Those of us who work within the DoD community have spent many hours over the last few months discussing the Cybersecurity Maturity Model Certification (CMMC) and what it will mean for the defense community if, or when, it rolls out.
All the discussion of permutations and possibilities is leading to some confusion regarding how or when to move forward.
Let’s take a closer look at the CMMC, why it matters, and what it means for current and potential DoD vendors.
Led by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S), the purpose of the CMMC is to provide formal accreditation for any organization within the defense industrial base (DIB) that handles controlled unclassified information (CUI) or federal contract information (FCI).
Of course, adhering to security requirements is not new for DoD vendors. These organizations are already required to comply with existing government regulations (such as the NIST SP 800-171 standard, as well as other requirements under DFARS 252.204-7012). Under these provisions, individual organizations were responsible for self-assessing their own security posture, and DoD never reviewed or verified those assessments. However, DoD and its broader community now recognize that self-assessment is no longer enough to protect government data.
That’s partially due to the growing threat landscape facing federal agencies and their associated vendor communities.
The Council of Economic Advisers (CEA) released a report in 2018 that said malicious cyberattacks were responsible for $50 billion to $100 billion in losses to the U.S. economy in 2016 alone.
Katie Arrington, chief information security officer for DoD’s acquisition and sustainment office, also noted that cyber adversaries have successfully targeted DoD contractors who haven’t fully secured their networks.
It’s no wonder the DoD is taking extra precautions around the government’s ability to secure the immense quantities of data it accumulates and shares with the DIB. Whether it’s a DoD contractor, corporate partner, or academia, anyone who touches that government data needs to be responsible for its security—to some degree.
In the way that FedRAMP provides security assurances for cloud computing, CMMC accreditation will provide security assurances for government data that these DIB organizations possess within their defined security boundaries.
Despite the size of the impacted community and the amounts of data to protect, CMMC provides a straightforward approach. The DoD vendor community must meet controls around data. Many of these controls already exist under other rules and accreditations. The only difference is that the wording is specific to the DoD community and its relationship with the DIB.
At this time, the CMMC Accreditation Body is figuring out how to facilitate reciprocity between other accreditation programs. In fact, to help provide clarity, they are developing a matrix to map the controls among different accreditations. It is in review now and should be published in the next few months.
If security rules and accreditation exist, why add another one? It all comes down to the protection of the government's data in applicable scenarios.
Since the days of the original ARPANET, the DoD has been developing better ways to share sensitive government data with the DIB. Yet there has never been any kind of body overseeing how these partners secure that data on the government's behalf.
Of course, it is in each contractor’s own best interest to protect the data or risk losing current (and any future) contracts. The same applies to reporting any data or security breaches. However, DoD vendors are not currently required to prove their security at the outset to win a contract.
Due to the complexities of government contracting and acquisition, not all companies in the United States compete for these contracts on an equal footing. That could lead to accepting additional risk on contracts where it should not be acceptable. CMMC addresses that.
None of the above answers the big question: “How do we proceed today?”
One answer is to look for a partner that has proven to be 100-percent compliant—a partner such as Zscaler.
Zscaler has achieved all major government and commercial certifications, authorizations, and reporting requirements, including FedRAMP (Moderate and High), ISO 27001, SOC 2, FIPS 140-2, CSA-STAR, ISO 27018, ISO 27701, CJIS, and more. With the support of our independent assessors, Schellman and Company, LLC, we have no doubt that we will achieve certification when CMMC is codified. And if, as sometimes happens with government initiatives, CMMC morphs into something different, we will garner that accreditation as well.
Zscaler products provide a security layer on top of an organization's network environment and its associated risks. If your company is working on behalf of the government and you're concerned about how you will contractually meet your obligation to secure the government's data, both while you are accessing it and by preventing unauthorized access to it, then Zscaler is the partner you're looking for.
At the same time, we can secure your own environment. Because we are the security partner in the greater information assurance ecosystem, we can secure your corporate environment with the same capability we use to secure the government data you have access to.
That means you're not bound to build one network security stack for the government and then another, slightly looser one for your user base. Rather, by partnering with a global leader in zero trust and SASE, your organization can transform its security architecture into a Zero Trust Exchange overlay that covers all aspects of its IT environment.
We offer, and always will offer, a natural transformational shift in how you manage transport and network security. We fit that roadmap regardless of what the policy may be called, because our core competency is delivering world-class security globally while improving the user experience.
Everyone involved with government data needs to be held accountable for managing that data. CMMC acknowledges that the industry cannot self-assess anymore. We've had too much intellectual property leaked and too much sensitive unclassified information exposed due to a lack of good cyber hygiene.
CMMC will help fix that.
One caution, though. As Katie Arrington has pointed out numerous times, many companies claim to offer accreditation, guidance, and even “pre-certified” vendor solutions. That is not the case.
The best advice for a DoD vendor is to turn to the official source for information and work with a partner who has a proven track record of achieving government accreditation.