CMMC: An ounce of prevention is worth a pound of cure

The world is awash in data, and the amount of data continues to grow at an astounding rate. According to some estimates, global data storage will amount to more than 200 zettabytes by 2025. When you consider that one zettabyte is the equivalent of about one trillion gigabytes, you realize the sheer volume of digital information vulnerable to cyber exploitation. By 2025, cybercrime could annually cost companies $10.5 trillion.

No industry is safe, all sectors of the economy are at risk, and all government agencies are targets of cyber theft - including the Department of Defense (DOD) and members of the nation's military-industrial-technological base, also known as the Defense Industrial Base (DIB). To address the threat cybercriminals and foreign adversaries pose to DOD data, the department recently introduced the Cybersecurity Maturity Model Certification (CMMC).

The CMMC program is designed to protect against unauthorized access to sensitive DOD information residing on the networks of the tens of thousands of companies and research institutions that comprise the DIB. Portions of the CMMC are being implemented now, but full implementation is required by September 30, 2025. Although 2025 is a few years away, companies would be wise to consider building in compliant processes now, both to prepare for the eventual requirements, but also to gain an advantage over those who wait until the last minute to develop the necessary controls.

What is the CMMC?

The CMMC program consists of 5 levels of certification. 

Each level corresponds to an incrementally enhanced cybersecurity posture. In addition to assessing a company's implementation of cybersecurity practices, CMMC also evaluates the company's maturity processes. A company is recognized as possessing a certain CMMC level only after undergoing an extensive cybersecurity audit performed by a specially trained and qualified auditor. CMMC is, at its core, a "go / no-go" assessment model. In other words, a DIB company either achieves certification by meeting every cybersecurity requirement at a specified level, or it fails certification. Beginning in Fiscal Year 2026, companies that fail certification will be prevented from bidding on DOD contracts or continue supporting current contracts. 

CMMC Maturity Levels (MLs) 1 and 2 certify that a company possesses a basic capability to secure its computer network.

At ML 3, CMMC begins assessing a company's capability of handling and protecting Controlled Unclassified Information (CUI). CUI is "information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." In addition to demonstrating adequate proficiency in performing the tasks associated with CMMC MLs 1-3, CMMC ML 4 requires the company to establish a capability of taking corrective actions in the face of a cyber intrusion event and maintaining procedures that allow it to consistently and accurately inform authorities on the operating and security statuses of the company's network. CMMC ML 5 requires all of the controls required at ML 4 proficiency, as well as a capability to protect against nation-state cyber actors and Advanced Persistent Threats.

CMMC is an excellent example of the federal government exercising its regulatory might in an area where it determines private industry is unable or unwilling to protect itself. The DOD was forced into implementing the CMMC due to the private sector's reluctance to address the problem itself. One of the pitfalls of the government working with the private sector is that the private sector has a fiduciary responsibility to the company and its shareholders, and the national security interests of the United States are sometimes subordinated in the name of protecting company interests and resources. CMMC addresses this reality by instituting across-the-board cybersecurity requirements on all DIB members, thus imposing at least a minimum level of responsibility to be good stewards of their networks and the government information entrusted to them.  

Cyber Threats are only Increasing

CMMC also represents an excellent opportunity for DIB companies to take ownership over the protection of their networks and improve the chances that the company can survive a cyberattack. 

Although the upfront costs of establishing a cybersecurity infrastructure may be expensive and the recurring costs for a company to maintain the cybersecurity infrastructure of its networks may feel like a resource-intensive burden at times, this program is a pragmatic approach to a serious and intractable problem - cybercrime and cyberespionage.  As costly as CMMC may appear, the costs to a company failing to adequately protect its network can be potentially catastrophic to the company's long-term viability.

"Defense contractors must change how we think about cybersecurity, and specifically take a more proactive approach to cyber hygiene," said Tony Good, a cybersecurity subject matter expert with Darkblade Systems (Darkblade), a leading National Security Solutions provider and one of the first organizations accredited by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) as a Candidate Certified Third-Party Accreditation Organization (C3PAO). According to Good, "none of this is easy; we must make strides to fortify our collective cybersecurity posture while simultaneously driving technical innovation and protecting national security. CMMC is the best way we can achieve these critical goals." 

