SHARED INTEL: The cybersecurity sea change coming with the implementation of ‘CMMC’ – Security Boulevard

Finally, Uncle Sam is compelling companies to take cybersecurity seriously.

Related: How the Middle East paved the way to CMMC

Cybersecurity Maturity Model Certification version 2.0 could take effect as early as May 2023, mandating detailed audits of the cybersecurity practices of any company that hopes to do business with the Department of Defense.

Make no mistake, CMMC 2.0, which has been under development since 2017, represents a sea change. The DoD is going to require contractors up and down its supply chain to meet the cybersecurity best practices called out in the National Institute of Standards and Technology’s SP 800-171 framework.

I sat down with Elizabeth Jimenez, executive director of market development at NeoSystems, a Washington, D.C.-based supplier of back-office management services, to discuss the prominent role managed security services providers (MSSPs) are sure to play as CMMC 2.0 rolls out. For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Passing muster

CMMC 2.0 sets forth three levels of cybersecurity certification a company can gain in order to provide products or services to the DoD, all having to do with proving a certain set of cybersecurity controls and policies are in place.

Level 1, for instance, requires some 17 controls to protect information systems and limit access to authorized users. Meanwhile, Level 3 calls for several more tiers of protection specifically aimed at reducing the risk from Advanced Persistent Threats (APTs) in order to safeguard so-called Controlled Unclassified Information (CUI).

In addition, every DoD contractor must conduct, at the very least, an annual self-assessment. Crucially, this includes accounting for the cybersecurity posture of third-party partners. In general, contractors must be prepared to divulge details about the people, technology, facilities and external companies — just about anything that intersects with their position in the supply chain. This includes cloud suppliers and managed services providers.

“It’s a milestone, for sure,” Jimenez told me. “All these settings need to be fulfilled from a compliance perspective and internal practices need to be put into place. This is all to attest that the service provider has a robust security posture, and, in the event of an audit, could pass muster.”

Auditable reviews

To get to square one under CMMC 2.0, the contractor needs to get a couple of very basic, yet widely overlooked, things done: those that handle controlled unclassified information, or CUI, must implement a formal security management program and have an incident response plan in place.

This comes down to reviewing IT systems, identifying sensitive assets, cataloguing all security tools and policies and, last but not least, implementing a reporting framework that can be audited. This seems very basic, yet it is something many organizations in the throes of digital transformation have left in disarray.

“Having both a security program and incident response plan in place is really important,” says Jimenez. “This should include continuous monitoring to highlight that the security environment is constantly being reviewed and refreshed with data that has an audit trail available for future reference.”

Doing basic best practices just to pass an audit means doing the minimum. However, companies that view CMMC 2.0 as a kick-starter to stop procrastinating about cyber hygiene basics should reap greater benefits.

Performing auditable security reviews on a scheduled basis can provide critical insights not just to improve network security but also to smooth digital convergence.

“You can reconcile your current controls with your risk tolerance, and align your IT risk management programs with your security and business goals,” Jimenez observes.

Raising the bar

In short, CMMC 2.0 is the stick the federal government is using to hammer cybersecurity best practices into the defense department’s supply chain. In doing so, Uncle Sam should, in the long run, raise the cybersecurity bar and cause fundamental best practices to spread across companies of all sizes and in all sectors.

This is much the way we got fire alarms and ceiling sprinklers in our buildings and seat belts and air bags in our cars. In getting us to a comparable level of safety in digital systems, managed security services providers (MSSPs) seem destined to play a prominent role.

It was a natural progression for MSSPs to advance from supplying endpoint protection and email security to a full portfolio of monitoring and management services. In a dynamic operating environment, rife with active threats, it makes perfect sense to have a trusted advisor assume the burden of nurturing specialized analysts and engineers and equipping them with top-shelf tools.

Full-service MSSPs today focus on improving visibility of network assets, detecting intrusions, speeding up mitigation and efficiently patching vulnerabilities. This reduces the urgency for companies to recruit and retain in-house security teams.

Meeting the dire need

Thus, MSSPs have advanced rapidly over the past five years to fulfill a dire need, a trend that only accelerated with the onset of Covid-19. The leading MSSPs today typically maintain crack teams of in-house analysts and engineers sharply focused on understanding and mitigating emerging cyber threats.

They leverage leading-edge, cloud-centric security tools, often by partnering with best-of-breed vendors for vulnerability management, endpoint security and threat intelligence gathering. Many of these experts in the MSSP trenches helped develop NIST best practices — and continue to help refine them.

MSSPs are increasingly assuming a primary role in mid-sized enterprises for maintaining endpoint security, vulnerability patch management and even firewall management and configuration management.

NeoSystems, for its part, offers all these security services, in modular packages, with a focus on eliminating compliance hurdles for federal government contractors. It’s gaining a lot of traction with small businesses and mid-sized enterprises that can’t spare the resources to suddenly infuse security into their networks, Jimenez told me.

CMMC 2.0, coming in May 2023, puts defense contractors’ feet to the fire – and it sends a signal to all companies. “It’s the first real, definitive step from the federal government saying this has to be in place, you must have a security posture and it has to be robust,” Jimenez says. “Once it really takes hold, it will be paramount for companies to step into line and make sure that they’re ready for an audit.”

Companies could have, and should have, embraced NIST’s cybersecurity best practices a decade ago. Hopefully, CMMC 2.0 will nudge them forward in the 2020s. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at:
