
USA: Would CMMC have prevented SolarWinds?

Spoiler alert - "No." At least not as written, and, maybe more importantly, it is not a fair question. Digital supply chain attacks are highly sophisticated and require an investment of time and money. They require patience, finesse, and dedication. Lots of tradecraft. So why? Because the rewards for the adversary can be enormous. In this article, Alex Sharpe, Principal at Sharpe Management Consulting LLC, looks at the SolarWinds attack in light of a series of articles Sharpe has been writing on the Cybersecurity Maturity Model Certification ('CMMC')[1].


Compromising an enterprise through monitoring software was first demonstrated in the 90s. With the increased dependence of modern enterprises on IT, attacks on the digital supply chain are more likely and justify the investment.

If I were your Chief Information Security Officer ('CISO'), I would be investing in Third-Party Risk Management ('TPRM'). There are cybersecurity grassroots efforts you can leverage and lots of non-cyber efforts in this area. Cyber needs to be on the train.

In a future article, we will discuss why individual companies, sectors, and governments cannot go it alone. Public / private partnerships are necessary, along with increased collaboration across sectors and geographies.

The CMMC is a significant leap forward securing the Defense Industrial Base ('DIB'). It is also long overdue. The U.S. Department of Defense ('DoD') and CMMC Accreditation Body ('AB') have done a tremendous job developing a comprehensive program that will go a long way towards improving our country's security posture and keep us competitive on the global stage. For now, it is only for defense contractors. I would not be surprised (actually excited) to see it rolled out across the entire Federal Government and adopted by our allies.

Let's face it. It is unreasonable to believe anything as sweeping as CMMC could be perfect the first time. Also, the missing items are tricky and will take a while to shake out. History shows us that waiting for perfection more often than not slows down adoption and would place the DIB at greater risk. Let's not forget we are dealing with Version 1.x. There is lots of room to grow and evolve.

The SolarWinds attack

It is important to remember the sophistication and tenacity of the actors. SolarWinds was a multi-year effort requiring lots of homework and professionalism. The official timeline shows the attacker undertook a discovery phase of unknown duration followed by about two months of testing and a trial run. The exploit went undetected for about 9 months[2]. Along the way, the attacker covered their tracks. Very sophisticated.

What is not usually discussed:

  • January 2021: Malwarebytes reported a similar penetration[3], about a month after FireEye detected the SolarWinds hack.
  • June 2018: SolarWinds is commended for its dedication to GDPR compliance: "What’s impressive is that SolarWinds has looked at every product and implemented processes and procedures designed to meet the obligations outlined in GDPR."[4]
  • 2015: SolarWinds security issues are made public[5].

In the end, the digital supply chain was penetrated prior to distribution. The digital supply chain did its thing - delivering the payload to 38,000 organizations and infecting about 18,000 of them globally, including the private and public sectors. About 30% of the affected organizations did not use SolarWinds. Truly impressive.

The attackers placed the payload in a network monitoring product that nobody gives a second thought. It is akin to having your couch coming alive and eating the family while watching television.

Where does CMMC fit?

CMMC is very much akin to other Governance, Risk and Compliance ('GRC') frameworks and Enterprise Risk Management ('ERM') practices. In those terms, we would say the protective and detective controls failed[6]. Keep in mind FireEye detected the penetration while investigating the loss of some Intellectual Property ('IP'). At best, it was detected indirectly.

Let's presume we are talking about an organization with Controlled Unclassified Information ('CUI')[7] complying with at least Maturity Level Three ('ML3'). CMMC is required where CUI and Federal Contract Information ('FCI') are stored, processed, or transmitted. We are talking about a penetration from network monitoring software. It is not hard to paint a scenario where the affected systems were deemed out of scope of CMMC.

Let's not lose sight of the fact that SolarWinds is a tactic in service of a strategy. An attacker only needs to find a single way into your enterprise. The defender needs to be forever vigilant and relentless. This is why we have multiple layers of defense. It is why we also put detective measures in place and why we plan to respond to incidents. Multiple lines of defense along with detection are always the best.

There has been a fair amount of chatter about malware and malware detection regarding SolarWinds. Keep in mind the malicious code was injected into the source code prior to distribution. Once in the enterprise, it exploited known features and weaknesses of products commonly found in a modern enterprise. Not the kind of behavior most (any?) malware packages are designed to detect. Malwarebytes itself reported being penetrated in January 2021.

Detecting suspicious behavior remains one of the holy grails of cybersecurity. Research and forays into this area continue. Advances in artificial intelligence and data analytics make it feel close.

Concerns over SolarWinds internal security practices were in the news five years before anyone detected the penetration. Did that provide the attackers with the idea?

CMMC does touch upon TPRM. Given the forever expanding virtual world and remote workforce, we will only see increased adoption of the Cloud, SaaS, PaaS, IaaS, Commercial-Off-The-Shelf ('COTS'), and the like. TPRM is more than just cybersecurity. It is an enterprise need. It is a business imperative. As global citizens, we are best served to have cybersecurity baked into every business activity. Coincidentally, there are between 90 and 100 risks a business must manage. Cybersecurity is the only risk that crosses all of the rest.

CMMC as written does not place requirements on the Software Development Life Cycle ('SDLC') of COTS products.

The old adage of 'being only as strong as your weakest link' is even more true in a virtual world. As third parties grow in significance and importance, they become a highly lucrative target. I would not be surprised if more attacks on third parties make the news.

CMMC does touch upon these areas. I suspect they will be further developed over time.

  • Third-Party (Risk Management): RE.3.139, RM.3.144, RM.3.147, RM.4.148, RM.4.151
  • Cloud: MA.2.111, CM.2.064, SA.4.173, AC.1.003
  • Defense (asset): RM.2.141, AM.3.036, AM.4.226, CM.2.061, CM.2.064, SC.3.180, SI.1.213[8]

Closing remarks

The CMMC is for all of the right reasons. In the end, it will make your business stronger and the world a safer place. Having a handle on what it covers and what it doesn't will only help you make better, well-informed decisions. After all, you want to apply your energy to securing your enterprise and running your business, not reading documents.

Alex Sharpe, Principal
[email protected]
Sharpe Management Consulting LLC


1. USA: CMMC as competitive advantage and five things you can do today; USA: CMMC - what lies beneath; USA: Is CMMC enough to protect my business? Three things to consider today
2. https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
3. https://www.zdnet.com/article/malwarebytes-said-it-was-hacked-by-the-same-group-who-breached-solarwinds/
4. https://www.solarwinds.com/general-data-protection-regulation-core-it
5. https://www.washingtonpost.com/technology/2020/12/15/solarwinds-russia-breach-stock-trades/
6. https://en.wikipedia.org/wiki/Security_controls
7. https://www.archives.gov/cui
8. Thank you to my friends at CMMC-Solutions for their help in pulling this together.