AFCEA Solutions Webinar Series: Clarifying CMMC
During an AFCEA Solutions Webinar on June 10, which is now available to watch on demand, Katie Arrington, chief information officer at IonQ; Stacy Bostjanick, vice president of government services strategy at Cybersec Investments; and Mike Snyder, executive director of ecosystem engagement at The Cyber AB, broke down Cybersecurity Maturity Model Certification (CMMC) to clarify its levels and importance.
The CMMC model measures the implementation of cybersecurity requirements at three levels, which Snyder outlined and defined.
According to Snyder, level one is for federal contract information; level two includes all 110 of the NIST SP 800-171 requirements, which cover controlled unclassified information (CUI); and level three encompasses all critical data, which is mostly classified information critical to the Defense Department.
The levels are cumulative, and more data is categorized as critical today, so Snyder said it’s best “to treat everything like level three.”
Arrington said all data, classified and personal, should be treated with the same security standards.
“What's the critical data tipping point? Well, if you're running a network and you have your HR system on the same network that you're bringing CUI in, you should really be thinking about your entirety,” Arrington advised. “. . . Yes, you have your federal environment. Yes, you have your CUI environment. But that shouldn't be any bit different from how you're taking care of critical information like someone's Social Security.”
Identifying CUI and critical data within a company is the first step to achieving CMMC, the panelists agreed.
To create the best system security plan, Snyder emphasized the importance of companies keeping a working document of every process and procedure within their organization so that security requirements are clear for each level and department.
If companies can already identify and locate their CUI, they won’t have to pay a CMMC third-party assessor organization as much to organize the data for them, Snyder said.
“When you talk to the assessors, the easiest ones, the ones that go the most smoothly, are the ones where the company has all their documentation together. They understand what their policies are, and they can infer that to the assessor,” Bostjanick said.
Since security is becoming a foundational component of federal procurements, Bostjanick said CMMC will ultimately help companies save time and energy. Having CMMC designation removes the extra step the government would normally take to evaluate the company’s security proposal for a contract.
Overall, Arrington stressed the importance of prioritizing cybersecurity because a breach of one company’s data could cause ripple effects. She said immediately reporting security breaches is vital to national security because the intelligence community can figure out how one piece of data connects to others within the government.
With the rise in ransomware attacks and hackers targeting personal information, Arrington warned that adversaries are desensitizing organizations to cyber threats, lowering their guard with each small disruption.
“We really need to be cognizant of the fact that the disruption—you going offline for one or two days, the fact that you failed a quality inspection on a manufacturing line one or two times and you had to go back and eat it—for them [adversaries], that's a win,” Arrington said.