When the Department of Defense (DOD) and its governmental partners announced the Cybersecurity Maturity Model Certificate (CMMC) standard in 2019, and published its first overview in January, 2020, organizations that did or wanted to do business with the DOD scrambled to figure out what it meant for them.
Now that this framework has had a chance to settle in, companies are beginning to put their action plans into place, and are thinking about how to step up their response maturity levels from Level 1, which is “Basic Cyber Hygiene,” to level 5, which is called “Advanced/Progressive.”
While the basic steps to get started were covered in a previous blog post, we also wanted to focus on organizations that have determined they need access to, or will generate, Controlled Unclassified Information (CUI), which requires a level 3 “Good Cyber Hygiene” certification.
To find out how to put a roadmap to level 3 in place, we talked with Mona Ghadiri, Senior Product Manager at Trustwave.
Q. Please give us a brief overview of what CMMC is and how it’s impacted organizations.
Mona: The CMMC program came out of another government program called DFARS, which is part of a regulation for NIST called 800.171, and they are all focused on cybersecurity maturity frameworks and implementation. The goal is to ensure your perimeter, your endpoints, your cloud and your network configurations are all documented and that there are incident response procedures, there is continual monitoring, and ideally there is proactive threat hunting.
Q. What should organizations know about the different levels of certification?
Mona: Anyone who has the government as a customer has to abide by these programs, or else they will have trouble responding to RFP’s. So, don’t just think about the documentation for phase 1 that gets you the bare minimum, because your competitors will view this as a competitive advantage. You should be aiming for at least level 3. And it’s important for organizations to know that this requires an upfront investment but, because the government wants us protected, it will provide funding in the awards to cover those investments.
Q. Focusing on level 3 and higher, what advice do you have for organizations that are ready to put an action plan in place?
Mona: At this level you would be talking about Security Operations Center (SOC) and SOC monitoring, so it’s important to realize that they are not all the same. For customers who are out there shopping, simply going for the cheapest option might not get them the support they need in building the necessary program and running the needed incident response plan.
Think about the overall integrity of what you need to execute. Don’t just look to check boxes – because it might come back to bite you. If you buy a SOC service, and it doesn’t have 24/7 monitoring, rethink your choice. Sharing the burden in off hours or weekends between different teams introduces a lot of complexity, and you could be introducing a single point of failure or hand-off issue between your security spheres. A comprehensive 24/7/365 service with integrated threat detection and response can provide a quicker route to coverage than trying to outsource the people doing the work.
Q. How can organizations turn CMMC into a competitive advantage?
Mona: The government will be using these standards to separate the wheat from the chaff. Folks notice who are meeting the most stringent requirements—who’s putting the most skin in the game are those demonstrating that they are partners in helping solve threats against national security.
Implementing services like SOC aren’t an overnight process. The first RFPS to include these requirements will begin in November 2020, and you’ll only have 3-6 months after a contract is awarded to get your services set up. Just remember that there’s a longer lead time than you might expect, so the folks that are planning properly for implementation right now will probably reap the biggest rewards.
Q. What kind of services could make the process easier—and possibly more cost-effective?
Mona: From a cost-effective point-of-view regarding SOC monitoring, what really matters is what sources are being ingested, and whether you have tools that can provide the actionable alerts. That’s how you get the highest value for your budget.
With my clients, I advise them to focus more on endpoint detection and response and security incident event management (SIEM) tools, because those are going to give you much better and more actionable intelligence.
One way to think of approaching a low-cost threat detection response program that meets the requirements of CMMC would be to focus on collecting end point, network and cloud logs, but only the logs that are security relevant. Then focus on what to do with the information, once it’s collected. Automation can help reduce detect to response time, but there’s a fine line between too much automation and not enough. When you hear people talk about fully automated threat detection… slowly back out of the room. You can’t get away with automated threat detection and still be CMMC compliant.
Find out how Managed Threat Detection and Response services from Trustwave can help your business on their CMMC journey.
