Today in news that should surprise nobody: a new analysis of defense contractors finds that many are still struggling to understand their current cybersecurity posture, and to implement the controls that will keep the firms in compliance with the U.S. government’s heightened cybersecurity expectations.
The report comes from CyberSaint, which sells software to help businesses automate their cybersecurity and IT governance practices. CyberSaint pulled together data from more than 250 anonymized risk assessments benchmarking defense contractors’ current cybersecurity systems against the NIST 800-171 standard. That standard is the foundation for the Defense Department’s new cybersecurity compliance requirement, the Cybersecurity Maturity Model Certification (CMMC).
The Defense Department is phasing CMMC compliance into effect over the next five years. Only the largest defense contractors are subject to CMMC this year, but the plan is to extend compliance to all businesses in the defense industrial base — some 300,000+ firms — by 2026. Compliance will include implementing tough new cybersecurity controls and having those controls audited by an independent third party, so it won’t necessarily be an easy ride.
The CyberSaint report today suggests that those bumps are already happening. The company looked at those anonymized assessments and then scored the group’s “average” compliance with NIST 800-171 on a scale of 0 to 100. Some of the weak spots included…
- Configuration management, where the group scored 65. That suggests companies struggle with defining baseline configurations for their software, hardware, and firmware — and if you don’t understand what your IT infrastructure even looks like, good luck trying to assess and fix vulnerabilities that might exist.
- Governance capabilities, with an average score of 64. Governance capabilities include establishing a cybersecurity policy for the whole enterprise, designating employees with defined cybersecurity roles, and managing all the legal and regulatory requirements you have.
- Risk management strategy, with a score of 64. That suggests that companies are struggling to identify and rank the risks that they have, especially against whatever risk tolerance levels were defined by the board. Without that executive clarity, the default will be to slip into the bad habit of going through known cybersecurity risks as more of a check-the-box exercise.
- IT asset identification. CyberSaint used a different scoring formula here, where the score was 1.35 on a scale of 1 to 3. Trouble on this front shouldn’t be a surprise, considering the proliferation of employees using personal devices on corporate networks and of companies using cloud-based tech vendors. Still, this leaves companies exposed to the same threat we mentioned above: if you can’t even identify everything in your IT landscape, good luck securing it.
Now, obviously these weak spots align nicely with the products and services that CyberSaint sells; the company has a commercial interest in conveying this message of alarm. That doesn’t mean the message itself is wrong. Cybersecurity is difficult these days, and compliance with the CMMC standard will be difficult for plenty of defense industry firms about to be swept into its orbit.
Building a Cybersecurity Response
The CyberSaint report is worth a read for CISOs, auditors, and risk managers because it does illuminate how various control families with CMMC should fit together. Then you can approach your own cybersecurity program with a better understanding of which remediation tasks might be more important to undertake first.
For example, configuration management is critical to effective cybersecurity. Controls in that family govern tasks like who can authorize changes to the IT system, who can install new software, and when software patches should be implemented. (Bad patch management is a particular sore spot, since it can lead to all manner of security threats. It even turned up in an SEC enforcement action announced just last week.)
But you can’t have good configuration management if you don’t understand the IT assets that exist on your network. So an even more important need is the ability to identify devices and applications running on your network.
We should also talk about that governance finding, since successful governance involves documentation. Defense firms will need to document all those roles, responsibilities, policies, and risk processes accordingly.
This is important because to achieve CMMC compliance, you’ll need to pass an external audit — and the auditor is going to ask for that documentation. I’m not worried about the Tier 1 defense contractors wading through this documentation exercise ahead of a CMMC audit, but I do fear for the huge number of smaller sub-contractors in the defense industrial base. They’ll need to provide documentation too, and I wonder how many of them have sufficient resources to get that work done.
Anyway, CMMC compliance is coming for a large portion of the U.S. business sector. It will be a significant undertaking that involves multiple parts of your enterprise. If you want a better sense of how significant that undertaking might be, give the CyberSaint report a read.
Then let me know your thoughts about CMMC challenges at [email protected].