How can we measure an organization’s effectiveness in applying cybersecurity controls across an enterprise? What checks are in place to enforce those controls?
If you are a U.S. Department of Defense (DoD) contractor with a role in the Defense Industrial Base (DIB), the answer is clear. You must obtain Cybersecurity Maturity Model Certification (CMMC).
Version 1.0 of the CMMC framework was released on Jan. 31, 2020, and you can see FAQs, updates and other related materials at this Office of the Under Secretary of Defense for Acquisition & Sustainment website.
Here’s an excerpt from CMMC version 1.0:
“The model encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 [3, 4, 5].
The CMMC framework adds a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.
When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.”
Still seem confusing?
To help understand the importance of the CMMC framework and how this model can and will impact and help both DoD and non-DoD entities, I turned to a friend and expert in the area – Mr. Taiye Lambo.
Taiye is a: “Thought leader, author, visionary, pioneer, serial entrepreneur, former CISO, virtual CISO and cyber security strategist.” This new website highlights many of his unique skills and successes. He currently leads several industry (for profit and nonprofit) efforts, and is most recently the founder and chief technology officer (CTO) at CloudeAssurance Inc.
I first interviewed Taiye for this blog back in September 2016, when he had just ended his role as the first CISO in Atlanta city government. He is always energetic and engaging in conversation, and his new ideas always demand industry attention. Every conversation with Taiye is an eye-opening and fun exchange, and I continue to learn a lot from each one. I am thrilled to bring you this exclusive interview with him now.
Exclusive Interview Between Taiye Lambo and Dan Lohrmann on CMMC.
Dan Lohrmann (DL): Welcome, Taiye. It is great to speak with you again on another very important cybersecurity topic.
Taiye Lambo (TL): First of all, thanks very much Dan, for giving me another opportunity to share my thoughts with you and your audience, 4 years after you first interviewed me in 2016, regarding my former role as the first CISO of the city of Atlanta. That interview gave me a unique opportunity to showcase my innovative approach to cybersecurity executive leadership at one of the major city governments in the United States and I cannot thank you enough for the opportunity.
DL: Why is the CMMC so important right now?
TL: According to the DoD, the theft of intellectual property and sensitive information undermines our nation’s defense posture and economy.
Global costs of cybertheft last year were estimated at $600 billion, with an average cost of $4,000 per American. CMMC was created to tackle this challenge head on.
The current projection is that 300,000+ DoD prime contractors and subcontractors down to 7 to 8 levels will have to comply with CMMC by 2025-2026.
DL: How is this certification different than the NIST Cybersecurity Framework, or other standards that governments have committed to support?
TL: CMMC Maturity Levels actually enable one entity to do a true apples-to-apples comparison against another entity.
This is the first maturity-based cybersecurity certification mandated by a U.S. government entity with global reach and implications. Existing cybersecurity standards have proven to be ineffective at reducing breach probability due to their compliance focus vs maturity level focus.
CMMC includes an actual maturity model. However, the NIST Cybersecurity Framework does not, so without overlaying the NIST Cybersecurity Framework with proven maturity models such as the decades-old Capability Maturity Model Integration (CMMI), as I did for the Federal Reserve Bank of Atlanta, most organizations stop at just compliance.
DL: What are the benefits to using CMMC for state and local government security leaders?
TL: Ability to use CMMC to take your cybersecurity program beyond compliance to maturity.
Ability to use CMMC to measure and benchmark the current state maturity of your cybersecurity program.
Ability to use CMMC to measure and benchmark the current state maturity of your vendor partners' cybersecurity programs.
DL: If an organization wants to go down this road, what are the practical first steps?
TL: First, build a business case for CMMC Maturity Levels 1 – 5 based on stakeholder requirements.
Second, perform an objective validation assessment to determine your current CMMC maturity level.
Third, determine your desired future state CMMC maturity level based on stakeholder requirements.
DL: What help is available?
TL: Subscribe to the CMMC-AB mailing list, to receive information about the CMMC-AB program.
Join the CMMC Group on LinkedIn to contribute to discussions and also learn from industry perspectives related to the CMMC rollout.
CMMC-AB is in the process of vetting third-party professional services providers as registered provider organizations (RPOs). These organizations are authorized by the DoD to deliver non-certified CMMC consulting services. My company, eFortresses, happens to be one of the organizations currently under consideration for RPO approval by CMMC-AB.
DL: Are there tools that can help?
TL: In my vCISO work, as described in my latest LinkedIn article, I currently use this CMMC ScoreCard platform to perform independent CMMC validation assessments, which is a critical first step for organizations pursuing CMMC Maturity Levels 1 – 5.
It is also important that organizations start by building out or maturing their cybersecurity programs, with a focus on strengthening their people and processes, before leveraging tools to strengthen people and automate processes.
DL: Where do you see this going over the next few years?
TL: The impact of CMMC will most likely be felt in every industry vertical globally, from paint manufacturers to fighter jet manufacturers.
DL: Can we get to one cybersecurity standard rather than so many different approaches?
TL: Very unlikely, due to the fragmented nature of cybersecurity standards globally. However, continued harmonization of these standards (NIST, ISO and CMMC) is going to be key.
The jury is still out on whether CMMC will really gain adoption as intended. I said the same thing about ISO/IEC 27001:2005 one year after it was published, in my 2006 article in the ISSA Journal. In that article, I raised the question of whether ISO 27001 was the future of information security certification. I think you would agree, 14 years later, that while ISO 27001 has not become the ONE cybersecurity standard, it has become the gold standard for implementing, certifying and maintaining an information security management system (ISMS).
DL: Is there anything else that you would like to add?
TL: Achieving CMMC could be a competitive advantage and leveler for small, disadvantaged businesses. Achieving CMMC may be compelling if it actually reduces cyberinsurance premiums because it is proven to help reduce breach probability.
These businesses can also take advantage of the fact that the DoD treats the cost of achieving CMMC as an “allowable expense” at contract award.
DL: Thank you, Taiye, for providing your expertise in this important discussion.
Unless you are familiar with DoD language, the acronyms and buzzwords are often confusing, and the details surrounding CMMC are no exception. However, I believe CMMC is a worthwhile topic for state and local governments to consider. Many organizations profess to be supporting the Cybersecurity Framework, but they do little to actually verify and measure their progress toward their maturity goals.
If you want more specific details on what CMMC contains and who is required to comply, I recommend these two articles from Varonis and CSO magazine to answer questions. Or just read the CMMC framework directly, which explains the program.
I agree with Taiye that this more detailed guidance is the future of cybersecurity — because we can measure progress. Whether another (different) model is used for non-DoD situations (in conjunction with NIST and others) remains to be seen. Nevertheless, the CMMC mandates are important to understand and apply in many situations and organizations.
Finally, don’t forget that these same companies that are obtaining CMMC maturity levels are also supporting many state and local government technology and related security efforts.