How to shift CMMC for the future

While the goal of Cybersecurity Maturity Model Certification is to establish a unified standard for cybersecurity practices across the DOD, it does not directly address specific control expectations or risks associated with organization-specific threat actors.

As the security of IT systems and intellectual property moves closer to the center of American economic strategy, it deserves more investment and better defense. While critics from the legacy defense industrial base (DIB) have questioned the value of the Department of Defense's Cybersecurity Maturity Model Certification (CMMC), it enables three key strategies: collecting actionable metrics and enabling risk scoring; balancing prevention and response capabilities and investments; and augmenting dedicated funds with cyber insurance and risk transfer via public-private partnerships and capital pooling.

Actionable metrics and risk scoring are needed to complement maturity-based benchmarking efforts. While the goal of CMMC is to establish a unified standard for cybersecurity practices across the DOD, it does not directly address specific control expectations or risks associated with organization-specific threat actors.

While contractors remain responsible for their security programs and practices, CMMC requires third-party assessments of contractors' compliance with the program's mandatory procedures based on vendors' maturity levels. These levels or tiers are statically defined and do not link to risk modeling. CMMC maturity data would be much more useful if data breach and incursion reporting requirements were strengthened and additional operational data were used to enrich understanding of which types of exposures, threat actors, and breach events are linked.

If the public is ultimately expected to foot the bill for companies' compliance and the more expensive and onerous third-party assessor process, CMMC should include the breach and exposure data sets ultimately required to judge program efficacy in real terms.

Without breach and exposure data sets, learning will remain localized and collective improvements will be harder to come by and more opaque. Further, those who refuse to produce consistent, objective, and sufficient data to the DOD and Congress should be publicly named. Disclosure is a necessary step towards accountability. Our interdependence across the DIB and the integrated supply chain is far too strong to fail to enforce standards here.

The second way to improve CMMC is to help organizations attain a balance between prevention and response capabilities. Investing in a response system that extends across multiple supply chain entry points would increase resilience and help protect the public and private sectors' shared intellectual property and their common interest in innovation and security. In designing for more resilience and investing in preparedness, contractors must understand their relative level of exposure to common mode failures. If better incident disclosure requirements were enforced, then tracking measures like mean-time-to-respond (MTTR) and mean-time-between-failures (MTBF) for incidents over a certain severity threshold would be a good start. As we've just seen with global health, properly investing in prevention can preclude the spread of a crippling outbreak that can damage systems and whole economies.
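To make the metric suggestion above concrete, here is an added example (not code from the article or from any CMMC program material) that computes MTTR and MTBF over a set of incident records, counting only incidents at or above a severity threshold. It assumes a 1 to 5 severity scale and uses constructed incident records; MTBF is taken here as the mean operating time between the closure of one qualifying incident and the detection of the next, which is one of several conventions in use.

```python
"""MTTR / MTBF over incidents at or above a severity threshold (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: int          # assumed scale: 1 (low) .. 5 (critical)
    detected_at: datetime  # when the incident was detected / declared
    resolved_at: datetime  # when the incident was closed


def _qualifying(incidents: Iterable[Incident], min_severity: int) -> List[Incident]:
    """Incidents at or above the threshold, ordered by detection time."""
    return sorted(
        (i for i in incidents if i.severity >= min_severity),
        key=lambda i: i.detected_at,
    )


def mttr_hours(incidents: Iterable[Incident], min_severity: int) -> Optional[float]:
    """Mean time from detection to resolution, in hours; None if nothing qualifies."""
    qualifying = _qualifying(incidents, min_severity)
    if not qualifying:
        return None
    total = sum((i.resolved_at - i.detected_at for i in qualifying), timedelta())
    return total.total_seconds() / 3600 / len(qualifying)


def mtbf_hours(incidents: Iterable[Incident], min_severity: int) -> Optional[float]:
    """Mean operating time between consecutive qualifying incidents, in hours.

    Needs at least two qualifying incidents. Overlapping incidents (the next one
    detected before the previous one is resolved) contribute zero uptime.
    """
    qualifying = _qualifying(incidents, min_severity)
    if len(qualifying) < 2:
        return None
    gaps = [
        max(timedelta(), nxt.detected_at - prev.resolved_at)
        for prev, nxt in zip(qualifying, qualifying[1:])
    ]
    return sum(gaps, timedelta()).total_seconds() / 3600 / len(gaps)


def metrics_for(incidents: Iterable[Incident], min_severity: int) -> dict:
    """Summary a program office could track per contractor and threshold."""
    records = list(incidents)
    return {
        "min_severity": min_severity,
        "count": len(_qualifying(records, min_severity)),
        "mttr_hours": mttr_hours(records, min_severity),
        "mtbf_hours": mtbf_hours(records, min_severity),
    }


# Constructed sample records; not real incident data.
SAMPLE_INCIDENTS = [
    Incident("INC-1", 4, datetime(2024, 1, 1, 0, 0), datetime(2024, 1, 1, 6, 0)),
    Incident("INC-2", 2, datetime(2024, 1, 2, 0, 0), datetime(2024, 1, 2, 1, 0)),
    Incident("INC-3", 5, datetime(2024, 1, 5, 6, 0), datetime(2024, 1, 5, 18, 0)),
    Incident("INC-4", 3, datetime(2024, 1, 10, 18, 0), datetime(2024, 1, 11, 0, 0)),
]

if __name__ == "__main__":
    for threshold in (1, 3, 5):
        print(metrics_for(SAMPLE_INCIDENTS, threshold))
```

Raising the threshold changes both numbers: at severity 3 and above the sample yields an MTTR of 8 hours and an MTBF of 108 hours, while at severity 5 only one incident qualifies and MTBF is undefined. A reporting requirement would need to fix the severity scale and the MTBF convention so that figures from different contractors are comparable.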

Finally, CMMC participants attaining higher certification levels should be able to access some pool of dedicated funds designed as a stop loss to make cyber insurance and risk finance efforts more cost-effective and improve coverage. Improving consistency and overall maturity of defense industrial base cybersecurity programs via CMMC is a good and fundamental first step, but ultimately private firms react to financial incentives.

CMMC could be made more powerful by providing caps on liability for firms that meet and exceed higher CMMC readiness levels. Let's be clear that the CMMC standard as written is not yet appropriate for this -- but a future version may be appropriately extended and linked to quantitative measures of security. The government will ultimately bear part of the financial risks associated with cyber, especially in the defense industrial base, but managing those risks and transferring them correctly is best left to the insurance industry. There are recent precedents for government intervention in cases where private balance sheets are insufficient: first, the Terrorism Risk Insurance Act (TRIA), passed in the wake of the 9/11 attacks; second, the Pandemic Risk Insurance Act (PRIA), proposed as part of the broader response to COVID-19.

In the first case, the pricing and availability of terrorism insurance in the aftermath of the attacks became both chaotic and expensive, leaving the federal government as an insurer of last resort. The TRIA created a government reinsurance facility to provide insurance companies with reinsurance coverage following a declared terrorism event. This helped the insurance markets recover after 9/11 and gave them space to create correctly priced risk insurance. In the second case, the seismic impact of COVID-19 on businesses worldwide has once again made the government the insurer of last resort. The draft legislation would allow for the purchase of both TRIA and PRIA at an enhanced premium. It is easy to imagine that this should be the future trajectory of CMMC, given the rising risk that cyber incidents pose to contractors and the government, and the rate at which the world continues to become both more interconnected and interdependent. The inevitable associated complexity that comes with such a program should not be ignored or avoided but rather actively embraced, priced, and managed via appropriate collaboration between public and private entities.

CMMC's time has come. The current steps forward can provide incremental pressure to aid in compliance-driven modernization of the DIB, which remains far behind sectors such as financial services, where regulatory oversight has had an overall positive effect on readiness. Instead of viewing CMMC from the perspective of defense contractors and the special interest groups that surround the sector, we should focus on emulating effective, innovative strategies from other sectors of the American economy -- preparing the DOD and the broader federal government for the future is too important to ignore our broader societal learnings: a future powered by data, with a deep and determined demand for data sharing in the interest of our collective defense and readiness efforts. Let's make sure it pays to be a part of the solution, and let's ensure that an economically driven approach to CMMC is the ultimate end state.
