Sunday, February 4, 2024

6 Golden Tips To Get Prepared For The CMMC Certification

For those companies in the defense sector, you know very well that the Department of Defense (DoD) is your main customer.  But as the cyber threat landscape has evolved, so have the security requirements that the DoD has put in place to make sure that whatever information it shares with contractors, during and after the bidding process, stays protected.  In practice this means Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

To this end, the DoD has implemented what is known as the "Cybersecurity Maturity Model Certification", or "CMMC" for short.  Long story short, this is where companies in the Defense Industrial Base (DIB) and their subcontractors have to reach a specified level of cyber certification before they can be awarded contracts that involve that information.

The CMMC program has been in the works for a number of years now, and there have been two versions of it.  In the first version, CMMC 1.0, there were five levels of certification that could be achieved; in the current version, CMMC 2.0, there are only three.  The requirements were also streamlined in this round, most notably by aligning Level 2 with the existing practices of NIST SP 800-171, to help defense contractors get certified sooner.

Although achieving CMMC certification at any level can be a herculean and daunting task, as the CISO of a defense business you have to realize that achieving it is not the end of your efforts to strengthen your lines of defense.  Certification is a snapshot in time; the controls have to keep working after the assessor leaves.  You will have to keep pushing, no matter how hard and long the journey might be.

To this end, I came across an article in which a 30-year veteran of the cyber industry echoes these same thoughts.  His mantra is "Harden", and he takes a six-step approach to it:

1)     Harden your people:

This includes both the members of your IT security team and the other employees in your company.  The best way to do this is through continuous security awareness training and regular mock attacks, such as simulated phishing campaigns, so that people practice recognizing and reporting the real thing.

2)     Harden your Cloud:

Whatever cloud platform you use, such as AWS, Azure, or GCP, make sure to use all of the tools that are available in your subscription to protect your IaaS, PaaS, and SaaS environments.  An important thing to keep in mind here is the shared responsibility model: the provider secures the underlying infrastructure, but you are ultimately responsible for how these tools, and your workloads, identities, and storage, are configured, not your cloud provider!

3)     Harden the endpoints:

The term "endpoint" can be confusing, but for purposes of this blog it simply means all of the devices in your company that are being used by your employees, whether they are on site, hybrid, or remote.  The best level of protection that you can offer here is an "Endpoint Detection and Response" (also known as "EDR") solution deployed to all of those devices.

4)     Increase your levels of both visibility and detection:

This simply means collecting the logs and alerts from all of your network and security devices into one central repository, such as a SIEM.  This gives you a view of all activity, in near real time, from a single point.  You can also use correlation rules and AI/ML tools to filter out false positives, so that only the real and credible alerts are presented to your IT security team for triage.
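To make the "central repository plus false-positive filtering" idea concrete, here is an added example that is not from the original post or the article it summarizes.  It normalizes constructed log lines from two made-up devices (a VPN gateway and a domain controller), correlates a burst of failed logins followed by a success from the same user and source address, and suppresses a known vulnerability-scanner address as a tuning allowlist.  All hostnames, user names, and IP addresses are invented for illustration.

```python
"""Minimal SIEM-style correlation over constructed log lines.

Added example, not code from the original post. The events, hosts, users and
addresses below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events as a SIEM might receive them from two devices.
RAW_EVENTS = [
    "2024-02-04T09:00:01Z vpn01 auth=FAIL user=jsmith src=203.0.113.7",
    "2024-02-04T09:00:03Z vpn01 auth=FAIL user=jsmith src=203.0.113.7",
    "2024-02-04T09:00:04Z vpn01 auth=FAIL user=jsmith src=203.0.113.7",
    "2024-02-04T09:00:05Z vpn01 auth=FAIL user=jsmith src=203.0.113.7",
    "2024-02-04T09:00:06Z vpn01 auth=FAIL user=jsmith src=203.0.113.7",
    "2024-02-04T09:00:09Z vpn01 auth=OK   user=jsmith src=203.0.113.7",
    # A made-up authenticated vulnerability scanner that legitimately fails
    # and then succeeds against many hosts: classic false-positive noise.
    "2024-02-04T09:05:00Z dc01 auth=FAIL user=svc-scan src=10.0.0.50",
    "2024-02-04T09:05:01Z dc01 auth=FAIL user=svc-scan src=10.0.0.50",
    "2024-02-04T09:05:02Z dc01 auth=FAIL user=svc-scan src=10.0.0.50",
    "2024-02-04T09:05:03Z dc01 auth=FAIL user=svc-scan src=10.0.0.50",
    "2024-02-04T09:05:04Z dc01 auth=FAIL user=svc-scan src=10.0.0.50",
    "2024-02-04T09:05:10Z dc01 auth=OK   user=svc-scan src=10.0.0.50",
    # A line in a different format (firewall) that the parser must not choke on.
    "2024-02-04T10:00:00Z fw01 deny proto=tcp dst=10.0.0.5:445",
    # One typo followed by a success half an hour later: not an attack.
    "2024-02-04T11:00:00Z dc01 auth=FAIL user=bob src=198.51.100.9",
    "2024-02-04T11:30:00Z dc01 auth=OK   user=bob src=198.51.100.9",
]

# Assumed allowlist of scanner source addresses (constructed).
SCANNER_IPS = frozenset({"10.0.0.50"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>\w+)\s+"
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_event(line):
    """Normalize one auth log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def correlate(lines, allowlist=frozenset(), threshold=5, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for (user, src) precede a success within window.

    Events from allowlisted sources are dropped before correlation, which is
    the simple, deterministic form of the false-positive filtering the post
    describes.
    """
    events = sorted(
        (e for e in (parse_event(l) for l in lines) if e is not None),
        key=lambda e: e["ts"],
    )
    failures = defaultdict(list)  # (user, src) -> timestamps of FAIL events
    alerts = []
    for e in events:
        if e["src"] in allowlist:
            continue
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
        elif e["result"] == "OK":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute-force-then-success",
                    "user": e["user"],
                    "src": e["src"],
                    "host": e["host"],
                    "failures": len(recent),
                    "at": e["ts"].isoformat(),
                })
            failures[key] = []  # a success resets the failure run for this key
    return alerts


if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS, allowlist=SCANNER_IPS):
        print(alert)
```

Run as-is, the script raises exactly one alert, for `jsmith`; without the allowlist the scanner account would trigger a second, spurious one.  In a real SIEM the allowlist and threshold would be tuned per source, and the regex would be replaced by the platform's own parsers, but the pipeline (normalize, correlate across sources, suppress known noise, hand only the rest to analysts) is the same.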

5)     Keep hunting:

As a CISO, you can never assume that all of your weaknesses and gaps have been closed.  There will always be some, so you should be conducting both penetration testing and threat hunting exercises on a regular basis (at least quarterly).  Regular vulnerability scans belong here as well, run more often than the penetration tests, since they are cheap and catch the routine misses between engagements.

6)     Respond quickly:

The bottom line here:  if you detect a threat, respond immediately!  Don't take seven months or so to notice it (roughly the figure commonly cited for how long it takes Corporate America to detect a breach).  For this to happen, you must have the right Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans in place, and they must be rehearsed regularly too.

My Thoughts On This:

Don't wait for CMMC certification to take the steps above.  In fact, the DoD itself recommends that the best way to get certified is for your company to be proactive on the cyber front at all times, and to take every step necessary to protect your lines of defense.
