Connections Are Key to Making CMMC Work
All levels of contractors must cooperate and apply the new security standards.
The success of the new Cybersecurity Maturity Model Certification (CMMC) will hinge largely on diverse types of contractors sharing information and following security standards, said a panel of experts exploring CMMC ramifications. Speaking at AFCEA’s Virtual CMMC Symposium, the government officials emphasized that the CMMC will be both an opportunity and an obligation to the defense community.
Ty Schieber, chair, CMMC Accreditation Body, explained that community input will be valuable to defining and implementing the CMMC. “We’re not intending to create tools as an AB [accreditation body],” he declared. “Our thought is, ‘Let’s harness and harvest the great thinking that has already been done.’ Our goal is a clearly identified requirement. We want to allow the user community to make the determination.”
He noted that his office issued an initial request for proposals on LinkedIn for continuous monitoring—not for anything that would run afoul of privacy concerns, but to guarantee that the security is doing its job. “Our intent is to explore mechanisms that ensure that CMMC is effective,” he explained.
Schieber continued that his office’s website—CMMCAB.org—is the authoritative place for information from that office. “You’re going to see a tremendous amount of information posted there in the next couple of days,” he added.
Katie Arrington, chief information security officer for defense acquisition, reiterated a point she offered earlier at the symposium. “Don’t wait for the CMMC to take effect to take good security measures.” Arrington noted that the CMMC is what is needed now to validate the prime-sub contractor relationship.
And that relationship is a key part of contracting security. Robert Hanson, senior cybersecurity advisor, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, pointed out that a lot of opportunity exists for security posture improvement in the defense industrial base. Many simple activities have the potential to reveal vital information to adversaries.
“If you’re on a video chat and you have a whiteboard behind you, there might be some information on that you don’t want to share,” Hanson pointed out. “That’s basic cyber hygiene.”
Arrington also touched on the importance of the supply chain. The CMMC will lay bare the supply chain and the reliability of its suppliers, she noted, observing that the COVID-19 pandemic has provided a new awakening in the importance of the supply chain. “We are focusing on illuminating the supply chain,” she offered.