CMMC’s ‘father’ warns companies not to wait for the final rule

Many consider Robert Metzger to be the father of the Cybersecurity Maturity Model Certification (CMMC), a standard implemented by the Department of Defense to ensure that its industrial base has secured its information systems and supply chains.

Metzger owns this distinction primarily because he co-authored “Deliver Uncompromised,” a report from the nonprofit research firm MITRE that describes many of the principles behind CMMC.

He is now co-chair of the cybersecurity practice at the law firm Rogers Joseph O’Donnell and remains a consultant to MITRE.

As the opening keynote speaker at the CMMC Washington Technology Summit on November 9, Metzger set the tone for the event with a sense of urgency about CMMC and the cyber threats organizations face. The final CMMC rule is expected in March, but no one should wait to act.

Below is an edited transcript of the conversation between Metzger and GovExec360 President Troy Schneider. Washington Technology is owned by GovExec Media.

Schneider: One of the main points of Deliver Uncompromised is that self-certification isn’t enough for contractors’ cybersecurity, and CMMC has been very inspired by that. Is there anything you wish you could frame differently?

Metzger: The Deliver Uncompromised report started from a threat perspective, and it wasn’t very good. We were looking at asymmetric campaigns or mixed operations by national adversaries who combined cyber-IT attacks with cyber (OT) attacks as well as a variety of supply chain attacks.

We thought we needed something to define what we called the degree of safety of security.

And we didn’t even think about ransomware, which has become a pervasive threat and arguably represents an even greater urgency for companies.

Schneider: Are there building blocks that companies can put in place now regardless of what the final CMMC rule is?

Metzger: We start with the NIST 800-171 standard, but we need to take a risk-informed approach to the 171 controls. (There are 110 security controls described in 800-171.) It is possible for organizations to assess their risks and identify which customers are most important, and where continuity of service or protection of their information is most impactful. (Standard 800-171 is a framework of controls from the National Institute of Standards and Technology to protect sensitive information within federal contractors’ IT systems and networks.)

What controls will have the biggest impact for money now and improve security?

It’s not about getting everything done right away, although you’ll need to eventually. It’s about getting the right things done right away.

But we also have to look beyond 171 because it’s just a baseline. It appeared in 2015. We now see forms of attack that were hardly imagined at the time.

Schneider: You touched on ransomware and that NIST Standard 800-171 doesn’t fully anticipate this threat. Are you saying that the CMMC standards need to be expanded?

Metzger: 171 is not the only frame of reference but the one we have to apply. I’ve been concerned about the behavior of insurance companies because it makes it more difficult to qualify for and afford e-insurance.

There is ambiguity among the major insurers that there are 10 to 12 key items they expect to do.

In the commercial world, we see people gravitate towards a certain set of requirements and we expect them to be done in order to be a trustworthy partner for a loan, to be in a deal (merger and acquisition) or to get e-insurance.

Schneider: There are complaints that CMMC can be too difficult, too expensive, too complex for the small businesses that are part of the defense industrial base. How do you strike a balance between not creating a barrier to entry and providing the required security?

Metzger: This is a very difficult question. We know that opponents will go after the so-called low-hanging fruit and launch attacks against companies that are not well protected.

The problem is that, for small businesses, 171 can be daunting, intimidating, frustrating, confusing, and expensive.

But we can’t decide that security isn’t important to small businesses. We cannot give them a concession. But we must facilitate a way in which small businesses can achieve security economically. This takes us away from objective procedures and towards external service providers.

But we haven’t yet established a way for a smaller company to look at a managed service provider, or managed security as a service provider, or some other external supplier and say — “If I do my part and they do theirs, then I will achieve a percentage of the CMMC requirements.”

We need that.

Schneider: The final rule is expected in March. What date will you choose when we see a requirement in the contracts?

Metzger: It doesn’t really matter. The smart move is to protect yourself. Currently. Not because you have to comply but because you want your organization to stay in business.

Don’t let yourself think that it is important only the day you get a Request for Information or RFP that requires an evaluation. Be pre-secure for your employees, lenders, customers, clients and investors.

And then also your organizer.
