As the government contracting world has been learning through repeated outreach and DFARS compliance requirements, Cybersecurity Maturity Model Certification (CMMC 2.0) is high on government contractors’ lists, because securing their networks is now a contractual requirement. Building on the NIST SP 800-171 requirements, CMMC provides a much more detailed methodology for securing networks and for proving that security to CMMC Third-Party Assessment Organizations (C3PAOs).
Each level of the guidance has been an evolution; the current model is CMMC 2.0: https://www.acq.osd.mil/cmmc/
Other websites to reference:
https://resources.sei.cmu.edu/asset_files/WhitePaper/2021_019_001_652023.pdf
https://www.dodcui.mil/
https://projectspectrum.io
https://cmmcab.org/
It’s different this time because …
the stakes are higher
Adversaries around the world have learned to combine old school and new school techniques to compromise targets for power, money, or control. Old school techniques range from digging through trash to physically infiltrating targets or compromising employees; new school techniques include long-game insertion into systems, followed by modification, deletion, or encryption of data and controls. The result is a monumental task, of which the news shows only the tip of the iceberg: ransomware attacks, DDoS disruptions, supply-chain tampering such as SolarWinds, and many other attacks never visible to the general public. Public disclosure of any cyber event means it has already gone too far, and either needs emergency remediation outside a community of interest, or is part of a larger strategy (or many independent micro-strategies) aimed at influencing behavior, from funding to framing to implying evidence that may or may not exist; in effect, a broad psy-ops strategy.
it’s required to stay in business
By making cyber assurance and compliance part of the contracting requirements (DFARS 252.204-7012) for suppliers, US government contractors have more than encouragement to meet cybersecurity hardening guidelines. Company officers must attest to compliance, and willful or knowing misrepresentation can be pursued under the False Claims Act. So there is not only company risk but also personal risk, a level not previously found in contracting assertions.
it’s verified
But even if an individual could claim plausible deniability or chose to take the risk of non-compliance, CMMC’s structure of C3PAOs (CMMC Third-Party Assessment Organizations), the guidelines and grading criteria listed previously, and the 3-year certification cycle ensure that it’s not “take my word for it.” An assessment organization is staking its business and its assessors’ individual responsibility on accurate and meaningful certification. Not every level is third-party assessed: under CMMC 2.0, Level 1 uses annual self-assessment, Level 2 requires a triennial C3PAO assessment for most contracts (with self-assessment for a subset), and Level 3 is assessed by the government. CMMC also has a group “watching the watchers,” the accreditation body, to ensure that assessors’ work is accurate and representative of a system’s compliance.
It’s different this time. And that’s a good thing.