What Does CMMC's Creation Signify? Why did the DoD Create this Certification?
Updated: Sep 14, 2022
Title: Why CMMC Adoption Is Crucial
Headline: Cyberthreats Make CMMC A Top Priority
U.S. public and private cybersecurity standards have evolved over the last couple of decades. After the attacks of September 11, 2001, there was a push for increased intelligence and innovation in defense methods. This initiative, published in the Homeland Security Act of 2002, encourages public and private partnership and calls for “mutual support to address homeland security challenges; and assisting in the development of private sector best practices to secure critical infrastructure.” Since that Act there have been a multitude of changes in how the private and public sectors work together to secure sensitive information and prevent terrorist attacks. One major and recent change in policy is the new Cybersecurity Maturity Model Certification (CMMC), which will obligate the Defense Industrial Base (DIB) to comply with cybersecurity practices in order to continue working on defense contracts. CMMC includes 5 levels of certification, all with the intent of providing consistent cyber compliance to prevent cyberattacks on the Department of Defense (DoD).
Over the years there have been evolving and newly creative cyberattacks that compromise national security. One attack currently in the headlines is the one on Colonial Pipeline, the 5,550-mile pipeline system that is the largest gasoline pipeline in the United States. The ransomware attack hit Colonial Pipeline on May 7th, 2021, forcing the company to shut down its Operational Technology (OT), which included its refined oil supply to the East Coast. This delay came with major impacts, including a spike in gasoline prices, public distress, and fear that gasoline would not be available when needed. Many gas stations throughout the East Coast were forced to shut down their pumps due to a lack of supply and public unrest. After a few days, Colonial Pipeline made the incredibly tough decision to pay the $5 million cryptocurrency ransom that the cybercriminals demanded. Although the pipelines were restored and the gas shortage lifted, the damage to public trust and to Colonial Pipeline's brand is still under scrutiny.
Attacks like the one on Colonial Pipeline are not unusual; it is reported that there are approximately 4,000 ransomware attacks on any given day. The organization thought to be behind the Colonial Pipeline ransomware attack is DarkSide, an Eastern European cybercriminal group that provides ransomware as a service (RaaS). A recent hearing with Colonial Pipeline and the Department of Homeland Security Committee sparked a new reality in the world of cyberwarfare. It is speculated that Colonial Pipeline is not a lone victim of ransomware; rather, it is suggested that it is one of the few that alerted the federal government and the public to the cyber invasion.
Another cybercriminal encounter that made major headlines was the vicious SolarWinds malware attack that occurred in 2020 and infected around 18,000 users across the private and public sectors. Organizations like Microsoft, Cisco, the Department of Homeland Security, and the Department of Energy were among those that fell victim to what appeared to be a routine software update but which carried well-hidden code allowing cybercriminals to access sensitive unclassified data and emails. Although it is not certain who the cybercriminals behind this widespread attack are, it is suspected that it is the same Russian group that interfered with various executive-level public agencies like the White House, State Department, Joint Chiefs, and the Democratic National Committee.
There is no guarantee that any one of us is immune to falling victim to a ransomware attack. A ransomware attack can affect something as simple as a personal device at home, and it can target a large enterprise across multiple devices and systems. As the creativity and complexity of cybercriminal groups grow, our current cybersecurity standards become more vulnerable. Attacks like SolarWinds and Colonial Pipeline prove that our cyber defenses are not prepared for the attacks we face, and this is one of the many reasons CMMC is an important part of national security.
Because the Department of Defense (DoD) relies on the DIB for critical services and products, it is important for those partners to be able to defend themselves against cyberthreats. Until recently, defense contractors were able to self-assess their cybersecurity posture while working on contracts handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In November 2020, contractors became required to use the NIST SP 800-171 DoD Assessment Methodology and report their findings to the Supplier Performance Risk System (SPRS).
As CMMC approaches its final stages, compliance will become mandatory for contractors that want to continue bidding on defense contracts. The level of compliance will vary, with the most basic requirements at level 1 and increasing to the most complex requirements at level 5. One common challenge that DIB contractors face is not having the resources on hand to assess, implement, and test their environments. For organizations that handle CUI, it can be a large task to learn and understand where CUI exists in their physical and cyber environments. Working with a Registered Provider Organization (RPO) gives you the opportunity to work with experts who have hands-on experience and existing relationships with the CMMC Accreditation Body (CMMC-AB).