Risk

10/20/2020 02:00 PM
Nahla Davies
Commentary
The Cybersecurity Maturity Model Certification: Are You in Compliance?

Not only can this framework help companies remain solvent, but it will also protect critical information from getting into the wrong hands.

Let's face it: Cybersecurity risk isn't going anywhere, and it's only going to get worse. This realization led the Department of Defense (DoD) to create the Cybersecurity Maturity Model Certification (CMMC) early this year. It is a unified standard for implementing cybersecurity across the more than 300,000 companies in the DoD supply chain.

The CMMC takes into account that most businesses can't keep up with the influx of vulnerabilities affecting their infrastructure and software. It's the DoD's answer to widespread compromises of critical defense information, which is usually stored on contractors' information systems rather than the DoD's own.

Why Is CMMC Compliance So Crucial? 
There has been a steady increase in the number of data breaches and other cybercrimes in the past few years. With this in mind, companies have started applying artificial intelligence and machine learning to cybersecurity to curb cybercriminal activity, though such solutions are still a work in progress.

Companies need to strengthen their defenses against attackers, both to protect their online identities and to block malware that could harm their networks.

Back in 2015, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause. As a result, contractors needed to ensure compliance with the NIST SP 800-171 cybersecurity framework.

Understanding and implementing DFARS's requirements has been a constant struggle for contractors. While a few firms had the resources to make themselves compliant, others were subcontracting their cybersecurity responsibilities to managed service providers.

Although the DoD took steps to make the adoption of DFARS easier, many companies were still lagging behind with the implementation of the earlier framework. Some companies even falsely said they were in compliance through deliberate deception or claiming ignorance. Hence, CMMC was introduced to solve this issue.

These standards make sure that the appropriate levels of cybersecurity controls and processes are in place, which, in turn, will protect controlled unclassified information (CUI) on the DoD's contractor systems.

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but that is not classified information (such as information classified under the Atomic Energy Act). In other words, it's unclassified data that must still be strictly protected within an information system. This covers many types of data, such as health documents, legal material, technical drawings and blueprints, and intellectual property.

The Four Levels of CMMC Compliance That Vendors Should Know About
CMMC compliance has five defined levels, ranging from basic cyber hygiene to advanced security. Each level has its own set of practices and processes, and the levels are cumulative: to certify at a given level, a vendor must meet the practices and processes of that level and every level below it, which creates an "all or nothing" approach.

Level 1:
Every company must perform "basic cyber-hygiene" practices. This includes ensuring that employees change passwords regularly to protect federal contract information and using antivirus software to keep the network secure and safe from threats.

This level does not cover public information or certain transactional information.

Level 2:
Companies should document "intermediate cyber hygiene" practices to enhance their efforts to protect any CUI, and they must implement some of the NIST 800-171 r2 security requirements.

The National Archives describes CUI as "any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls." However, it doesn't include certain classified information.

Level 3:
In order to successfully implement "good cyber-hygiene" practices to safeguard CUI, companies must have an institutionalized management plan. This plan includes all the NIST 800-171 r2 security requirements, along with other additional standards.

Level 4:
Company owners should take the necessary steps to implement processes for measuring and reviewing the effectiveness of practices.

In addition, enhanced practices should be in place to detect and respond to the changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).

What Can Suppliers Do to Ensure They Are in Compliance With the CMMC?
The following are the five steps through which DoD contractors can prepare to pass a CMMC compliance audit:

1. Learning the 17 Technical Requirements
Contractors have to learn and understand the 17 different technical requirements mentioned in the program, including access control, audit and accountability, media protection, risk management, security assessment, and system and information integrity.

2. Choosing Between In-House Compliance and Outsourcing
Contractors should decide whether they want to achieve compliance in-house, or whether they would rather outsource the process by handing some of their IT infrastructure to a managed service provider.

3. Carrying Out a Readiness Assessment and Gap Analysis
A readiness assessment and gap analysis shows where a company's current practices fall short of the level it is targeting. Reviewing data storage, incident response plans, IT staff and personnel training, and security protocol implementation gives the company a clear picture of what must change before the audit, which is increasingly valuable in this era of digitization.

4. Implementing Cybersecurity Monitoring
Contractors who work on high-value projects have to implement robust cybersecurity monitoring, which includes investing in a high-quality threat detection system.

5. Developing a System Security Plan
Developing a detailed system security plan is crucial. Contractors have to clearly outline their company policies, administration tasks, and employee security responsibilities in this plan.

Overall Goal
CMMC is complex, but achieving compliance with this cybersecurity framework could help organizations prevent data breaches and stop unauthorized access into their networks.

Companies must realize that compliance with this cybersecurity framework is for their own good. Not only can it help them remain solvent, but it will also protect critical information from getting into the wrong hands.

Nahla Davies is a software developer and tech writer. Before devoting her work full time to technical writing, she managed -- among other intriguing things -- to serve as a lead programmer at an Inc. 5,000 experiential branding organization whose clients include Samsung, Time ...
Comments

altazv (User Rank: Author), 12/16/2020 4:22:33 PM, "Making it sustainable":
Thank you, Nahla. One thing I would add, from a sustainability perspective, is to ensure the processes are continually monitored for compliance. This will serve to reduce the audit overhead while integrating into key value stream processes for delivery.