The Department of Defense’s CMMC (Cybersecurity Maturity Model Certification) program has undergone multiple changes, revisions, updates, and organizational shifts over the last two and a half years. As a result, DoD officials expect to include CMMC requirements in federal contracts as soon as May 2023.
The CMMC program is focused on protecting sensitive DoD data held by government contractors. CMMC Level Two—the compliance level most of the DIB will need to maintain— requires companies to meet 110 controls on handling controlled unclassified information (CUI) from NIST Special Publication 800-171.
Pentagon cyber chief David McKeown says there are ongoing discussions to create a “cyber secure framework” for the defense industrial base (DIB) that will go beyond the CMMC program and be based on the NIST cybersecurity framework. However, the Pentagon is in regular contact with only one percent of its DIB partners, which presents a problem when notifying companies about potential threats and building resiliency.
Cybersecurity policy compliance is always in your best interests.
There has been a recent increase in the number of commercial organizations mandated or have voluntarily chosen to standardize on the Center for Internet Security (CIS) or STIG benchmarks as cybersecurity best practices. But updating and making sure you are compliant is not enough.
In most cases, updating, vulnerability scanning, and configuration management processes are individually managed to match the underlying technologies. However, the devil is truly in the details, such as specific controls and compliance requirements set against each type of infrastructure. And then, there is ongoing management and maintenance of your secure baseline to prevent compliance drift.
But cybersecurity is not just about compliance and a secure baseline. It’s about resiliency, too. While a cybersecurity strategy can help prevent a data breach or reduce the risk of malicious activity, a cyber resilience strategy helps specifically mitigate the impacts of these attacks. Cyber resilience is aimed at continuously delivering the intended outcome, despite the attack. It mitigates the risks and severity of attacks and includes practices such as Zero Trust and continuous diagnostics and mitigation (CDM) for good management configuration.
The upshot is that it shows your government clients you value and understand their security needs and are willing to go the extra mile for the sake of security. As Brian Hajost, COO of SteelCloud, says, “Compliance puts a halo around your proposal” and moves it to the top of the stack.
Moving toward CMMC and NIST compliance in the DIB.
The CMMC program suggested for the DIB is focused on protecting sensitive DoD data managed by government contractors. CMMC Director Stacy Bostjanick says the DoD plans to send the new CMMC rulemaking to the Office of Management and Budget for review in “mid-July to early August.” They intend to release an “interim rule” in March 2023 that will go into effect 60 days after publication.
“Day one, not everybody will be required to have a certification to handle CUI. It’s going to be a phased-in approach,” Bostjanick said. “We have promised to make sure companies would not end up in a scenario where [they] can’t get a certification but [they] want to participate in a contract.”
Another aspect of CMMC certification the DIB may want to prepare for is DFARS 7020. It requires contractors to provide the Government access to its facilities, systems, and personnel any time the Department of Defense (DoD) is renewing or conducting a medium or high assessment.
Putting it all together into a cohesive cybersecurity roadmap.
All you need to do is seamlessly knit together regulations, cybersecurity standards, and best practices to meet each CMMC maturity level and reduce your risk against threats. By next summer. Clear as mud? Here are some tools that can help:
- NIST 800-128 outlines the National Checklist Program (NCP) that helps you find the specific controls you need to target to get your organization and its products and services secure and compliant
- Security Technical Information Guides (STIG) and Center for Information Security (CIS) controls are long-established pathways to help you get where you need to go
- Automation is key to achieving compliance in a timely, affordable manner. SteelCloud’s ConfigOS is the STIG and CIS hardening and automation standard in the DoD, and 8 out of the top 10 system integrators use it. It can accomplish what it would take qualified engineer’s weeks or months to do…in just an hour
You will need specialists to understand all the best practices, how they interlink and how to identify all the controls. But, with automation, you won’t need a whole team of them to make you compliant and keep you that way. And, even if you start tomorrow, you can easily beat your 2023 deadline and show your customers you are just as proactive and dedicated to cybersecurity as they are.
Automation is the key to making security compliance a more efficient and affordable process, particularly when hardening government-mandated STIG and CIS controls. Yet, some are still doing the same things the same way while encountering the same recurring problems repeatedly. After all, it’s familiar and how it has always been done. And if configuration management and compliance weren’t so important and increasingly complex and demanding, that would be fine. But as demands grow, so does the need for an automated helping hand.
SteelCloud’s approach to configuration management is automated—and ConfigOS was built from the ground up specifically to address every phase of DevOps security and in every type of environment, from air gap classified environments to regular on-prem environments to the cloud. Furthermore, it is purpose-built, to attain authority to operate (ATO) and maintain it over time, scanning and remediating endpoints 24/7.