For Defense Industrial Base (DIB) companies, it has been a long 3 years in cybersecurity. In 2020 the DoD published the interim-final Cybersecurity Maturity Model Certification (CMMC) 1.0 rule and standards.
The three years that followed this announcement have included a series of very significant changes (... and yes, I can hear the collective cry from the cyber professionals, “but the underlying NIST 800-171 security requirements have not changed!”). My point is that how the standard will be assessed, not to mention when it will be assessed, has changed enormously. These changes directly impact the amount and tempo of work DIB companies have to perform to become compliant…so in a practical sense, there really has been a lot of change.
This pace of change is ramping up, and we have a lot more to come in 2024 with the finalization of the new NIST 800-171 Revision 3, and possibly the CMMC 2.1 rule. What is a DIB company to do?
Be better, not perfect.
Most compliance approaches have focused on perfection, but for many companies, perfection is not an achievable goal just now. The costs, especially in the face of uncertainty surrounding what will really be the final standard, are just too high. Given this, many have chosen to throw their hands up
and say, “Let me know when the DoD figures out what they really want.” However, this is not the wise strategic approach for any company. This is because all the pragmatic reasons the DoD has for pushing cyber compliance (extreme risks, stolen intellectual property, nation-state conflict, current and future wars…) are valid, and represent high risk for companies. The majority of the DoD requirements contained in 171 are really good things to reduce your cyber risk. Not all, but a lot.
This brings us to the “be better, not perfect” strategy.
Be better next month, next quarter and most certainly next year. Do not “just-forget-about-it” until the specter of extreme accountability shows up at the door.
Start with realistically knowing where you are at today. That means eliminating wishful thinking that all is well, and that if you ignore things for long enough, then they will all just work themselves out. Really not happening. This also requires you to work to truly understand what the requirements are. They are neither easy nor straightforward in many cases. To start with, this is because they are written in “NIST speak,” a highly technical means of communicating the standards that can require a great deal of time and expertise to translate.
Once you’ve worked to grow your understanding of your cyber enterprise and the CMMC standard, it’s best to identify your organization’s low hanging fruit. Standard stuff. What can we correct now for little to no cost? Ok. Make a plan and do it. Then move on to the harder things. Put these requirements into your
strategic business decisions. “Do we go with that company for the new proposal system? Well if those proposals have CUI, then that system had better be FedRAMP.” Be better, not perfect. Close the gap with the standard. Move in the right direction.
If we all took this approach, it would almost begin to sound like a real maturity model.