The CMMC Paradox

October 18, 2024

Well, it is finally here. After several years and the failed launch of CMMC 1.0, the Department of Defense (DoD) has finally formally published the Cybersecurity Maturity Model Certification (CMMC) 2.0 program guidance. In my community, the angst around CMMC has been building over the past several years, with one company after another fretting over the cost and complexity of meeting the CMMC requirements. Now that the requirements are finalized, they can move from fretting to worrying about how to meet them.

Recently, I was asked my opinion on what a Defense Industrial Base (DIB) cybersecurity assessment should look like. CMMC did not jump to mind when I was putting my response together, and this is the paradox of CMMC. Before I explain why, you should probably know a bit more about my background.

I spent 24 years in the Air Force, where my primary task was systems engineering responsible for the development of new Air Force systems. I worked together with many DIB contractors, both small and large. For four of those 24 years, I was assigned to the Defense Intelligence Agency, where I led cybersecurity threat assessments for large DoD programs (plus a bunch of other stuff). There, I got to learn how nation state threat actors engage in cyberwarfare and how they are similar to and different from common cybercriminals. So, I looked at this question with a mindset of how a moderately advanced threat actor would target a DIB company.

"The paradox of CMMC is that it is insufficient to provide adequate cybersecurity controls for any DIB company."

Why, you ask? CMMC was never designed to implement sufficient cybersecurity controls within a DIB company. That has not been and will never be its purpose. It is designed to ensure that a DIB company properly protects Controlled Unclassified Information (CUI) in accordance with NIST SP 800-171 and NIST SP 800-172.
It is about protecting the DoD information handled by the DIB company, not the DIB company itself. This isn't to say that CMMC is useless and a waste of time, certainly not. It means that to get the most out of CMMC, a company should look beyond the minimum required to meet the CMMC requirements.

Right now, the scope of the CMMC assessment is limited to those corporate systems that handle CUI and the supporting security systems that monitor those CUI-handling systems. Overall, the CMMC controls are well thought out. The quality of the implementation of these controls will vary from company to company: some companies will do the bare minimum to pass the audit, while others embrace CMMC as an opportunity to radically improve their security posture. DIB security would be much improved if the CMMC controls applied to corporate systems that handle or store critical corporate intellectual property, and to the corporate systems that are required for the company to produce its product or service.

Back to having an adversarial mindset. If I'm an adversarial nation state and I decide to conduct cyberattacks on a DoD contractor, my goals are likely to be: a) steal the intellectual property about the product/service being developed to support my countermeasures development, b) disrupt the production capabilities of the company, or c) subvert either the design or production such that the product/service has an inherent weakness that I can exploit during a time of conflict. While these goals would be easier to achieve if I had access to the CUI stored by the contractor, that access may not be necessary to successfully achieve them.

If CMMC isn't driving a sufficient level of cybersecurity, then what? Well, there is SOC 2 and ISO 27001 for starters. But again, minimum compliance doesn't necessarily translate into an implementation that is resilient to the actual threat. If you are on a DoD network, you have the much more robust Risk Management Framework to leverage.
However, I honestly don't think this is addressed through a cybersecurity compliance framework. I believe that this is addressed through leadership driving improvements across a company that are responsive to the expected threat and respectful of the cost and complexity of implementing the necessary controls. My hope is that companies will embrace CMMC as an opportunity to go beyond CUI-handling systems and, for starters, will implement those controls corporate-wide as far as practicable.

"If you are the CEO or CISO of a DIB company, treat CMMC as something more than a checkbox exercise, and conduct the necessary red teaming and threat assessments to be able to make threat-informed decisions as to how to protect your critical intellectual property and production capabilities."

To summarize, there is no such thing as perfect cybersecurity. The goal is to deter potential threat actors and, if that fails, to be able to detect and effectively respond to an attack. Part of that deterrence is having a robust security infrastructure in place, as well as having the procedures and processes in place to support an effective response. CMMC is a step towards this for those systems handling CUI, and hopefully companies will use CMMC to implement a resilient cybersecurity posture across the critical systems of the company.

By: John Allison, Sr. Director of Federal Advisory Services | Optiv + ClearShark

John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions, including DoD and FedRAMP offerings, for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies.
About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center and cloud to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances. Now part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.