The US Department of Defense (DoD) rolled out Version 1 of the Cyber Maturity Model Certification (CMMC) framework and audit program on January 31, 2020. A comprehensive and flexible guideline, the CMMC (or something very much like it) could well become “the” cybersecurity standard for the entire US federal government. This idea is already gaining traction and generating significant buzz across all government supply chain sectors.
We hope you’ve had a chance to view the amazing opening episode of Pivot Point Security’s new The Virtual CISO Podcast, which featured Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber and the DoD’s point person for the CMMC rollout. Katie had a number of thought-provoking ideas about a unified US government cybersecurity standard, and why it makes so much sense.
The point of the CMMC is to “trust but verify” that the DoD’s supply chain partners are doing what they must do to protect controlled unclassified data. “Not updating passwords, not doing 2FA, not marking data appropriately” were among the commonplace issues that Katie raised. Small wonder that we’ve been taking a beating in the cyber war we’re now engaged in.
Katie also raised the issues of quantum computing and 5G, both of which will come online by 2025: “If you think of encryption as the locks on your doors and windows and the 4G network as your house, in 2025 quantum computing is going to eliminate your doors and without 5G security there’s no walls on your house—nothing to keep ‘the elements’ from coming in.”
The CMMC is “the start of a new way of doing business,” in Katie’s words. She sits on the Federal Acquisition Security Council, which was established in 2018 to create unified standards and processes to secure the federal government. Katie stated point-blank: “I’ve talked to many other federal agencies, and this framework [the CMMC] is something they’re all looking to adopt.”
A common security standard for the US government supply chain makes undeniable sense and is a win-win for everyone: not just for the government and citizens but also for contractors. With a national cyber certification program in place, certified entities could do business with any government agency at their certified security level (1-5) using the same validation mechanism. Today vendors must spend time and money dealing with what may be several standards, even within the DoD procurement sphere alone.
Katie likens CMMC certification to the evolution of driver’s licenses: “Back when the first automobiles came out there were no rules—no roads!—you could drive wherever you wanted to. As we realized we’d have to use the same roads to get where we were going, there had to be a common understanding of risk, and everybody needed to be qualified with the same understanding to drive safely together. To reduce the risks we came up with driver’s licenses—at some point you had to get a license to drive, which meant passing a test to show you understood the critical thinking around driving a car. At the end of the day the CMMC is your cyber driver’s license.”
Vendors focused on their upfront costs might resist the CMMC initially, but that will only hurt them in the end because it is definitely not going away.
My suggestion is to heed the words of Katie Arrington: “The DoD is the world’s largest buyer, and we’re determining how to do the buy. Therefore everybody will jump on board.”
Or pull over and watch the world go by…