CMMC requirements open door to modernize security

New DOD mandates for the defense industrial base create an opportunity to refresh security strategies and mitigate supply chain vulnerabilities.

Andy Stewart is a Senior Federal Strategist at Cisco and advises federal partners on strategies for implementing innovative cybersecurity and AI/ML solutions.

At the end of 2020, the Department of Defense finalized security requirements that the defense industrial base (DIB) must meet as part of contractual obligations to handle controlled unclassified information with defense agencies.


The trust-but-verify model, known as Cybersecurity Maturity Model Certification (CMMC), assesses contractors on a five-level scale of cybersecurity maturity — a major change from the DIB’s prior cybersecurity requirements, under which companies could self-attest their compliance.

This couldn’t come at a more critical time. The aftermath of the SolarWinds hack is a sharp reminder of the importance of securing supply chains against cybersecurity vulnerabilities. The DIB has long been targeted by malicious cyber-actors, and supply chain vulnerabilities are particularly large in a community of roughly 300,000 organizations that support the warfighter and contribute to DOD systems.

Leaders at these organizations cannot afford to view cybersecurity as an area for just the IT department to focus on. Rather, to stay ahead of threats, these organizations need to commit to well-established cybersecurity practices as a core strategy across all lines of business — and implement them from the top down.

Better protect the government’s information

CMMC constitutes an important, practical checkpoint for every organization wanting to do business with the Defense Department. It is a prescriptive, standards-based approach that requires organizations to be assessed and certified by an accredited C3PAO assessor organization. The goal is not just to ensure the security of individual suppliers, but to drive broader change across the DIB community to safeguard the security of technology and information that supports military operations.

Security threats are growing in size and complexity, and organizations are not going to be able to buy their way out of security challenges: they cannot hire enough cybersecurity professionals or purchase every vendor solution on the market to keep pace with the growing number of threats.

At the end of the day, CMMC is about delivering trust throughout the greater supply chain security landscape — by ensuring products are trustworthy. It extends trust down to the device and software. And it gives organizations the means to verify that their products are free of counterfeit parts or that the software running on them hasn’t been corrupted.

Using a platform-based approach to security can give organizations deep visibility into their enterprise and enable them to implement the required security controls and processes. This approach embeds tools into the enterprise network, at scale, that are designed to work together to support the streamlined implementation of CMMC capabilities and processes.

A security partner to ensure compliance and greater visibility

Organizations can sometimes fall into the trap of meeting compliance guidelines without getting the full benefit of their security tools. Therefore, as leaders look to meet CMMC requirements, it’s important to understand that it’s not just about securing technology, but rather how the technology supports and enables the implementation of mature processes.

Cisco recently partnered with the Cyentia Institute to conduct a study which surveyed nearly 5,000 IT, security and privacy leaders from across 25 countries to gain a clearer picture about where organizations are in their security journey.

The study examined what organizations are doing to meet security objectives, drawing on security standards such as the NIST Cybersecurity Framework. According to the results, organizations wanting to maximize the overall success of their security programs ideally start with a modern, well-integrated technology stack.

The survey looked at 275 possible combinations of security practices and their resulting outcomes — 45 percent showed a significant correlation. In all, the results indicated seven practices that best contribute to key security outcomes: a proactive technology refresh, well-integrated technology, timely incident response, prompt disaster recovery, accurate threat detection, program performance metrics and the use of effective automation.

As the industry leader in zero trust, and from the breadth and depth of customers we serve, Cisco is uniquely positioned to help organizations excel in these practices, and implement an open, standards-based platform to achieve visibility and security controls that can meet or exceed CMMC requirements.

We work rigorously with leading technology partners to help ensure and attest to the security of products throughout the supply chain. And because our products are so prevalent throughout the DOD and global infrastructure, we implement very rigorous value chain security on our products to ensure that they are genuine. That’s why we are in the number one position on Gartner’s Supply Chain top 25 for 2020.

Add that to how our solutions work together — providing an open, standards-based platform that easily integrates with existing capabilities in a corporate enterprise — and you get an unequaled approach to providing products with embedded trustworthy technologies that help ensure security throughout the entire supply chain.

Mitigating cyber risk proactively

The study also makes it clear that in addition to gaining greater visibility of the supply chain, enterprises must also devote constant attention to detecting and remediating threats as they’re happening.

Cisco understands the threat environment better than anybody. We contribute to that by sharing threat information with the entire community, via Cisco Talos — our threat intelligence and vulnerability research organization at the center of our security portfolio.

Because the Cisco Security system covers email, networks, endpoints and everything in between, Cisco Talos provides more visibility than any other security vendor in the world. Cisco Talos understands the threat landscape — providing powerful intelligence to the DIB.

Meeting the requirements laid out under CMMC may prove challenging for many organizations in the DIB. Taking advantage of Cisco’s unique expertise, however, can not only reduce those challenges but also help underpin the security of the whole supply chain.

Learn more about how Cisco is helping the defense industrial base meet DOD security requirements.
