How to comply with the current CMMC Standards

Jan. 17, 2023
Cybersecurity initiatives and ensuring compliance are not easy tasks in any organization, but they are critical when dealing with the Defense Industrial Base.

If you’ve ever played Jenga, you know there’s that one key piece that – if you pull it – will cause all the other wooden blocks to fall. When it comes to developed nations, it can be argued that the Defense Industrial Base (DIB) could be considered that piece. The DIB is everything and anything relating to the process of national defense and consists of “more than 100,000 Defense Industrial Base companies and their subcontractors”, plus materials providers and facilities. The supply chain is enormous, and the Cybersecurity Maturity Model Certification (CMMC) program wants to protect it.

Cyberattacks Continue to Barrage the Physical World

What CMMC brings to the table is uniformity in cybersecurity standards within the Department of Defense and among anyone who even remotely works with it. It’s an “all employees must wash their hands before returning to work” regulation, and that means all employees (and suppliers, subcontractors, and the like). They’re all the “other blocks” that support the structure and make a difference.

In theory, this is great. Who wouldn’t want to avoid another global supply chain debacle like those we’ve seen in recent years, some of which were caused by software flaws? Similarly, who wouldn’t strive to avoid the possibility of a compromised SCADA system leading to water shortages, power outages, or worse? Or another far-reaching ransomware incident like the one involving Colonial Pipeline, which disrupted a portion of the nation’s fuel supply?

Stuxnet was touted as the first time a cyberattack affected the “real world.” Since then, we have seen an increase in these real-world attacks, as noted above. Each retail operation, school, and critical national infrastructure agency has a responsibility to tighten controls and protocols surrounding security, or the next few years will be as volatile as the last. However, to go straight to the key piece, the Defense Industrial Base has the responsibility to protect them all. And that’s what this comes down to.

CMMC Standards Solve a Major Issue

Before now, it’s been a cybersecurity free-for-all. Yes, there’s GDPR and CCPA (mostly consumer-side data protection), HIPAA (much the same, but applying mostly to health-related data), PCI DSS (the payment card data protector), and SOX (the Sarbanes-Oxley Act, which is specific to financial organizations). Those are great. But they don’t get to the heart of the matter.

For people to even be in a position to make use of their personal data, healthcare plans, or business ventures, they first have to live in a safe society. It has to run smoothly. The power can’t go down, weapons can’t malfunction, and there can’t be a crack in the national defense supply chain. Those looking to undermine defenses will see what they can do from a digital standpoint (APTs, ransomware attacks, SCADA-compromising exploits) before ever launching a physical attack.

Up until now, however, there were no uniform regulations regarding how those digital defenses would be protected. A crack in the chain could leave malicious code in a military aircraft because there was no upstream code-signing process. A manufacturer of smart communications devices could have used an open-source repository to improve functionality, but inadvertently allowed latent bugs into critical systems. A volunteer at a federal assistance department could fall prey to a ransomware attack by clicking a malicious link and suddenly halt much-needed disaster relief.

As the stakes rise and threats, attack vectors, and risks increase, CMMC looks to stay ahead of the game. The FBI has already warned about latent cyber threats hiding in the sectors of critical national infrastructure, and the Defense Industrial Base is not about to be next.

All of this to say, it’s important. CMMC regulations matter, and it matters how you go about it.

How to Comply With CMMC

The CMMC framework (now CMMC 2.0) breaks down into three essential levels:

  • Level 1: Self-Assessments. This is for organizations that only handle Federal Contract Information (FCI): information provided by or generated for the Government under a contract that is not intended for public release. It is based on the 17 controls found in FAR 52.204-21.
  • Level 2: Third-Party Assessments. This is for organizations that handle Controlled Unclassified Information (CUI), and the assessment only needs to be done every 1-3 years, depending on the data type. This level aligns with NIST SP 800-171.
  • Level 3: Government Assessments. Organizations with high-priority CUI will undergo government-led assessments every three years. This level is based on NIST SP 800-171 plus a subset of NIST SP 800-172 requirements.

Like all cybersecurity initiatives, compliance is not an easy task. However, when it comes to something as important as the Defense Industrial Base, fortifying it and assessing its strength is the key to the stability of the entire tower that it helps to hold together.

About the author: Wade Barisoff is the director of product for data protection at Fortra, where he is responsible for developing the company’s next-generation data protection suite, incorporating data classification, data loss prevention and digital rights management technologies. Wade has over 25 years of experience leading and driving technology teams, successfully building and delivering products and services in the healthcare, banking and insurance categories. Follow Wade on LinkedIn.