Why Cybersecurity Maturity Model Certification (CMMC) Matters for All Businesses, Not Just DoD Contractors

A Vital Set of Cybersecurity Best Practices

By John Funk, Creative Consultant, SevenAtoms

A new cybersecurity mandate being rolled out by the Pentagon has implications that reach beyond the military industrial base. Business leaders who adopt Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) have an opportunity to upgrade their organization’s security posture from low-hanging fruit to a hardened attack surface.

The U.S. Department of Defense (DoD) has been working on unifying the way military contractors and supply chain organizations protect sensitive information linked to national security dating back to 2010. Prior to developing the CMMC concept (and the follow-up CMMC 2.0), companies followed a variety of security protocols. Inconsistency and failures to maintain adequate cybersecurity measures resulted in unnecessary data breaches. Security officials at the DoD found themselves handing out penalties and fines after hostile nation-state actors had already pilfered off critical data.

“Here’s the bottom-line challenge we all face. If we get this wrong, and we do too little, there is a vulnerable supply system that is compromised and weighed down when we need it,” CEO of the National Defense Industrial Association David Norquist said. “For national security, we need to protect against both disruption as well as tampering. But what makes a market so powerful is exactly what makes this challenge so hard.”

CMMC 2.0 brings more than 100,000 contractors and subcontractors under one policy, requiring ongoing certification. These same protocols required by the DoD can deliver the heightened cybersecurity every operation needs to defend against the relentless stream of cyberattacks.

How CMMC 2.0 Works

This cybersecurity policy evolved from standards published by the National Institute of Standards and Technology (NIST). An initial model included five cyber hygiene levels that applied to outfits based on the type of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) the enterprise stored and transferred. The five tiers were revised down to the following three in the CMMC 2.0 version, which is gradually being implemented.

• Level 1: Considered “Foundational” cyber hygiene, supply chain organizations that store or transmit FCI are required to follow 17 practices to meet 59 objectives. Companies that fall under Level 1 are tasked with self-assessments and reporting the findings to the federal government.
• Level 2: Protecting CUI, this “Advanced” cyber hygiene standard tasks companies with adhering to 110 NIST practices to achieve more than 300 objectives. Depending on the type of digital assets, companies can report annual self-assessments or be vetted by a CMMC Third Party Assessor Organization, also known as a C3PAO.
• Level 3: Recognized as “Expert” cyber hygiene, military contractors and enterprises with critical CUI must meet more than 110 NIST measures, as well as other related defenses. Companies undergo an audit every three years by a C3PAO, with the outcome reported to the Pentagon.

Businesses that fail to meet the CMMC 2.0 mandate will likely find themselves sidelined. Losing revenue streams from lucrative DoD contracts tends to be more whip than carrot in the push to secure sensitive military defense secrets. But that does not necessarily mean businesses should implement CMMC 2.0 solely to gain DoD approval. The cybersecurity policy proves equally effective at repelling hackers trying to infiltrate networks out of greed.

What CMMC Accomplishes

It’s essential for business leaders to understand that cybersecurity measures are not necessarily industry specific. Anti-virus software packages, enterprise-level firewalls, virtual private networks, and other commonly used data protection strategies are deployed across the healthcare, financial, manufacturing, and military industrial base. Cybersecurity professionals and software developers continue to find new ways to protect sensitive and valuable digital assets, including those in the military supply chain, to respond to newly minted hacking schemes. The point is that the following controls, embedded in CMMC 2.0, can deliver a determined cybersecurity posture that benefits any business.

Access Control

The DoD mandate requires outfits to impose network access limits on legitimate users, including internal and remote access to information on a network. The concept of limited data access mirrors that of the “zero-trust” profiles cybersecurity experts recommend companies utilize. This essentially prevents any user from gaining access to sensitive and valuable information that isn’t necessary to complete their respective tasks. Should a hacker learn someone’s login credentials, the criminal runs into the same restrictions.

Awareness and Training

Providing cybersecurity awareness training to employees is not restricted to the military industrial base. Studies indicate that human error accounts for 88 to 95 percent of all data breaches. When companies integrate awareness training into their security plan, employees are far less vulnerable to phishing schemes and social engineering. Instead of being a weakness, staff members become a front line of defense. That’s precisely why CMMC 2.0 insists workforces know the telltale signs of a hacking threat.

Risk Management

Commonly referred to as “cybersecurity risk management,” this concept speaks to how industry leaders invest in data security. A third-party managed IT firm with cybersecurity expertise typically runs a risk assessment to determine a system’s strength and vulnerabilities. Then, business leaders review the risk assessment report to make informed decisions about how to deploy their resources. The conventional wisdom is that critical data and vital systems enjoy the greatest protection and security investment. Only by understanding risk can strategic policies and best practices be established in any organization.

Incident Response

Organizations that operate within the military industrial base face advanced persistent threats from America’s adversaries. These threat actors possess the funding, tools, technologies, and sophisticated hacking skills to penetrate networks with robust defenses. The DoD understands these cybercriminals can drill down and find a way into critical systems. That’s why CMMC 2.0 tasks companies with crafting an incident response plan. Each company requires a nuanced incident response plan that fits its processes, goals, and secures its digital assets. However, the fundamental idea of having an up-to-date strategy to respond to emerging threats and protect digital assets remains ubiquitous across sectors.

Why CMMC 2.0 Makes Sense for Wide-Reaching Businesses

Foreign threat actors typically attack U.S. military supply chain businesses to gather bits of information to better clarify America’s national security plans. This may entail stealing CUI and FCI or infecting a subcontractor’s system with malware in hopes it will spread to high-value targets. Similar supply chain attacks are taking place across the private sector, leaving no organization safe from ransomware, spyware, or other malicious applications. By adopting CMMC 2.0 as a comprehensive data protection strategy, businesses have the ability to deter, detect, and expel garden variety hackers and sophisticated cybercriminals alike.

About the Author

John Funk is a Creative Consultant at SevenAtoms. A lifelong writer and storyteller, he has a passion for tech and cybersecurity. When he’s not found enjoying craft beer or playing Dungeons & Dragons, John can be often found spending time with his cats. John can be reached online at [email protected] or at www.sevenatoms.com