How to Make DoD’s CMMC Deliver Value

In January 2020, the Defense Department (DoD) released the final draft of the Cybersecurity Maturity Model Certification (CMMC). CMMC measures the maturity of a contractor’s cybersecurity processes and practices across the IT environment. The first release of CMMC focuses on protecting data that is categorized as controlled unclassified information (CUI).

DoD plans to incorporate CMMC audits into the procurement process – so there’s a lot at stake for defense contractors. But given its complexity, how can organizations make CMMC compliance manageable? To learn more, GovLoop spoke with Tieu Luu, Chief Product Officer at Qmulos, which provides solutions for monitoring cybersecurity compliance. He recommended three key principles that should guide compliance efforts.

1. Don’t see CMMC as a stand-alone challenge

Any organization that works with DoD is likely already implementing various security standards and requirements, including many defined by the National Institute of Standards and Technology (NIST).

Many agencies mandate NIST’s Cybersecurity Framework (CSF), the Risk Management Framework, the security controls defined by NIST Special Publication (SP) 800-53, and NIST SP 800-171, which identifies controls for protecting controlled unclassified information in non-government systems.

If organizations try to tackle each mandate individually, they can get buried in compliance work. Instead, they should create workflows for collecting compliance data across the board, then filter by requirements – an “assess once, report against many [frameworks]” approach.

“If you’re treating each mandate separately in a piecemeal fashion, then it’s just inefficient,” Luu said.

2. Make real-time visibility a priority

Cybersecurity is dynamic and evolving. The mix of end-users, applications and services changes in response to shifting customer requirements. The threat environment evolves as well, as new adversaries emerge and established adversaries adopt new tactics.

Because of that, compliance assessments often are out of date just days, hours or minutes after they are completed, Luu said. “To have confidence in what you’re reporting, you need to base that on real-time data that you’re collecting about your networks, devices and even your end-users,” he said.

The need for real-time intelligence is best met by building on a scalable big data platform – one that is capable of ingesting, visualizing and analyzing data from a wide range of tools, said Luu.

3. Use many tools but one platform

Many factors go into determining compliance with CMMC, depending on the level of protection required. The challenge is integrating all those factors to provide a comprehensive view of compliance.

For example, among the 17 capability domains are access controls, identification and authentication, physical protection, and system and communications-level protection. Organizations likely are using multiple tools to implement controls and track compliance across each of those areas.

To make sense of it all, they need an underlying platform such as Qmulos’ Q-Compliance that simplifies that environment: integrating the tools, normalizing the data for analysis, and aligning specific security controls with CMMC’s requirements. Automation is also essential, both for assessing compliance and for identifying and remediating potential risks, Luu said.

This article is an excerpt from GovLoop’s recent report, “Meeting the Requirements of the Supply Chain Imperative.”

Photo credit: Defense Department Flickr
