CMMC is a culture shift: Is your organization ready?
As much as cybersecurity tools and methods have evolved, cyber threats continue to hang ominously over the head of business leaders. And if this is for a good reason: one report notes that nearly one-third of U.S. businesses have fallen victim to a data breach.
Not wanting to continue to sit in a reactive stance, the U.S. Defense Department (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC). CMMC aims to ensure that the suppliers and contractors meet cybersecurity standards equal to the types of data they are handling on the DoD’s behalf.
Verified through assessments and eventually, a requirement for being awarded a DoD contract, the CMMC Accreditation Body (CMMC-AB) designates suppliers with one of five Levels of sophistication, increasing in scale and scope until level 5 certification.
But with so many aspects of an organization’s structure, policies, systems and security tools playing into the evaluation, the thought of experiencing a CMMC assessment can seem daunting.
So what can an organization do to not only ready their security professionals but get their entire enterprise culture ready for the CMMC?
Why is alignment with the CMMC important?
The CMMC-AB states, the goal of the CMMC is “intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information.”
Directly or indirectly, various functions within a business supporting the DoD will come in contact with controlled unclassified information (CUI), which is the target of many cyberattacks. Whether it is finance professionals handling contract data, HR staff supporting professionals working on projects or engineers and technicians directly interacting with sensitive CUI, the CMMC assessment will account for how an entire organization manages and controls risk.
Even Level 1 certifications, which include basic cybersecurity best practices like consistent use of strong passwords, antivirus software and access controls, rely on every member of an organization to demonstrate alignment.
Reaching higher levels of certification requires organizations to meet a wide range of security requirements. For example, CMMC Levels 1 to 3 require contractors to meet 110 security requirements specified in the NIST SP 800-171, which CMMC Assessors confirm are in place and institutionalized across the contractor’s business operations.
Finally, in November 2021, the DoD introduced the CMMC 2.0, which adjusts the “strategic direction” of the certification program. The CMMC 2.0 keeps the program’s original purpose while also “simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy and contracting requirements.” In practice, organizations will be able to self-certify compliance in some instances and create “Plans of Action and Milestones” to identify their ongoing plans to reach a standard as of the date of an award while maintaining the need for independent Maturity Level assessments.
In any of these cases, organizations are relying on their employees to abide by the documented security standards affirmed by the CMMC assessment and help with building a security-minded culture that helps maintain and grow a more robust security consciousness and aptitude over time.
Why is CMMC alignment an organization-wide initiative?
While the goal of a CMMC assessment is to achieve the necessary certification to meet the procurement requirements of DoD contracts, ultimately, the CMMC confirms that the necessary security and organizational controls are in place to protect sensitive data and information.
This is particularly important when working to achieve Level 3 certification, where advanced controls are employed and consistently applied and the Level 4 and 5 certifications levels, where organizations need to proactively prepare for advanced persistent threats (APTs). In these cases, security tools and policies only go so far. One of the best ways to reduce cyber risk is to create a mindset in every employee that the risk is real and that their daily decisions can influence the success or failure of their security protocols.
In other words, alignment with the CMMC needs to be a part of a broader organizational culture that encourages employees to make purposeful decisions that fit security best practices. In practice, this will result in an organization where employees — and not just security professionals — act on cybersecurity best practices on their own, taking ownership for identifying unusual activity, actively looking for issues and taking ownership for the security of their accounts and devices. With over 90 percent of cyberattacks involving an employee’s interaction — knowingly or not — the stakes can be higher than just maintaining a CMMC certification.
What are some of the potential big organizational changes?
While each CMMC Certification Level requires alignment with cybersecurity standards and best practices, making these changes a reality and maintaining them will require a shift to a security-minded organizational culture. This can be especially true as certification levels increase, where employees will be expected to adjust their workflows and behaviors to secure the CUI and Federal Contract Information (FCI) their organization has been entrusted with against more complex and sophisticated threats.
For example, some of the more common security-focused changes the CMMC can spark implementation of could include:
- Adopting multi-factor authentication
- Establishing separation of duties
- Creating network segmentation and private networks
- Implementing a patch management program
- Establishing an employee training and awareness program
- Creating and practicing an incident response plan
- Securing mobile devices
- Encrypting and backing up data
- Establishing a performance measurement program
The success of each of these changes and the impact they will have toward meeting the CMMC standards and establishing the controls needed to mitigate cybersecurity threats will rely on building a strong security culture where every employee feels that security is part of their job, too.
In other words, while the CMMC may be a recent initiative and goal for an organization to achieve, implementing and integrating the changes required commitment, resources and leadership.
Bringing it all together
A strong cybersecurity culture means more than just achieving CMMC certification; it is one where employees are:
- Aware of their role in mitigating risk
- Knowledgeable about the threats to the FCI and CUI to which they are entrusted
- Open to security technology and processes
- Empowered to protect data and their customers
Ultimately, these are the qualities and foundational elements for a strong defense against evolving cyber threats. The NIST Standards that underpin the CMMC Model from which they are developed are looking to achieve.
- 90 percent of data breaches are caused by human error, TechRadar
- Almost One-Third of U.S. Businesses Had a Data Breach, BusinessWire
- The Cybersecurity Maturity Model Certification, Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification
- Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, National Institute of Science and Technology
- Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program, Department of Defense