The Department of Defense Cybersecurity Maturity Model Certification (CMMC) was released today (Version 1.0), and is available on DoD’s OSD website here.
This is a cybersecurity standard with 5 maturity levels, created in partnership between the Software Engineering Institute (SEI) and the DoD.
The DoD has announced that future RFIs and RFPs will require prime contractors and subcontractors/vendors to be externally appraised (audited and certified) at a specified CMMC level in order to bid on DoD contracts.
They are planning on ‘tagging’ a handful of RFIs in the June 2020 timeframe and a handful of RFPs in the Fall 2020 timeframe with the CMMC requirement, and then phasing the requirement in across DoD contracts over the next 5 years. DoD has said that no existing contracts will have CMMC added to them; instead, DoD will add CMMC to contracts as they come up for re-compete.
This morning, Ellen M. Lord, undersecretary of defense for acquisition and sustainment; Kevin Fahey, assistant secretary of defense for acquisition; and Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber, conducted a news conference at the Pentagon on cybersecurity standards for government acquisition. The video is available online here. The 3 slides presented are shown below.
I recently went to the 2019 Gartner Security and Risk Summit in National Harbor (outside of DC). This was my second Gartner conference, and so far they’re 2 for 2 at delivering high-quality, impactful, intense 5-day conferences. The event was jam-packed with great sessions, roundtables, workshops, and keynotes.
I can tell a conference is going to be great when I try to build my agenda before the event and I want to pick 2-3 sessions for many of the time slots. Fortunately Gartner gives attendees of their events access to the slides and audio of the conference, so you can review what you missed.
I was also very impressed by Gartner’s midsize-company sessions (for companies with $50 million to $1 billion in annual revenue), where presentations, roundtables, and workshops let leaders from midsize companies connect, collaborate (and sometimes commiserate) on best practices relevant to organizations of their size.
My major takeaways (and it’s hard to summarize) were:
- Identity is the new perimeter (not the network, not the device)
- You often hear people talking now about “zero trust networks”: the idea that instead of treating your LAN/VPN as the perimeter you protect, and trusting people once they are inside it, you should focus on making your identity and access management (IAM) approach solid and build security around identity, using things like MFA and risk-based access management
- This also means that identity is the critical linchpin of security, replacing the assumption that devices/users inside the network are trusted devices/users
- Neil MacDonald also made a key point here: non-human entities (e.g. DevOps pipelines) need their own unique identities that they authenticate with securely, so they don’t become a huge security hole in your infrastructure
- Communicate Risk with Business Perspective: It’s critical to communicate risk to executives/non-IT leaders/board in a way that actually articulates/visualizes risk and how cyber risk affects the business’ value chain/business model (and not talking about security technology at all)
- It’s important to strike the right balance between quantifying risk and impact (the board demands numbers), and the fact that cybersecurity risk and impact isn’t a statistically mature field, so sometimes qualitative assessments are the only reasonable way to communicate risk (numbers can be overly precise when we don’t have a solid foundation to build them on) — there was a great session where four Gartner analysts debated this intensely, 2-on-2
- Information security fundamentals are critical to do well, and organizations still don’t do them well – organizations spend too much energy on new projects/technologies (shiny new objects) instead of refining the fundamentals they already do (e.g. log analysis, change management, asset management, vulnerability management)
- Select one primary security framework to orient your information security program around (e.g. NIST CSF, which is dominating the survey data as the standard for both US and international companies, or ISO 27001) – more than one primary framework leads to confusion, and none means you either have no foundation or you’re trying to reinvent a wheel that industry is rapidly refining
- Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) programs are very hard to run well, both technically and from a privacy compliance standpoint — individual state and international privacy legislation requirements make this very complex
If you want to hear more, check out some of the keynotes on the Gartner YouTube Channel; or, for other people’s perspectives on the event, check out the Tweets from the 2019 Gartner Security Summit or other blog posts like this one.