The cybersecurity compliance standard known as CMMC (Cybersecurity Maturity Model Certification) has been in play for the Defense Industrial Base² (DIB) for some time now. But amid headline-stealing cybercrime (Colonial Pipeline, JBS Foods, etc.¹), there is growing talk that a military-grade standard like CMMC is needed to protect the nation beyond the Department of Defense contractors that make up the DIB.
Already, CMMC is being adopted by the Department of Homeland Security.² Next up may be the General Services Administration, which manages procurement vehicles used across the federal government.³ The recent Executive Order from the White House is expected to work in tandem with CMMC.⁴
There is precedent for applying verification mechanisms broadly as a prerequisite for contracting with the U.S. government. Whether the cybersecurity verification mechanism takes the form of CMMC or another standard, the underlying concept will gain steam and be widely adopted.
The industries potentially in the compliance bullseye are many. Obviously, the list starts with the DIB (which can include academia, not-for-profits, manufacturing, energy, healthcare, etc.), but the government also has a major role in the implementation. It means the days of signing a contract and assuming you are good to go will end. Instead, you will obtain verification of compliance and assume you are good.
This is a mistake.
If your eyes are on compliance, you are staring at the wrong finish line. Compliance lags behind risk, and the adversary driving that risk is the cybercriminal, not the auditor. Moreover, CMMC evaluates your ability to protect the Controlled Unclassified Information (CUI) in your care (and, at its lowest level, Federal Contract Information), not your business, your mission, or your critical systems. CMMC is a 6-foot fence, and the bad guys can always build a 7-foot ladder.
Verified compliance matters. But compliance in and of itself does not ensure an effective program. You may determine that what really matters is the single point of failure in an industrial process. Protect that, and you are effective. Meanwhile, the drawings you used to configure AutoCAD are replaceable: lose them, and you can ask the customer to resend them. Not so when those drawings are for a submarine. Your program's effectiveness is measured against your own determination of risk, not against the U.S. government customer's.
Gaps like that are why we need all three: compliance, maturity, and effectiveness.