SHARED INTELLIGENCE: Cybersecurity is set to change dramatically with the implementation of “CMMC”


Finally, Uncle Sam compels companies to take cybersecurity seriously.

Related: How the Middle East paved the way for CMMC

Version 2.0 of the Cybersecurity Maturity Model Certification (CMMC) could go into effect as early as May 2023, making detailed audits of cybersecurity practices mandatory for any company hoping to do business with the Department of Defense.

Make no mistake: CMMC 2.0, which has been in development since 2017, represents a radical change. The DoD will require contractors throughout its supply chain to adhere to the cybersecurity best practices outlined in the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171).

I met with Elizabeth Jimenez, Executive Director of Market Development at NeoSystems, a Washington DC-based back-office management service provider, to discuss the prominent role that Managed Security Service Providers (MSSPs) are sure to play in the rollout of CMMC 2.0. For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Passing muster

CMMC 2.0 defines three levels of cybersecurity certification that a company can obtain in order to provide products or services to the DoD, each of which requires demonstrating that a defined set of cybersecurity controls and policies is in place.

Level 1, for example, requires 17 basic practices to protect information systems and limit access to authorized users. Level 2 applies to contractors that handle controlled unclassified information (CUI) and corresponds to the 110 security requirements of NIST SP 800-171. Level 3 adds several further layers of protection, drawn from NIST SP 800-172, aimed specifically at reducing the risk that advanced persistent threats (APTs) pose to CUI.

In addition, each DoD contractor must perform, at a minimum, an annual self-assessment. Crucially, this includes weighing the cybersecurity posture of third-party partners. In general, contractors should be prepared to disclose details about people, technology, facilities and external suppliers, in short, just about anything that intersects with their position in the supply chain. This includes cloud providers and managed service providers.

“It’s a big step, for sure,” Jimenez told me. “All of these checks need to be done from a compliance perspective, and internal practices need to be put in place. All this is to attest that the contractor has a solid security posture and, in the event of an audit, could pass the test.”

Auditable reviews

To get to square one under CMMC 2.0, a contractor must do a few very basic, but largely overlooked, things: those that process controlled unclassified information, or CUI, must have both a formal security management program and an incident response plan in place.

This means reviewing IT systems, identifying sensitive assets, cataloging all security tools and policies and, last but not least, putting in place a reporting framework that can be audited. It sounds basic, but it is something that many organizations in the throes of digital transformation have let fall into disarray.


“It’s very important to have both a security program and an incident response plan in place,” says Jimenez. “This should include ongoing monitoring to emphasize that the security environment is constantly reviewed and updated with data that has an audit trail available for future reference.”

Following the basic best practices needed to pass an audit amounts to doing the minimum. Companies that see CMMC 2.0 as a nudge to stop dithering on the fundamentals of cyber hygiene, however, stand to reap greater benefits.

Performing auditable security reviews on a scheduled basis can provide critical information not only for improving network security, but also for supporting digital transformation.

“You can balance your current controls with your risk tolerance and align your IT risk management programs with your security and business goals,” observes Jimenez.

Raising the bar

In short, CMMC 2.0 is the stick the federal government is using to enforce cybersecurity best practices across the Department of Defense supply chain. In doing so, Uncle Sam should, in the long term, raise the bar for cybersecurity and ensure that fundamental best practices permeate businesses of all sizes and across all industries.

This is largely how we have fire alarms and overhead sprinklers in our buildings and seat belts and airbags in our cars. To bring us to a comparable level of security in digital services, managed security service providers (MSSPs) seem set to play a leading role.

It was a natural progression for MSSPs to move from providing endpoint protection and email security to a full portfolio of monitoring and management services. In a dynamic operating environment plagued by active threats, it makes sense to retain a trusted advisor that trains specialized analysts and engineers and equips them with state-of-the-art tools.

Full-service MSSPs today focus on improving visibility of cyber assets, detecting intrusions, accelerating mitigation, and effectively remediating vulnerabilities. This reduces the pressure on companies to recruit and retain internal security teams.

Meeting a crying need

Thus, MSSPs have grown rapidly over the past five years to meet a need, a trend that has only accelerated with the onset of Covid-19. Today, major MSSPs typically maintain dedicated teams of in-house analysts and engineers intently focused on understanding and mitigating emerging cyber threats.

They leverage industry-leading cloud-centric security tools, often partnering with top vendors for vulnerability management, endpoint security and threat intelligence gathering. Many of these experts in the trenches at MSSPs helped develop NIST’s best practices, and they continue to help refine them.

MSSPs are increasingly taking on a primary role in midsize businesses to maintain endpoint security, vulnerability patch management, and even things like firewall management and configuration management.

NeoSystems, for its part, offers all of these security services in modular packages, with a focus on removing compliance barriers for federal government contractors. It is gaining a lot of traction with small and medium-sized businesses that can’t spare the resources to suddenly build security into their networks, Jimenez told me.

CMMC 2.0, which is slated to arrive in May 2023, puts defense contractors on notice and sends a signal to all businesses. “It’s the first real and definitive step of the feds saying this needs to be in place, you need to have a security posture and it needs to be robust,” Jimenez said. “Once this really takes hold, it will be paramount for companies to align and ensure they are audit-ready.”

Ten years ago, companies could, and should, have adopted NIST’s cybersecurity best practices. Hopefully CMMC 2.0 will carry them forward into the 2020s. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to educating the public on how to make the Internet as private and secure as it should be.

(LW provides advisory services to the vendors we cover.)

*** This is a syndicated blog from the Security Bloggers Network of The Last Watchdog written by bacohido. Read the original post at:

