Calls for a certified baseline of cybersecurity seem to increase with every cyberattack. And the recent ransomware attack that shut down the East Coast's largest fuel pipeline, Colonial Pipeline, is no exception.
The Cybersecurity Maturity Model Certification program is one of several Defense Department efforts to improve both its own cyber defenses and those of its industry partners. CMMC has been touted as a potential standard that could expand beyond the Defense Industrial Base (DIB) to cover all government contractors. But the core CMMC program is still taking shape, and it's unclear how that will look in the future.
"You could be completely CMMC compliant and you still would have been compromised by SolarWinds," David Simpson, former chief of the Federal Communications Commission's Public Safety and Homeland Security Bureau, told FCW, echoing a sentiment that has been stressed by DOD officials. "It's onerous in a way that removes the risk piece of what was intended originally from NIST and the risk management framework, which is we should be incenting companies to apply the resources where the risk is greatest, where either the probability or the impact of a breach is greatest."
CMMC is still in its early stages. DOD is expected to put its requirements in pilot contracts later this year, and there has been substantial industry pushback on both the requirements and the means of certifying compliance. But with the urgent need for an independently verifiable way to measure an organization's cybersecurity and protect supply chains, the CMMC program offers a template to bring that to reality.