CMMC Takeaways for the NON-DIB Business
The United States Department of Defense (DoD) is serious about securing the nation on all fronts: in the air, on the land, at sea, in space, and in the digital realm. Cyber defense is critically important to protecting the infrastructure of the United States and her allies. The DoD is migrating to a new Cybersecurity Maturity Model Certification (CMMC) to standardize and implement cybersecurity in the businesses that make up the defense industrial base (DIB) that supports the US government. After billions of dollars of losses, national secrets shared, disruption, and sabotage by bad actors and nation states, the DoD now has a methodology to verify that those businesses are practicing good cybersecurity hygiene. The DoD is working through an accrediting body, the CMMC-AB, to inspect and verify that the businesses are cyber-safe, cyber-secure, and cyber-resilient. The CMMC framework synthesizes several frameworks and standards already in use and builds on them. Before CMMC, as long as businesses had a plan with milestones to fix gaps and self-attested that those gaps would be remediated, they were able to work on and bid on contracts. That model is no longer accepted: to bid on DoD contracts going forward, businesses must meet all CMMC security practice domains, scoring 100%.
There is a great deal for businesses in the commercial space to glean from the CMMC standards and apply to their organization’s cybersecurity. Securing your data and defending the integrity and infrastructure of your business from cyberattacks and disruption is undeniably one of the most important roles of business leaders.
During World War II, civilians who worked in the factories and storefronts to support the war effort were referred to as “soldiers without uniforms.” In the present age, the tremendous increase in cyber threats resembles a relentless wartime assault. One can’t help but consider that the roles of cybersecurity professionals resemble those of soldiers, but on the digital front instead of land, air, or sea.
Even if your business is not part of the DIB supply chain as a government contractor, and even if you are not a cybersecurity professional, businesspersons have a responsibility to fellow employees, clients, and their country to remain cyber-safe, cyber-secure, and cyber-resilient.
Here are a few takeaways from CMMC for commercial businesses:
Regularly assess your cybersecurity posture, and consider a third party to assist you.
CMMC is currently scheduled to be reassessed every 3 years, with the standards to be maintained continuously and enhanced during that time. Businesses should schedule time to assess their cybersecurity on a regular basis. Whether it is a yearly review with milestones to improve security practices during the year, or a semi-annual review, having a process baked into operations will ensure that what gets inspected gets done.
Not many businesses have the training, experience, and know-how to advise on and implement best practices in cybersecurity. Having an unbiased third party review cyber hygiene and provide guidance will help the organization reach its security goals faster. Plan to choose a staff resource who will lead the effort to review and revise the policies and procedures at regular intervals. An expert advisor outside of the corporate hierarchy can serve to unite separate business units around efforts to standardize and effectively meet cybersecurity goals, while serving as a partner for accountability.
What data you store, and where you store it, matters.
The DoD recognizes that security is not one-size-fits-all: CMMC has five different levels of cybersecurity progression, from basic cyber hygiene to advanced, with the levels related to the types of information stored. A few examples of baseline cybersecurity standards include whether anti-virus and anti-malware are deployed, whether password management policies are in place, whether physical entry to the workspace is secured, and whether software and systems are regularly updated and patched. In CMMC, as the levels increase, the controls build on one another and become more advanced, including at Level 5 things like advanced persistent threat detection, the establishment of an incident response team that is capable of investigating incidents within 24 hours, and boundary protections deployed specific to the organization’s needs. In the same way, businesses can begin with good cybersecurity practices and plan to build and hone them over a period of time.
Businesses should begin with the data they have. Sensitive information like employee files, banking information, and credit card information should be stored and treated differently from other corporate information. Do you have industry secrets that need to be secured? Are policies created around the protection of that intellectual property? Additionally, if your business stores protected health information (PHI), there are extensive regulations around privacy, data retention, and data disposal that need attention and documentation. Who has access privileges to that information? Is multifactor authentication (MFA) deployed as a second or third method of identity verification? Where is that data stored?
There are many ways to store information. While some businesses do not have the requirements typical of many government contractors, thought should be given to the benefits and drawbacks of data secured on-premises vs. off-premises, whether cloud storage or a hybrid solution is appropriate, and how backups are handled. Authorization to access data should be limited to only the people who need access: the larger the number of people, the greater the probability of accidents, theft, or misuse of data.
Maturity: security procedures and processes proven out over time are a must.
Cybersecurity is not a one-and-done program; it is an ongoing commitment. To achieve CMMC, organizations need to be able to prove that they have in place cybersecurity practices and procedures that are proven and documented over time. For businesses in the commercial space, start with physical security, hiring policies, anti-virus, and anti-malware. Create a password policy, require MFA, and consider investing in a password vault for company use. Examine whether a policy on personal devices at work or at home needs to be created, and whether consumer software is allowed for business use. While this can feel overwhelming, setting a goal to implement policies and standards over time, not necessarily right away, will take some of the strain off of employees. Education and a reasonable implementation schedule allow staff to willingly support the effort and adopt continuous practices.
Regular cybersecurity training for employees is non-negotiable.
One of the largest areas of cybersecurity vulnerability for any organization is mistakes made by employees. Targeted phishing through email, phone calls, text messages, and social media has increased sharply since the COVID-19 lockdowns and is projected to increase in quantity through 2021. Phishing attempts create opportunities for staff to accidentally click on links or respond to emails that infect networks or allow access to data. Investing in regular training for employees is a highly effective way to protect your business against the barrage of phishing.
Defined cybersecurity practices and implementation are a must for government, government contractor, and commercial businesses. Businesses can learn a great deal by studying the security practice domains in the CMMC framework and applying portions as appropriate to their business to achieve cybersecurity maturity.