The Department of Defense introduced CMMC in 2019 to better defend the vast attack surface that the Defense Industrial Base (DIB) presents to cybercriminals and nation-state adversaries. Citing estimates that over $500 billion is lost each year to our nation’s adversaries, CMMC aimed to improve the overall cybersecurity of the nation’s roughly 300,000 defense contractors by requiring each of them to meet one of CMMC’s five maturity levels. However, CMMC was criticized as too complex, expensive and onerous. The DoD heard its critics, and last week CMMC 2.0 was announced in its place.
CMMC 2.0 streamlines the program through several significant changes: the number of levels drops from five to three (Foundational, Advanced and Expert), the separate process-maturity requirements are dropped, annual self-assessment replaces third-party certification for Level 1 and for a subset of Level 2 programs, and Plans of Action and Milestones (POA&Ms) are permitted in limited cases. Importantly, CMMC 2.0 also underscores the importance of compliance with NIST SP 800-171: its 110 controls are exactly the requirements for the new CMMC Level 2, Advanced.
Today’s efforts to improve cybersecurity across the DIB ratcheted up in 2017, when DFARS clause 252.204-7012 required contractors that handle Controlled Unclassified Information (CUI) to implement NIST SP 800-171 by the end of that year. But in the years since, we have not stemmed the tide of data losses. In fact, losses have continued to increase.
NIST SP 800-171 is a comprehensive set of 110 security requirements, organized into 14 families covering key disciplines, that, if implemented correctly, would raise the cybersecurity posture of any company or organization. However, enforcement of NIST SP 800-171 has been tepid at best: compliance was essentially self-attested, and rarely verified. As a result, large swaths of the DIB have failed to implement many of the standard’s requirements over the past four years.
We could spend a lot of time arguing about why NIST SP 800-171 hasn’t been effectively implemented across the DIB. Instead, I want to tell you why it is more important than ever that we do implement it now, without further delay.
For a comprehensive standard like NIST SP 800-171 to realize its potential and deliver on the promise of data protection, it needs to become an integral part of how your business operates rather than a one-time IT project. We have all heard, 110 times over, that the NIST SP 800-171 approach makes the security effort larger and more complex than a point solution. It does, and that is the right way to think about it: CUI flows through the whole organization, so the scope of protection has to be the whole organization.
The standard’s 14 requirement families span people (awareness and training, personnel security), devices and systems (configuration management, system and communications protection) and oversight (audit and accountability, incident response). Implemented as a whole, every person in your organization understands their role in securing information, and every device and system is managed and monitored so that data is protected throughout its lifecycle. As a result, your compliance efforts add value instead of producing paperwork, and they help you achieve your mission of protecting CUI and other sensitive data. It takes an entire ecosystem to achieve and sustain the kind of security improvements the DIB needs now and into the future.
You also need to be aware that the DoD has stepped up enforcement of NIST SP 800-171 while we wait for the federal rulemaking process to make CMMC 2.0 the law of the land, most visibly through the DFARS 252.204-7019 and 252.204-7020 clauses, which require contractors to complete a NIST SP 800-171 self-assessment and report the score to the Supplier Performance Risk System (SPRS) before award. See PreVeil’s blog, What DIB Companies Need to do While they Wait for CMMC 2.0, for more on this.
Although it’s a cliché, it’s true that security is a never-ending pursuit. That may be inconvenient for security professionals, but our adversaries never stop working on new ways to steal information. As protectors and custodians of that information, we can never stop improving the efficacy of our security programs. This takes a concerted and focused effort across every function in your organization, coupled with effective technology, training, metrics and a commitment to continuous improvement. One last cliché, and I promise it is the last: security is everyone’s responsibility, and it needs to be central to the mission of every organization in the DIB.