USA: Is CMMC enough to protect my business? Three things to consider today
In the first two articles in the series[1][2], Alex Sharpe, Principal at Sharpe Management Consulting LLC, discussed low-cost things you can do today and what is not readily apparent until you start moving through your assessment. In this article, Alex addresses what the Cybersecurity Maturity Model Certification ('CMMC') does not cover that you will want to consider for your business.
Let's not forget - the CMMC is not a bureaucratic exercise. It is a concerted effort to improve the security posture of your business, the nation, and our allies. Making it a maturity model makes it easy for a third party to get a readily identifiable sense of your security posture, enabling them to make informed business decisions. That leaves us with a simple question: "Is CMMC sufficient to protect my business, my customers, and my business partners?"
What is not covered by CMMC that you will want to consider?
The obvious answer is whatever your business and your industry require of you. Regulators, governing bodies, and the like impose requirements. That is what they do. Publicly traded companies still need to comply with the U.S. Securities and Exchange Commission ('SEC') and the exchanges they trade on. Healthcare companies still need to comply with the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). Companies processing personal financial information still need to comply with the Gramm-Leach-Bliley Act ('GLBA'). The list goes on and on. CMMC compliance is required to be a card-carrying member of the Defense Industrial Base ('DIB').
Here are some additional items to consider to keep your customers and your partners safe while remaining a going concern[3].
1. Business continuity
For as long as I can remember, the cybersecurity community has debated if a business's ability to operate is a security concern. There have been many debates about including it in this framework or that standard. I have heard more times than I care to remember that a business not connected to the Internet is the most secure. What good is that?
Statements like that erode the perception of security professionals, forcing business owners to rely on non-security professionals to make security decisions. Every action a business owner takes is to ensure the business continues to thrive.
The best working definition I know for business continuity comes from Adaptive organizational resilience: an evolutionary perspective: "the ability [...] to withstand changes in its environment and still function."[4]
Short and sweet. Security and business professionals often wonder if they can operate if they get hit with a ransomware attack or what they will do in times of a natural disaster. Ask yourself the broader question, "how would I continue to operate if an adversary or a nation-state wanted to put me out of business?"
2. Security in the Software Development Life Cycle ('SDLC')
The CMMC touches upon this subject, but not at the same depth or breadth as the more traditional areas like network security and access control. Given the rise of exploits within custom and commercially available code, this area requires further attention. Besides, it is good security practice.
Once an adversary has penetrated your perimeter - which is far more likely in this increasingly virtual world - you do not want to make it easy for them to run amok or leap to your partners or customers. You also do not want someone injecting code during the development process to facilitate exploitation, or post-release, as we saw recently with SolarWinds.
In our ever more interconnected world, our applications are no longer behind the castle walls. In 2019:
- 83% of web traffic was API traffic[5].
- 43% of breaches were from attacks on web applications, more than double the share from 2018[6].
One of my colleagues, Kyle Lai, Founder and CEO of KLC Consulting, recommends:
"Companies are writing more automation code, infrastructure as code, using more APIs, open-source software components, and containers... Hundreds of software vulnerabilities are found daily. Software is only as secure as how you make it, test it, use it, and patch it. When you integrate effective software security testing and vulnerability remediation in your SDLC, it's like your software is protected with a two-inch thick lead shield. If you skip software security, your software may look like Swiss cheese, placing your organization at significantly higher risk."
3. Operational information
At its core, the CMMC is focused on Controlled Unclassified Information (CUI)[7]. As a general rule, CUI is associated with a defense contract. It comes into your possession because of a contract or is generated because of a contract. It may come to you directly or through somebody else, such as a prime contractor. No matter how it comes to you, it is incumbent upon you to protect it as if it were your own. By extension, derivative works also need to be protected.
CUI does not include the information required to run your business or the secret sauce that provides a sustainable competitive advantage. With few exceptions, only you and your stakeholders need it to be protected. Why? Simply put, you want to remain a going concern. Your investors want their investments protected. Your employees want to keep their jobs. So on and so on.
Have you asked yourself if you would remain in business if a competitor or foreign government got access to your employee list? Your intellectual property? Your trade secrets?
Trade secrets are especially interesting. These are items valuable to your business that are protected only by your own efforts. Trade secrets are not protected in the same way as patents, trademarks, and copyrights. Once your trade secrets are in the public domain, they are gone, and there is no way to get them back. You have very few legal remedies. Even if successful, your business may have suffered a deadly blow from which you cannot recover. There are some very famous (and valuable) examples of trade secrets: Coca-Cola's famous formula, 7X; Kentucky Fried Chicken's secret mix of 11 herbs and spices; WD-40. You can be sure these well-known companies ask themselves, "what would we do if our trade secrets were lost?"
The CMMC was developed for all of the right reasons. In the end, it will make your business stronger and the world a safer place. Having a handle on what it covers and what it doesn't will only help you make better, well-informed decisions. After all, you want to apply your energy to securing your enterprise and running your business, not to reading documents.
Alex Sharpe, Principal
Sharpe Management Consulting LLC
1. USA: CMMC as a competitive advantage and five things you can do today
2. USA: CMMC - what lies beneath
3. Wikipedia, "Going concern", https://en.wikipedia.org/wiki/Going_concern
4. Ian McCarthy, Mark Collard, Michael Johnson (2017). "Adaptive organizational resilience: an evolutionary perspective."
5. Akamai, State of the Internet / Security report
6. Verizon, Data Breach Investigations Report
7. The National Archives, "About CUI", https://www.archives.gov/cui/about