Adversaries Show the Way for CMMC
Assessment guides will help companies prepare to pass the test.
Recent actions by cybermarauders have illustrated the importance of the Cybersecurity Maturity Model Certification (CMMC) thrust by the Defense Department, and new assessment guides can help lay the groundwork for companies to meet CMMC requirements, according to government officials. These and other key points were presented at the AFCEA CMMC Lunch and Learn session held on March 19. The last of a series of CMMC lunch presentations, this session focused on the requirements drawn from National Institute of Standards and Technology (NIST) guidance, but government experts also addressed several other key issues related to CMMC implementation.
“The adversaries really do have an advantage because of the complexity of the infrastructure that we’ve built,” pointed out Dr. Ron Ross, a fellow at NIST. “This is not accusing anybody of anything. This is just the reality of where we are today. Whether you’re in the DIB [defense industrial base] or whether you’re outside the DIB, we have a national problem with regard to these cyber attacks.”
Ross continued that the SolarWinds attack was “particularly instructive” because it demonstrated how adversaries can grab low-hanging fruit, compromise a single credential and escalate privileges to operate as trusted insiders. “They can create software, they can sign that software and send it out to hundreds of thousands of customers who trust that software.”
The CMMC has taken big steps to close that gap, but no one should have any illusion that this will be easy, he continued. At a previous CMMC luncheon, panelists offered that CMMC Level 3 would not have prevented SolarWinds, but Level 4 might have. Nonetheless, Ross said, “We have to start somewhere,” as single-dimension protection will not work.
“Through architecture and engineering, there are ways today to limit the damage adversaries can do—by increasing their work factor once they’re inside the system, making it harder for them to move laterally,” he explained. “That would have been a great thing in SolarWinds.”
And that capability ultimately may move beyond defense organizations. Stacy Shank Bostjanick, director of supply chain risk management for the Office of the Undersecretary of Defense for Acquisition and Sustainment, offered that law enforcement may be a future CMMC customer. “For law enforcement, [especially] at the state level, it may be a couple of years from now,” she offered. “We do have some of the other federal agencies interested in CMMC that want to come in and start looking at it. It does line up with some of the tenets in some of the [executive orders] that have come out for cybersecurity and for the supply chain.”
She noted that the available assessment guides describe how and what will be assessed. CMMC assessments begin with a kickoff meeting where company officials meet with the CMMC third-party assessment organization (C3PAO) to learn the processes and procedures the company will go through when assessors visit. “The assessment guides will give the how-to and the steps that need to be gone through in the assessment,” she elaborated. “The guides will give somebody a great idea of what is going to be looked at, and we give examples of what kind of artifacts are acceptable—those kinds of things—in those guides.” This will help people know what the C3PAOs need to do when they come in for the assessment, she said.