Last Updated on June 29, 2021
A wise man once said that the only thing worse than too little information security guidance is too much information security guidance. With the US Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC) now shouldering its way to the front of the line, how will other “competing” third-party attested InfoSec frameworks, particularly ISO 27001 and SOC 2, fare going forward?
This topic came up on a recent episode of The Encrypted Economy Podcast, hosted by industry thought leader Eric Hess and featuring special guest John Verry, Pivot Point Security founder, CISO and Managing Partner.
The DoD’s mandate for CMMC will drive it into hundreds of thousands of organizations worldwide. Meanwhile, other US government mega entities—like the Department of Homeland Security and the General Services Administration—are putting CMMC compliance language into their contracts even faster than the DoD.
According to John, discussions are also in the works on leveraging CMMC within the Securities and Exchange Commission (SEC)’s Sarbanes-Oxley (SOX) program and the US Department of Education’s Family Educational Rights and Privacy Act (FERPA) program. That could put CMMC on the agenda for every US public company, plus a high percentage of colleges and universities.
Why the CMMC snowball? CMMC is specifically designed to protect Controlled Unclassified Information (CUI), which encompasses everything from technical drawings to student records to financial data to health information to legal material. Lots of federal agencies (if not all of them) need to protect CUI within their supply chain/vendor base.
“So now [with CMMC] you have an attestation framework from the US government, which we’ve never had before,” John notes. “So, who’s in more trouble due to CMMC—ISO 27001 or SOC 2? I’d say SOC 2, because ISO 27001 is outside our borders.”
“SOC 2 is inside our borders and is now competing with a framework that’s government mandated and government centric. And an inordinate percentage of the US economy is tied into the federal government,” adds John.
But CMMC could slow the growth of ISO 27001 certification as well, and not only in the US.
“Where ISO 27001 could be in danger is within the NATO Alliance,” explains John. “In order for those organizations to participate in our defense food chain, they’re probably going to use CMMC. If the NATO Alliance starts to use CMMC, and most of those firms are now ISO 27001 entities, we may see ISO take a bit of a back seat to CMMC.”
To add some perspective, John remarks that perhaps 40,000 to 50,000 entities worldwide have earned ISO 27001 certifications since 2005. About the same number of organizations will need to achieve CMMC Level 3 certification, which is comparable to an ISO 27001 certification, in less than five years—and that’s just within the defense supply chain. Never mind the 250,000+ firms that will need to comply with CMMC Level 1, and never mind non-defense entities.
“If you want to pitch that CMMC is going to become the be-all/end-all, that’s the path that it’s happening on,” concludes John.
To listen to The Encrypted Economy podcast episode with special guest John Verry in its entirety, click here.