Cybersecurity Maturity Model Certification (CMMC) – A Model for Everyone

4 years ago, by Bob Covello

Data breaches have reached a fever pitch over the last few years. The rapid frequency of successful attacks, coupled with the rising costs to businesses, has raised attention at the highest levels of global governments. In the past, breaches were relatively “localized,” that is, they affected the targeted company only. However, the newer attacks have disrupted entire supply chains. While many companies have invested large sums to protect against such attacks, part of a comprehensive security program is the ability to demonstrably validate this security readiness.

What is CMMC?

Government agencies are an attractive target for attackers. The Defense Industrial Base (DIB) as well as the Department of Defense (DoD) supply chains are tempting goals. The DIB sector contains more than 300,000 companies that contribute to all aspects of the Defense Department. Multiple groups within the DoD have created a uniform system for all of these companies to demonstrate compliance. It is known as the Cybersecurity Maturity Model Certification (CMMC).

Many security professionals are familiar with the Cybersecurity Framework. Developed by the National Institute of Standards and Technology (NIST), it has been a recognized standard for many organizations that aim to show security readiness through a formalized security program. The CMMC gives a company the ability to prove readiness through a series of tiers that can be objectively assessed.

The CMMC offers five tiers of conformity, assessed across two separate dimensions of achievement: processes and practices. Each is matched to progressively higher compliance levels.

The arrangement of processes and practices is a welcome addition to the canon of cybersecurity guidance. It gives a clear understanding of what processes are expected against their respective practices. This removes a lot of the seemingly discretionary judgement that exists in many other evaluation criteria. 

Against that background, the CMMC goes further than just the levels. Quoting from the document:

“In addition to the CMMC level descriptions, the specification and mapping of processes and practices to a particular level take into account multiple considerations . . .”

It also states that,

“The CMMC model, in effect, provides a means of improving the alignment of maturity processes and cybersecurity practices with the type and sensitivity of information to be protected and the range of threats.”

It would seem that these statements are provided to show an understanding that not all data are the same. More specifically, particular types of information are aligned at each level. For example, the protection of Federal Contract Information is classified at a lower level than protecting Controlled Unclassified Information. 

Getting into the details

The level of granularity of the CMMC is reminiscent of private-sector auditing tools such as the Control Objectives for Information and Related Technologies (COBIT) and other assessment standards. The CMMC criteria are spread over 17 “domains.” These domains cover all aspects of a thorough cybersecurity practice. As one examines the separate requirements to fulfill each domain, it becomes evident that a total of 171 “best practices” comprise the CMMC. (This is also stated in the summary of the document.)

As one progresses along the path of the CMMC, it would appear that the processes of the CMMC are arguably more easily attained than the practices. This is because the processes can be approached as a practical set of behaviors, whereas the practices are based upon a “cultural” adherence to those behaviors. “The term institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization.” That sounds a lot like what we security professionals have been trying to articulate within our organizations for a very long time! Hence why it seems like a more challenging undertaking.

If an organization has a mixture of any of these levels across the organization, then the certification prescribes that the company will be classified under the lowest two designations: Performed or Documented for processes, and Basic or Intermediate Cyber Hygiene for practices.

It should be noted that the CMMC is an organizational certification, much in the same way that a System and Organization Controls (SOC) audit is an attestation of the effectiveness of an organization’s controls. The CMMC is not a personal certification in the security industry, although an individual can become a certified CMMC “Assessor” at one of several Assessor levels. As one of the newer DoD requirements, this will prove to be a valuable credential to possess in the cybersecurity community.

The CMMC is in full effect for all organizations that are part of the supply chain for the U.S. Department of Defense. The certification is well developed, and cybersecurity professionals in any organization should become acquainted with it. Like many of the NIST guidance documents, adoption of the CMMC can elevate every organization’s cybersecurity profile. This is a model for everyone.

If you are starting on your path to achieving a CMMC designation for your organization, see how Tripwire can help.

You can also learn more about achieving the DoD’s top three compliance requirements here.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “Cybersecurity Maturity Model Certification (CMMC) – A Model for Everyone” appeared first on Tripwire.

Source: Tripwire – Bob Covello
