It’s not only the auditor with their bureaucratic reporting who you must appease during a periodic audit. Rather, the end result should be to continually frustrate a crafty and committed cohort of cybercriminals who are looking to do real damage to your facilities and functions, and in turn to our utility-reliant way of life.
That doesn’t mean compliance isn’t important; it is. But your long view (as you add CMMC to the alphabet soup of regulations that already includes NERC and FERC) should be on compliance as just one step to the ultimate goal: effectively preventing threats from blossoming into actual attacks. The threats are real, growing, and scary in scope and severity.
Utilities ‘a key target’
“The Nation’s energy infrastructure and digital supply chain present a key target for cyber compromise, and the frequency and sophistication of cyber threats is increasing, including from nation-state actors,” the U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response said in a 2021 report. “Technological innovation and increasing connectivity are rapidly changing the risk posture for the energy sector.”1
That growing threat is why the Department of Defense (DoD) in 2020 ruled that any businesses maintaining critical energy infrastructure information (like utility and energy companies)2 and serving the DoD may be subject to CMMC requirements, including companies that:
- Manufacture electronic communications systems;
- Supply electricity or other utility services;
- Build, repair or maintain electrical systems;
- And distribute electricity or work with transformers.
While infrastructure elements like power plants can be the lifeblood of military bases, they also provide a vector for malicious possibilities. These can range from simply knocking out electricity service to darken a base, to so-called signals and means intelligence that tracks a base’s power usage to infer what is happening there. So it’s not just infrastructure that’s at harm, but anything and everything that relies on that infrastructure. It’s a serious responsibility that needs an appropriate level of attentiveness.
Learn more: What You Should Know About CMMC
MCCPs can help maintain focus
That’s why utilities should consider using a Managed Cybersecurity Compliance Provider (MCCP) like Conquest Cyber. MCCPs blend monitoring and management of compliance, risk assessment, and defense. That way, you get help in checking bureaucratic boxes, staying aware of who is trying to do harm and how, and making sure you’re actually protected at the end of the day – and every day.
Besides, maintaining CMMC compliance itself isn’t as much of an issue as one may think. CMMC controls map to more than half of the NERC CIP requirements that are already enforced. That means compliance efforts can be approached in parallel.
In evaluating MCCP providers for suitability, you want to consider factors such as:
- Accredited CMMC experience;
- Breadth of knowledge around other compliance frameworks;
- Understanding of the industry they’ll be protecting;
- And a focus on program effectiveness and not just compliance.
The ability of an MCCP to go beyond traditional security monitoring, threat detection, and incidence response services can result in achieving and maintaining compliance 75% faster while elevating your overall security.
Culture and cyber hygiene are key
Utilities must evolve not just the way your organization approaches cybersecurity, but how security becomes embedded in the daily workplace culture through cyber hygiene habits as practiced from the generator room on up. Cyber hygiene, as defined by Cambridge, is the practice of protecting online computer information by using special software, choosing strong passwords, etc.3 Such small oversights can create -- and have created -- opportunities for malice of much greater consequence for the company, and its community.
Again, security isn’t just a check-off; it’s a foundational habit that allows you to do what you do best, without fear or interference but with awareness and diligence.
If we want to maintain our way of life, we all have to be better at cyber resiliency. And cyber resiliency isn’t just about updating procedures and staying compliant with CMMC; it’s about evolving your mindset and keeping your bullseye not on your regulator but on your rival.
Yes, work to deliver compliance. Then, go beyond compliance and get to overall program effectiveness. Because it isn’t just your company that’s counting on you. It’s also the community that you empower in the most literal way.
 https://www.csoonline.com/article/3535797/the-cybersecurity-maturity-model-certification-explained-what- defense-contractors-need-to-know.html