Comments (4)
Cybersecurity and physical security are two of the many important policies and processes that a business must have. A DIB company, especially a small business, can literally go bankrupt trying to maintain the required certifications, processes, enterprise systems, and software needed to weave through all of the Department of Defense and Code of Federal Regulations (CFR) rules. CMMC is just another one of those tasks placed on industry. Certification is not a process that keeps data safe; it is a combination of training, education, and government contract team oversight that gets the job done. The other key factor that must occur is the prosecution of cyber criminals. It is treason and an act of war, in my opinion, to attack our infrastructure, steal our data, and destroy our systems for any reason. It is time our three-letter agencies go after all cybercriminal thugs and seek prosecution to the fullest extent of the law (change the law to get tougher). DIB companies have the responsibility to maintain good, healthy cybersecurity and physical security, but they should not be burdened with costly processes that, like most certifications, do not fix anything. My opinion and my opinion only...
Chuck Petty at 3:52 PM
CMMC is being propelled by certifiers with direct financial interests in its survival. We need to go back to zero, and realize that in the end, it is all about following the DoD, not the IT Information (IS) side of existing standards, policies, laws and regulations. The cost study repeatedly asked for is exactly where? A quick and cheap means of protecting our data, the prime concern from cyber threats including the insider threat, is using Blockchain code already in place. If one reads the existing Congressional language or the DAF SSECG v5.0, one would discover that the DoD is liable to pay for a contractor trying to implement CMMC in part or in whole (as it is unspecified as such for now). Regardless of one's enterprise or communication modes or staff, existing DoD directives, instructions and DFARS/FARS cover what we need for System Security Plans, Cybersecurity Strategy, and a slew of other service-peculiar cybersecurity authoritative references for IS and NSS alike. The failure to put these existing mandates into contracts, to monitor them, and to enforce them with penalties or contract defaults rests on the DoD and USG. The failure of contractors to follow a civil IS standard such as those from NIST (e.g., SP800-53, -160, -170, ...) is one of business development common sense these days. If the price of doing business with the DoD is complying with these existing NIST standards (they are not requirements) as they already do within their contractual related line items and CDRLs/DIDs, then let's make CMMC by any other name an ISO certification Quality Assurance item. Then the burden is not paying repeatedly for the same things by the DoD during proposal Technical Review to include the organization's ISO Quality Plan (something the Government pays for in other ways, but which already exists for ISO certified contractors).
In my opinion, no standard without measurable specifications secures anything, to include NIST SP800-53 RMF Controls for IS and the CNSSI 1253 Technical Controls for NSS. It is time to do something measurable, cost effective and quickly implemented, and protect the data with a self-monitoring/logging Blockchain implementation as a DoD standard communications mode. Certification of people and organizations has only resulted in a business for certifying bodies with no real gains as seen in practice to date, save for COTS operating systems and software applications.
Joseph Yuna at 3:35 PM
Without substantial financial backing, level 2 entities are set up for failure, trying to adhere to complex standards that starkly deviate from their core competencies. I've worked with many level 2 SMBs. These folks manufacture highly customized widgets for level 1 primes, and do it well. To their peril, they wouldn't know an IP packet if they tripped over one; and why should they? If the DoD wants to turn these family businesses into digital fortresses, it leaves itself no choice but to pony up.
Pete Sfoglia at 2:21 AM
While some may see CMMC as "a well-intentioned misstep," let us not forget that CMMC is the result of a majority of DIB contractors failing to accurately, credibly, and/or properly self-attest to the NIST 800-171 security requirements since 2016. These requirements did not just fall off a truck yesterday, last week, last month or last year. The requirements have been around since 2016 (32 CFR and DFARS 7012) and became a final rule in December 2017 (DFARS 7012). And the majority of contractors (small, medium and large) did nothing. They just waved hands over their contracts and attested they were compliant. In July 2019, an IG audit found that self-attestation (self-inspection) was not working and DoD was not enforcing its own rules. So, here we are today. CMMC 2.0 does not place any new compliance or security requirements on us...save one. When CMMC 2.0 is implemented, DIB contractors seeking a Level 2 or 3 (Level 3 not ready yet) certification due to a clause in an awarded DoD contract will need a 3rd-party independent (C3PAO) assessor to determine if they are compliant with NIST 800-171 (the rule since December 2017) because we cannot be trusted to self-attest. Yes, it will have cost. Yes, it will require resources. However, if we had been gradually investing in this since 2017 and doing it right...we might not be here today.
Al Wilson at 5:38 PM