Recent data concerning cybercriminals' impact on the private industry is alarming and only worsening by the day. No economic sector is immune, and all types and sizes of companies are vulnerable to online hackers. Experts estimate the global costs associated with cybercrime are increasing at a rate of 15% each year and will top $10.5 trillion by 2025. In the first 3 quarters of 2020, cyber intruders took approximately 36 billion online records, resulting in 2020 being the worst year on record in terms of data breaches. Meanwhile, in 2020, IBM estimated the average time to identify a network intrusion to be 207 days, resulting in an average repair and response cost to the victimized company of $3.86 million per incident.  

The problem has not gone unnoticed and is particularly concerning to the DOD. DOD functions through the DIB, a research and industrial complex comprised of more than 100,000 public-sector facilities, academic institutions, and private-sector companies that are responsible for conducting DOD's research and development, as well as the design, manufacture, delivery and maintenance of its weapons systems, subsystems, and components or parts. Like every other element of the U.S. economy, though, DOD recognizes the DIB has a vexing cybersecurity problem.

Recently, SpyCloud, a security company specializing in account takeover prevention, conducted a cybersecurity survey of the 27 largest US companies comprising the DIB. These companies accounted for more than $200 billion in US defense spending and represented companies belonging to the aerospace, manufacturing and technology service industries. In short, these are some of the most important components of the nation's military-industrial-technological complex. Given their size and standing, the average American would assume they would employ robust cyber capabilities and have the wherewithal to prevent most cyber intrusions from occurring in their networks. The research, however, leads to a strikingly different conclusion.

In 2020, SpyCloud reports these 27 companies suffered from 2,227 breaches resulting in nearly 5 million stolen records which amounted to the theft of 23,720,437 individual pieces of information or "assets." An "asset" was represented in the SpyCloud study as an individual email address, password, or data point equivalent to personally identifiable information, such as social security numbers, home addresses and account numbers. 

SpyCloud's findings are particularly troubling because stealing personal data and credentials, like passwords, is typically the easiest method for hackers to use to gain unauthorized entry into a network and maintain a presence in that network - oftentimes for several months before being discovered.  

Unfortunately, the SpyCloud study focused on a very small percentage of the DIB. Nation-state cyber actors thrive by finding the weakest point of the adversary's network and exploiting the vulnerability. What is missing from SpyCloud's analysis is the number of attempts the adversary may have made to gain entry into these 27 companies via the soft underbelly of the DIB - the small to medium-sized DIB members that lack cybersecurity budgets, but are working with larger companies on special projects and causes. Often, the preferred attack vector runs through small, lightly defended DIB member networks to gain a foothold into the networks of other DIB members.  

Is CMMC Certification Worth the Expense?

Depending on the level of CMMC certification, the cost of compliance will likely have an initial cost to companies of many tens of thousands of dollars to purchase equipment and prepare for the audit. Further, there will be recurring costs of maintaining the network and periodically repairing or replacing malfunctioning or obsolete equipment and software.  

These costs are real but nowhere near as costly as being victimized by a cybercriminal or a nation-state hacker. For instance, the average cost to recover from a ransomware attack grew from an average of $761,106 in 2020 to $1.85 million in 2021. 

Ransomware is becoming an increasingly prevalent form of cyberattack, but other exploits, including Distributed Denial of Service Attacks, SQL injections, phishing and spear-phishing emails, and malware, all represent significant dangers to the security of DIB computer networks and come with high costs to address.   

The costs associated with recovering from a cyberattack not only include the tangible cost of replacing damaged equipment and accounting for lost business as a result of an inability to utilize the network, but they also include intangible costs. For many companies, attacks that also result in a damaged reputation, a decreased viability to operate in the defense contracting space, and the loss of its intellectual property present an existential threat to the business. These intangible assets for a company can be the veritable lifeblood of an enterprise, and damage or destruction to these characteristics and attributes can bankrupt the business, and CMMC is one of the best proactive, defensive cybersecurity weapons available.

When viewed in these terms, the costs to obtain the CMMC certification can mean the difference between the company thriving or dying. Private industry should welcome the DOD's CMMC regulatory scheme and accept it as an invitation to shed the old 20th Century model of operating on the Internet and adopt a cyber posture that recognizes and appreciates the dangers of conducting business in the 21st-century version of the Internet. Not only will CMMC help ensure the ongoing viability of each DIB member, but it will also significantly contribute to safeguarding the nation's most sensitive information and help maintain the safety and security of our nation. 

Reprinted with permission from the October 5, 2021, issue of Security. © 2021 BNP Media. All Rights Reserved.