring that every device communicates only as intended, both on the internal network and with the internet, which requires mapping communication patterns and baselining device behavior so that deviations stand out.
3) Identify vulnerabilities
Key CMMC requirements focus on identifying and addressing vulnerabilities across all devices and infrastructure components. For networks with IoT/OT devices, that could mean known CVEs in device firmware, malfunctioning devices, or the presence of unauthorized open ports or rogue applications.
CMMC requires the ability to detect and prioritize vulnerabilities, so there is a need to understand the risk profile for these devices and to identify anomalous behaviors such as a rogue or infected device communicating to a bad domain.
4) Leverage analytics
IoT and device threats differ from those targeting traditional IT systems and endpoints, and tooling built for IT endpoints often does not see them. To close that gap, an organization may need IoT- and device-aware analytics that detect abnormal machine behavior and so help identify an attack.
Enhanced analytics also provide organizations with insights into device utilization to inform budgetary and maintenance decisions, allowing for better management of capital resources.
5) Prepare for audits
Like every other federal certification requirement, CMMC means a third party will audit organizations for compliance, including their IoT devices, device security controls, and asset inventory. To minimize time and cost, it’s imperative to have an accurate inventory and full visibility of every asset, including IoT devices, before an audit takes place.
Automation is essential to keeping a CMMC compliance program accurate, continuous, and up to date. With automation, organizations that need to meet CMMC requirements can quickly discover and categorize each device connected to the network, understand device functions and behaviors, and devise effective segmentation policies for securing those devices. Automation also reduces human error, leading to better operational processes for handling IoT device adds, moves, and changes.
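The inventory, baselining and anomaly checks described in steps 1 through 4 above, reduced to working code. This is an added example, not code from the article or from Ordr: it learns a per-device communication baseline from flow records captured during a known-good window, reports inventoried devices that produced no traffic (a visibility gap to investigate before an audit), and then flags later flows from devices missing from the inventory, destinations never seen in the baseline, and any contact with a known-bad domain. Every device, address, domain name and flow record is constructed sample data.

```python
"""Per-device traffic baseline and deviation check for IoT/OT networks.

Added example, not from the article or Ordr. All inventory entries,
addresses, domains and flow records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One summarized network flow, as exported by NetFlow/IPFIX or a span-port sensor."""
    src_ip: str
    dst: str        # destination IP or DNS name, as logged
    dst_port: int
    proto: str      # "tcp" or "udp"


# Constructed asset inventory: device IP -> (device type, owning team)
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.20.1.11": ("hvac-controller", "facilities"),
    "10.20.1.12": ("ip-camera", "physical-security"),
    "10.20.1.13": ("plc", "operations"),
    "10.20.1.14": ("badge-reader", "physical-security"),
}

# Constructed threat-intel list: domains no device should ever contact
BAD_DOMAINS: Set[str] = {"update-check.example-bad.net"}

# Constructed flows from the learning window (normal operations)
LEARNING_FLOWS: List[Flow] = [
    Flow("10.20.1.11", "bms.corp.example", 47808, "udp"),  # BACnet to building management
    Flow("10.20.1.12", "nvr.corp.example", 554, "tcp"),    # RTSP to the video recorder
    Flow("10.20.1.13", "hmi.corp.example", 502, "tcp"),    # Modbus/TCP to the HMI
    Flow("10.20.1.11", "bms.corp.example", 47808, "udp"),  # repeats are expected
]

# Constructed flows observed after the baseline was frozen
OBSERVED_FLOWS: List[Flow] = [
    Flow("10.20.1.11", "bms.corp.example", 47808, "udp"),            # matches baseline
    Flow("10.20.1.12", "update-check.example-bad.net", 443, "tcp"),  # known-bad domain
    Flow("10.20.1.13", "203.0.113.7", 4444, "tcp"),                  # never seen before
    Flow("10.20.1.99", "hmi.corp.example", 502, "tcp"),              # not in inventory
]

Baseline = Dict[str, Set[Tuple[str, int, str]]]


def build_baseline(flows: Iterable[Flow]) -> Baseline:
    """Record, per source device, every (dst, port, proto) tuple seen while learning."""
    baseline: Baseline = defaultdict(set)
    for f in flows:
        baseline[f.src_ip].add((f.dst, f.dst_port, f.proto))
    return dict(baseline)


def silent_devices(inventory: Dict[str, Tuple[str, str]], baseline: Baseline) -> Set[str]:
    """Inventoried devices with no observed traffic: either offline or outside sensor coverage."""
    return set(inventory) - set(baseline)


def _finding(f: Flow, kind: str, detail: str, inventory: Dict[str, Tuple[str, str]]) -> dict:
    dev_type = inventory.get(f.src_ip, ("unknown", "unknown"))[0]
    return {"device": f.src_ip, "device_type": dev_type, "kind": kind,
            "dst": f"{f.dst}:{f.dst_port}/{f.proto}", "detail": detail}


def detect_anomalies(baseline: Baseline, flows: Iterable[Flow],
                     inventory: Dict[str, Tuple[str, str]], bad_domains: Set[str]) -> List[dict]:
    """Flag flows that violate the inventory, the threat list, or the learned baseline."""
    findings: List[dict] = []
    for f in flows:
        if f.src_ip not in inventory:
            # An unknown talker is the top finding; skip baseline checks it cannot have.
            findings.append(_finding(f, "unknown_device", "source not in asset inventory", inventory))
            continue
        if f.dst in bad_domains:
            findings.append(_finding(f, "known_bad_destination", "destination on threat list", inventory))
        elif (f.dst, f.dst_port, f.proto) not in baseline.get(f.src_ip, set()):
            findings.append(_finding(f, "new_destination", "tuple absent from learned baseline", inventory))
    return findings


def run_example() -> Tuple[Set[str], List[dict]]:
    """Build the baseline from the learning window and score the observed flows."""
    baseline = build_baseline(LEARNING_FLOWS)
    return silent_devices(INVENTORY, baseline), detect_anomalies(baseline, OBSERVED_FLOWS, INVENTORY, BAD_DOMAINS)


if __name__ == "__main__":
    silent, findings = run_example()
    print("inventoried but never observed:", sorted(silent))
    for item in findings:
        print(f"{item['kind']:<22} {item['device']} ({item['device_type']}) -> {item['dst']}: {item['detail']}")
```

In practice the learning window must itself be validated (a device already compromised during learning would baseline its beaconing as normal), and the tuple-exact match used here is deliberately strict; a production version would group destinations by resolved name or segment so that legitimate load-balanced or DHCP-churning peers do not page an analyst.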
About the Author
Mike Raymond leads the Ordr Federal program and has over 25 years of experience working with the government and its agencies to secure their most valuable assets. Based out of Washington, D.C., he previously held leadership positions with A10, Riverbed, Cisco, and IBM. Mike has a passion for developing emerging cybersecurity companies in the Federal market. Mike also co-founded “No Boundaries,” a 501(c)(3) non-profit assisting combat-wounded veterans. Mike can be reached online via LinkedIn and through the Ordr website, www.ordr.net.