Perspective: What Business Leaders Need to Know About CMMC


3/3/2023


By Rachel A. McCaffrey


CMMC, or the Department of Defense’s Cybersecurity Maturity Model Certification, is the chosen accountability mechanism for widespread cybersecurity implementation in the supply chain.

Despite a rocky start and delays, it keeps moving forward. Expect accountability “soon” in the form of a third-party assessment.

Along with understanding third-party assessments, business leaders need to understand the threat and their role in mitigating the risks of sensitive defense data remaining in or passing through their organization’s systems.

First, leaders need to understand that this is not just an information technology problem. IT cannot provide full implementation of this standard for any organization.

Business leaders cannot say, “It has ‘cyber’ in the specification, so IT will take care of it.” IT alone cannot meet all CMMC requirements. Implementing CMMC is fundamentally a business requirement because the IT department’s solution depends on knowing and understanding how businesses ingest, create, store, transmit, and manage sensitive defense-related data. Without proactive leadership and cooperation from business leaders, IT will fail the CMMC implementation challenge.

The second thing every business leader should know is that, as a business problem, effective implementation is genuinely difficult. Defense Cyber Security Group CEO Vincent Scott argued, “CMMC is the toughest certification in the industry as developed by the DoD. It is the only one that requires 100 percent compliance with every regulatory objective.”

Some commentators describe CMMC as “the basics” and implementing its standards as simply “good cyber hygiene.” Some Defense Department officials report implementing CMMC in-house within 30 days, perhaps leading some to conclude that IT can meet all the requirements with a little effort.

This is misleading. Ryan Heidorn, CTO at C3 Integrated Solutions, expects that even small organizations can take 12 to 18 months from “zero” to evaluation readiness.

“Building an IT environment that supports the technical requirements of CMMC is the easy part,” he said. “We’ve found that many of our clients need a lot of help with the basics of compliance programs – everything from how to document how [controlled unclassified information] flows through the organization to developing and implementing a corporate security policy. Prior to these exercises, many organizations had never really tried to understand what risk management should look like for their business.”

Implementing CMMC requires improvements to business operations first, followed by changes to information systems to support the new way of operating. Because it spans business operations, sales, finance, human resources, and IT, a cybersecurity program built for CMMC requires senior leadership involvement so that design and implementation succeed across all of those areas and deliver the data protection the government mandates.

Some leaders may believe, based on recent reports that the third-party assessment requirement could be delayed, that they can put off the work necessary to implement CMMC. Any such delay stems from the Department of Defense’s decision to conduct additional rulemaking around CMMC, including establishing it in Title 32 of the Code of Federal Regulations, the title covering rules and regulations issued by federal agencies relating to national defense.

CMMC will not go away, but when the requirement to pass a third-party assessment first appears in contracts will be determined by when rulemaking is finalized. Completion could happen as early as this summer, but many predict it could slip to 2024 or 2025. As a reminder, the delay affects only the need for a third-party assessment for federal contracts.

What hasn’t been delayed are the Department of Defense’s cybersecurity requirements or the ongoing series of cyberattacks on companies in the U.S. defense industrial base. Since 2017, the Pentagon has mandated National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” in all contracts.

Although these requirements are contractual obligations, many companies have made little effort to implement them, because the government does not assess compliance; instead, companies self-assess. As companies begin to assess their compliance with NIST SP 800-171 more accurately, a recent CyberSheath report found that less than 30 percent of companies self-reported a score of 70 out of a possible 110. Most experts believe these statistics underestimate compliance.

And non-compliance poses a threat to our warfighters. Foreign enemies attack company systems every day, stealing intellectual property.

Many years ago, a telecom company led the world in manufacturing and selling telecom equipment. Between 2000 and 2010, it went from being the world leader in its business to being displaced by Huawei. Significant evidence suggests that the company’s failure was partly due to its lack of effective information security. You cannot find the company’s name in an internet search today.

Don’t mistake CMMC’s third-party assessment requirement for an “IT problem.” Implementing CMMC will change how the business operates in order to establish accountability. Protecting sensitive, potentially valuable business information is a business problem that requires business leadership attention and ownership.

Rachel A. McCaffrey is senior vice president of membership and chapters at the National Defense Industrial Association.


Topics: Infotech
