Preparing for the Cybersecurity Maturity Model Certification onslaught
For the Defense Industrial Base (DIB), the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) compliance requirement is the hot news topic of 2021. In fact, across the DIB market, CMMC compliance will probably stay a focus through at least 2025.
However, for the long term, many organizations are looking to understand the potential impact that CMMC will have outside the DIB. On January 21, the DoD’s CISO subtly announced that her agency is working with the Department of Homeland Security (DHS) to implement CMMC in their contracts. In other words, companies that contract with other agencies are starting to ask, “How do I get compliant efficiently and cost-effectively?” The answer should include looking to NIST 800-170, hardening their systems, and automating STIG compliance.
Why are agencies jumping on Cybersecurity Maturity Model Certification?
The short story is that CMMC offers the first federal compliance requirement that looks to create clear cybersecurity standards.
The real story is a little longer.
Any company that contracts with the DoD, or any federal agency, needs to meet various compliance requirements already. There’s ITAR, DFARS, FAR, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework (CSF), and CERT Resilience Management Model. Cross-mapping all of these compliance standards is time-consuming, tedious, costly, and challenging. CMMC pulls from all of these, creating a single set of requirements that every DIB member can use to prove its cybersecurity posture.
Outside the DIB, cloud computing companies that want to work with agencies need to get FedRAMP approval. Again, this is another time-consuming, tedious, costly, and challenging compliance requirement. Also, FedRAMP pulls a lot of its compliance requirements from the same standards CMMC uses. Further, in August 2020, the Pentagon said that FedRAMP certified organizations will receive reciprocal authorization for CMMC.
Although not formalized yet, the need to reduce duplicative compliance activities and their associated costs make sense.
The time, effort, and money spent on creating CMMC mean that other agencies that need to secure their supply chain can achieve a faster and better return on investment using what’s already done. After all, as the old saying goes: “If it ain’t broke, don’t fix it.” Then again, at this point, no one knows whether CMMC is broken or not.
What does this mean for companies working with other agencies?
Despite jokes about bureaucratic red tape, the reality is that most agencies lack the resources and funding necessary to control their supply chains adequately. This pain point drives CMMC’s requirement that primes monitor their subs and that those subs monitor their subs. This flow down may not be new to companies already meeting other privacy or security compliance mandates, like the European Union GDPR or the New York Department of Financial Services (NY DFS) Cybersecurity Rule. For organizations working directly with agencies, this responsibility model may be concerning.
Fundamentally, this model creates two new requirements. Companies need to step up their own cybersecurity maturity, but they also need to get their supply chain to mature its cybersecurity. Supply chain management can impact a company’s ability to meet its contractual obligations.
First, the company that falls within these requirements needs to mature its cybersecurity. Conversations within the DIB supply chain already estimate a total industry cost of $6.5 billion to get compliant. Now, any company that works with an agency that contracts with the DoD will need to apply the same compliance requirements. Companies with DHS contracts that apply to the contracts DHS has with the DoD create an entirely new supply chain that needs to accelerate their cybersecurity maturity. As of yet, no one knows how many suppliers this involves. However, now is the time to start figuring that out.
Second, companies need to find solutions that help them monitor their subcontractors. If a subcontractor fails to meet the appropriate CMMC Level compliance, then the company can no longer maintain that relationship. Consider this scenario: Company A makes software that requires Subcontractor 1’s services. Subcontractor 1 fails to meet CMMC compliance requirements. Company A needs to replace Subcontractor 1 and find a compliant subcontractor. Until Company A finds that new, compliant subcontractor, it can no longer bid on contracts.
The biggest problem CMMC causes for organizations contracting with government agencies who look to adopt CMMC as a common cybersecurity maturity standard is their supply stream.
Gain visibility and get compliant
One way organizations can get themselves compliant faster is to automate Security Technical Implementation Guide (STIG) compliance. The cross-references and cross-mapping in CMMC lead back to NIST 800-128, ultimately giving organizations a faster way to get compliant.
Getting to STIGs
After mapping out the references between all of the different NIST requirements, the interconnectedness looks like this:
- CMMC makes hundreds of references to NIST 800-171. NIST 800-171 makes 7 references to NIST 800-128.
- CMMC makes hundreds of references to NIST 800-53. NIST 800-53 makes 76 references to NIST 800-128.
- NIST 800-128 makes 5 references to the CMMC Assessment Guide for Level 3 compliance
- NIST 800-128 leads directly to NIST 800-70
What really stands out for organizations that need to get compliant quickly are the references that NIST 800-128 and NIST 800-70 make to STIGs:
- NIST 800-128 makes 9 references to STIGs
- NIST 800-70 makes 4 references to STIGs
Leveraging STIGs for CMMC compliance
NIST 800-70 “National Checklist Program for IT Products – Guidelines for Checklist Users and Developers” explains that security configurations checklists provide a series of instructions for hardening or benchmarking IT product configurations. NIST specifies STIGs as one of the approved checklists.
Organizations use checklists to enhance their security posture which ultimately leads to enhancing their cybersecurity maturity. Another way they use checklists is to prove governance over their security posture. When complying with checklists, organizations often document their reviews, exceptions, and updates. This documentation acts as an audit trail.
Functionally, DIB members and others that need to meet CMMC compliance requirements can leverage STIGs as a way to accelerate their NIST 800-171 and 800-53 strategies. When setting up their STIGs, many companies find that compliance can break their systems, keeping them from functioning. Also, the STIGs are updated every 90 days. Getting STIG compliant might get the company secure, but it comes with costs such as productivity loss from downtime or operational costs from manually updating.
Automating STIGS: Get CMMC compliant faster and for less
Automation gives companies a way to make STIGs a value add. The checklists are considered best practices for securing data, and their connection to CMMC shows that documenting STIG compliance can streamline the process. Also, when automating STIGs with the right technology, organizations create an audit trail that reduces compliance costs.
Cybersecurity Maturity Model Certification is here to stay, and with it, DIB members need to get ready as fast as possible. Non-DIM members must start watching the signals coming from the DoD and other agencies. As the DoD applies CMMC to its contracts with other agencies, those agencies will likely begin to start implementing CMMC within their own supply chains. At the end of the day, the goal for organizations that want to bid on US federal agency contracts at any level should be looking to get compliant sooner rather than later and in a cost-effective way.