In the not-too-distant future, I can clearly see how ISO 27001, SOC 2 and HITRUST certifications could become a diminished, legacy activity, viewed as a rarity left over from marketing efforts to distinguish an organization’s security posture from its competition. Absurd? Unrealistic? Actually, it is a very pragmatic understanding of what is coming with the Cybersecurity Maturity Model Certification (CMMC) that the US Department of Defense (DoD) is rolling out just a few short weeks away (January 2020).

Compliance with CMMC

The initial scope for compliance with CMMC is a conservatively estimated 200,000 businesses that make up the U.S. Defense Industrial Base (DIB). This company-level certification requirement impacts every business from the titans of the defense industry (e.g. Boeing, Raytheon, etc.) all the way down the supply chain to small IT providers, janitorial service companies and bookkeepers. Even these small subcontractors have the potential to negatively influence the security of the weapons systems and support services that the U.S. military relies upon, because of their possible access to sensitive data.

Essentially, CMMC is the method the DoD will use to perform independent, third-party audits of companies that fall within scope for NIST 800-171 compliance.

If you are not familiar with CMMC, you are not alone. However, it is something that you should take time to educate yourself on since it is on its way to becoming the “gold standard” of cybersecurity certifications for businesses regardless of the industry.

While NIST 800-171 exists to protect Controlled Unclassified Information (CUI) from a U.S. government perspective, it is ideally suited to protect any type of “sensitive” data, from personal data to trade secrets. The DoD is taking a data-centric approach to security where the focus is on CUI as it is stored, transmitted and processed throughout the entire lifecycle of