Cyber Hygiene is the Key to CMMC Compliance Preparedness
By Ralph Kahn
Across all sectors, theft of intellectual property and sensitive information due to malicious cybercriminals threatens economic and national security. There are a number of initiatives aimed at simplifying and standardizing IT risk management, all with the same goal: stronger, more streamlined and more consistent cyber risk management to help keep federal systems and data secure. To achieve this, IT decision-makers must first determine what is on the network, and in order to do that, they need reliable data and improved real-time visibility.
The Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, auditing process aims to create consistent cybersecurity practices for contractors that do business with the federal government—and protect the defense supply chain from security breaches.
Defense contractors will be required to prove they have—and they are using—the mandatory cyber practices to achieve each level of cyber maturity.
Cyber Hygiene Challenges
To prepare for compliance, contractors need a formalized approach to cybersecurity, as they will be required to demonstrate their cyber hygiene to the CMMC Controlled Third Party Assessment Organization (C3PAO) accreditors.
The challenge is that many contractors don’t have full visibility into their organization’s network and security, which leaves their networks—along with DOD networks—vulnerable to attacks. They need complete, continuous threat monitoring and visibility into all assets on the network—an increasingly complex goal in the internet of things, bring-your-own-device, and work-from-home world.
As contractors work to address individual cybersecurity vulnerabilities, most have implemented a complex patchwork of point products that don’t integrate, are difficult to manage and keep patched, and can’t give the IT leadership team a full view of the threats. If contractors continue to install different point products to resolve each individual problem, they will continue to increase complexity, cost and risk. And, they won’t achieve the visibility needed to manage risk and meet CMMC requirements.
Preparing for CMMC Implementation
Contractors need the capability to track and report network security status aligned with requirements in real time. This means identifying risks and vulnerabilities as well as prioritizing them across the networks, and the ability to respond and remediate when needed. Contractors should consider a holistic approach that integrates IT operations and security. IT leaders need a platform—a single pane of glass view—to understand their environment. This platform must provide the capability to integrate endpoint management and security (i.e., gather data from all endpoints, make needed updates, and gain the ability to reduce risk in real time).
CMMC compliance can be accelerated by addressing use-cases across the CMMC’s 17 security domains and 43 capability areas ranging from basic IT hygiene to advanced persistent threat hunting. A solution that helps to achieve many of the CMMC’s targets by mapping to key capability requirements, facilitating continuous reporting, and supporting progression through the CMMC’s defined maturity tiers is essential.
Technology is constantly evolving, and so are the tactics and approaches of cybercriminals—especially given a newly distributed workforce. When you consider the added layer of BYOD, most personal devices don’t have a protective perimeter, they have the tools the device came with. If these endpoints have periodic connectivity to the agency network, cybercriminals no longer have to penetrate a multi-layered protected perimeter to get into the main server. They can use the unprotected device as an entry point into the network. Defense contractors should leverage a solution that can run discovery and asset tools in their organization’s network, so they can locate and evaluate the unknown devices discovered.
Having a single, unified platform that aligns endpoint management and security, helps contractors compile data from all endpoints. The platform should provide comprehensive threat monitoring with detailed incident analysis so that contractors can identify, isolate and mitigate threats in real-time. This helps simplify management of hybrid environments, gives contractors a better understanding of their environment, and prepares them for future CMMC audits. These steps help the defense community achieve the ultimate goal: stronger resiliency against cyber risks.
The DOD is only as strong as its weakest link—and a healthy central IT infrastructure is critical to identifying, preventing and mitigating cyber risks for every organization. Contractors must start by achieving good cyber hygiene. As they work to stand up a CMMC-compliant IT infrastructure, it’s important to ask the following questions:
- How many computers do you have on your network? And are they authorized to be there?
- What applications are installed? And are they all up to date?
- What are users doing? And is it authorized?
- How comfortable are you with your patch/vulnerability/risk posture?
- Have you recently been breached or had an outage that could have been prevented?
Reducing risk at a point in time to achieve CMMC compliance is beneficial to the security posture of both contractors and the DOD—but the real goal is to understand the environment and reduce risks continuously—protecting systems, data, and the mission.