
Image caption: Cyber program managers must review their plans to respond to today’s evolving threat environment. (Shutterstock)

Cyber Compliance Is Not Necessarily Cybersecurity

The Cyber Edge
June 1, 2021
By Mark Spangler

To succeed, improve defenses at the speed of the threat.

Cybersecurity program managers are facing the dilemma of appropriately balancing compliance with threat tracking and mitigation. Today, amidst the ever-growing problem of data breaches, organizations are investing in protection. But simply complying with security and privacy standards seldom means systems and data are automatically secure.

A well-publicized and much-studied 2013 data breach of the Target Corporation is one example of the numerous challenges organizations encounter when balancing compliance with effective cybersecurity. Target had completed a successful Payment Card Industry (PCI) audit in September 2013; yet by December 2013, an estimated 40 million customer credit card numbers had been exfiltrated.

Target had invested heavily to ensure PCI compliance. It also had a sizable investment in network auditing and monitoring. In addition, the company hired a cyber industry leader to assist in malware detection. Despite these safeguards, a small architectural flaw in the organization’s trusted relationship with a vendor’s network unraveled the entire effort.

An important takeaway from this case is that compliance with industry standards alone cannot be interpreted as having a secure system or architecture.

The U.S. Defense Department Cybersecurity Maturity Model Certification, or CMMC, was developed to address the wholesale intellectual property theft from the defense industrial base. In 2012, Gen. Keith Alexander, USA (Ret.), former director of the National Security Agency, characterized the Chinese harvesting of vital data as “the greatest transfer of wealth in history.” According to Gen. Alexander and a multitude of FBI indictments, the Chinese military and other nations actively pilfered U.S. national defense-related information from across the defense industry.

The case of the theft of the technical plans for the Defense Department’s Joint Strike Fighter, the F-35, illustrates how significantly troubling these exploits have become. According to analysis, China exfiltrated staggering amounts of design data related to the United States’ state-of-the-art fighter jet from multiple defense contractors tasked with development of the fighter.

The Defense Department’s goal is to help the defense industrial base protect its intellectual equity by mandating minimum cybersecurity controls for implementation on systems supporting defense programs. These compliance standards, or maturity levels in the CMMC example, will raise the bar by ensuring a baseline of security controls are implemented. The challenge, however, will be to consider the maturity levels as “minimum” expected security controls and certainly not a guarantee against dedicated nation-state targeting.

Over the past two years, many nation-state and cyber industry exploitation tools have been released into the wild. As a direct result, every would-be cyber criminal, hacktivist and nation-state now has an ample supply of weapons to exploit any company’s systems. This continuous release of ever-improving exploit tools requires each company to continuously evaluate, test and improve its cyber posture. This environment mandates not only adhering to compliance standards but also implementing a dynamic mission assurance program with constantly evolving capabilities. At a minimum, to be successful, a company will need to improve its cyber posture at the speed of the threat.

The challenge, therefore, for any C-suite executive is to understand that being compliant with current standards or certifications does not translate directly to secure systems and data. It is certainly the minimum entry fee for doing business.

While these certification policies and controls may keep many nuisance hackers and some criminal elements out of company systems, they definitely will not be sufficient to keep out well-funded criminal elements and nation-state actors. As a result, it is critical that security managers develop an enterprise corporate assurance program that balances compliance certification with additional resilience measures. By focusing only on compliance standards, an organization may have expended its allocated security resources to achieve certification without being effectively secure or resilient in the dynamic threat environment.

Today, many security and privacy compliance standards for business sectors—from health care to payment cards—set a minimum for operating and safeguarding. However, these standards often focus on management practices and technical and nontechnical controls. They rarely emphasize the current exploit methods cyber threat actors use. Balancing investments in both compliance and cyber threat mitigations can be a challenging calculus that weighs legal, reputational and operational risks.

Armed with these concepts, cyber program managers should review their own program plan. Organizations need to pair certification standards with an agile cybersecurity program that can respond to today’s evolving threat environment. Program goals must not be fixed on a single point such as a certification or a standard. The aim should be to build a program proficient in responding to an ever-changing threat environment, which requires continuous improvement of cyber defenses.

Mark A. Spangler is an advisory board member for Secuvant, a managed security service provider. He also serves on AFCEA’s Cyber Committee and is the senior cybersecurity advisor to the TriSept Corporation. Spangler has 39 years of experience across information technology and cybersecurity, and served as the chief information security officer for the National Reconnaissance Office.

Share Your Thoughts:

Looking to gain additional insight into CMMC and Compliance.

Already seeing this in the NIST and CMMC controls. A simple example is the clash between the requirement to use FIPS 140-2 VALIDATED encryption, and the requirement to keep systems updated to mitigate vulnerabilities. The process for getting that FIPS 140-2 validation is SO slow that waiting can put one countless "versions" behind in almost every critical area!

"As a result, it is critical that security managers develop an enterprise corporate assurance program that balances both compliance certification with additional resilience measures."

A few years back I drafted a new Cybersecurity Mission Assurance (CMA) framework based upon standards, namely NIST CSF, ISO/IEC/IEEE 15288 and 12207, amplified for security by NIST SP 800-160 Vol. 1, and provided guidance for its use by both acquirers and suppliers in a lifecycle framework.

The intent is to have war fighters describe protection needs and their CMA levels using the CSF (modified or not) categories and sub-categories. The new CMA framework uses the principles, processes, activities and tasks of ISO 15288/12207 and NIST SP 800-160 to methodically and fully integrate security protections into the very fibre of all systems and system integration.

Using a published security assessment method, the tech and project managers can progressively assess the Verification & Validation evidence of the left and right 'V' activities, from requirements derivation, architecture, design, implementation, integration, platform tests and trials, assessments and certifications, to Approval to Operate.

This provides a progressively managed program to integrate cybersecurity directly into systems using standards-based development. By having the war fighters express their needs and set CMA targets, and by having the method provide the means to take designs and solutions and assess them against these target values, it is possible to build trustworthy and resilient systems.

Finally, through the use of a strong continuous monitoring plan and command reporting, the CMA capability can be maintained in operations and through engineering change.
