Combining Cyber Standards – Is ‘Unified’ Always A Good Approach?

The CMMC enforcement model will require a significant adjustment to the way contractors conduct government business – from procurement to execution. In Part 2 of this series, I discussed the possible impacts of having your company’s security rating made public. In Part 3, I would like to discuss the impact of having one unified standard for cybersecurity on a company’s compliance practices.

The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard. In the complex world of cybersecurity, standards are good and have been sorely needed in both the government and commercial worlds, specifically when it comes to managing supply chain risk. Keeping standards simple enough for any organization to comply with is equally important.

DevOps Connect:DevSecOps @ RSAC 2022

Add your view to our Twitter poll:

From my perspective, here are the pros and cons of the CMMC’s unified approach:


  • For organizations that currently don’t need to comply with any given mandate, the CMMC’s unified approach is good because it can identify an appropriate level of maturity for the organization’s compliance program, and it will help identify an appropriate level of resources — preventing over- or under-investment in compliance.
  • The DoD is the first to define a security framework that can be used throughout the entire supply chain. As commercial organizations incorporate services into their solutions, supply chain security is becoming more and more of a concern. This DoD supply chain framework might just be a framework that organizations can leverage across industries when customers start asking about the organization’s security posture.

(Read more...)