The United States Department of Defense (DoD) is no stranger to cybersecurity threats. Case in point: highly sensitive data on the US’s latest 5th generation fighter, the F-35 Lightning II, was compromised in cyber attacks earlier this year, leading to what was described by state sources as an intensive and extreme compromise. Hackers exploited weak passwords used by the help desk of a small, 50-strong Australian sub-contractor and managed to download huge amounts of data on both the warplane and other defense assets.
This was only the most recent in a long string of attacks and, suffice to say, the defense establishments of almost every country are perpetual prime targets. Cybersecurity threats become even more dangerous when we factor in that defense departments are now leaning towards increased digitization and automation.
For instance, the Pentagon’s JEDI (Joint Enterprise Defense Infrastructure) contract, which was awarded to Microsoft this year, aims to move defense operations over to the cloud. The DoD also published a Digital Modernization Strategy that aims to bring new technologies into the US armed forces. In times to come, we can expect to see more defense setups move their operations to the cloud and harness emerging technologies.
But such moves bring with them an increased risk of cybersecurity threats. The JEDI program has been routinely criticized for a structure that locks the Pentagon in to just one cloud provider for 10 years, giving hackers just one target to focus on.
CMMC in a Nutshell
In light of the increasing need for digitization and the accompanying cybersecurity threats, the DoD recently published the Cybersecurity Maturity Model Certification (CMMC) to gauge its internal and external environment against cybersecurity threats. While the model is intended for defense contractors, it is still an excellent tool for SMBs and large enterprises alike, which can learn from the DoD’s insights.
Aimed at a 2020 release, the CMMC will require defense contractors to prove how secure their IT environment is. Until recently, contractors had to submit a System Security Plan (SSP) and Plan of Action and Milestones (POA&M), as mandated by NIST Special Publication 800-171, to the DoD to be considered. This ruleset, however, doesn’t have any protocols for auditing and protecting Controlled Unclassified Information (CUI), which is why the new CMMC program was initiated.
Starting in 2020, contractors will have to demonstrate the actual control processes they have in place. They will then be categorized on a five-level scale, ranging from Level 1, the least secure, to Level 5, the most secure. The breakdown works the following way:
- CMMC Level 1: Requires only basic cybersecurity hygiene with 17 security controls (NIST SP 800-171 rev 1)
- CMMC Level 2: Requires intermediate cyber hygiene with 46 security controls (NIST SP 800-171 rev 1)
- CMMC Level 3: Requires good cybersecurity hygiene with 47 security controls (NIST SP 800-171 rev 1)
- CMMC Level 4: Requires robust, proactive, ongoing security protocols with 26 security controls (NIST SP 800-171B)
- CMMC Level 5: Requires advanced/progressive cybersecurity measures with 4 security controls (NIST SP 800-171B)
Contractors will be graded against each of these levels based on 14 control families and on how many of the individual controls were met. The CMMC takes into account the ever-changing nature of cybersecurity threats and institutes constant monitoring and modification of policy.
Not all contractors will need to adhere to the highest requirements, though, and the certification will allow for adequate security measures based on the sensitivity of the information a contractor in a particular level is privy to.
What Can SMBs Take From the CMMC?
The CMMC shines a light not only on emerging cybersecurity threats, but on new ways to combat them as well. You can create your own cybersecurity maturity model to assess your standing based on the recommendations of the CMMC. Here are a few takeaways:
Physical access matters: A basic requirement of Level 1 is that companies limit and control physical access to their devices and maintain a log of all those who access them. While seemingly inconsequential in a cloud-powered world where information can be accessed from anywhere, physical data breaches account for 1 in 10 cybersecurity attacks. Baking physical cybersecurity best practices into your overall security policy can help you stop attacks right at the onset.
System access authentication is key: The identity of people, processes and devices should always be properly screened, documented and authorized before they are given access to organizational systems.
Identity Access Management (IAM) is already a hotly debated topic in cloud security and should be a top priority for any company that values its security. Typically, employees are beyond the purview of the most severe security measures as they are trusted.
This can be a costly mistake, as such a philosophy assumes there can be no insider threat. Modern IAM best practices are beginning to use a zero-trust model where an organization’s network treats every person or device as a potential hazard and distributes information on a need-to-know basis.
Public facing systems are best kept away from internal systems: CMMC rule NIST SP 800-171 3.13.5 requires all contractors to segregate their public and internal networks either physically or logically. Network segmentation is a well-tested strategy both to stop incursions and to control the actions of individuals that have managed to infiltrate an organization’s IT systems. Organizations can use demilitarized zones between networks with layer 3 switches, virtual machines and firewalls, domain isolation with IPsec (Internet Protocol Security) and Cross Domain Solutions for greater security.
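One way to check the public/internal separation described above is to audit the firewall rule set for rules that let outside sources reach the internal network directly. The following is an added example, not part of the original article or of the CMMC: the zone addresses, the Rule structure and the sample rules are all constructed for illustration, and rules are assumed to be evaluated first-match.

```python
import ipaddress as ip
from dataclasses import dataclass

# Constructed zone layout (assumption for this example, not from the article).
INTERNAL = ip.ip_network("10.0.20.0/24")  # internal systems
DMZ = ip.ip_network("10.0.10.0/24")       # public-facing subnetwork

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # destination port, 0 means any

def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ip.ip_network(inner.src).subnet_of(ip.ip_network(outer.src))
            and ip.ip_network(inner.dst).subnet_of(ip.ip_network(outer.dst))
            and outer.port in (0, inner.port))

def segmentation_violations(rules):
    """Return allow rules that let sources outside INTERNAL and DMZ reach INTERNAL.

    An allow fully covered by an earlier deny can never fire and is skipped.
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src, dst = ip.ip_network(rule.src), ip.ip_network(rule.dst)
        if not dst.overlaps(INTERNAL):
            continue  # does not touch the internal network
        if src.subnet_of(INTERNAL) or src.subnet_of(DMZ):
            continue  # internal or DMZ-originated traffic is out of scope here
        if any(r.action == "deny" and covers(r, rule) for r in rules[:i]):
            continue  # shadowed by an earlier deny
        findings.append(rule)
    return findings

# Constructed sample rule set, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.10.5/32", 443),      # Internet -> DMZ web server
    Rule("allow", "10.0.10.5/32", "10.0.20.8/32", 5432),  # DMZ web -> internal database
    Rule("deny", "0.0.0.0/0", "10.0.20.0/24", 22),        # block SSH into internal
    Rule("allow", "0.0.0.0/0", "10.0.20.15/32", 22),      # dead rule: shadowed by the deny
    Rule("allow", "0.0.0.0/0", "10.0.20.8/32", 3389),     # violation: Internet -> internal
    Rule("allow", "198.51.100.0/24", "10.0.0.0/8", 0),    # violation: range includes internal
]
```

Calling segmentation_violations(SAMPLE_RULES) returns the last two rules; traffic that originates in the DMZ is deliberately left to a separate review of which internal services each DMZ host may reach.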
An organization’s assets should be tracked: The CMMC mandates that all contractors should identify and track all inventoried items including hardware, virtual, software, firmware and CUI information. Tracking can be a sticky point in a company’s security plan as employees will no doubt raise concerns about being monitored. Education and training can help companies stem doubt and generate stakeholder buy-in in such cases.
Endpoint security is a must: While the internal network almost always gets the best security features, devices connecting to it are often treated as an afterthought. This is particularly the case since many companies are moving to highly decentralized methods of working such as BYOD and remote working.
By including antivirus software, threat detection, data filtration, encryption, silos and intrusion detection tools within the devices issued to and belonging to employees, a company can stop the vast majority of threats right at the door.
For more on CMMC rules and suggestions, check out Govchamber’s blog post on CMMC Level 1 Security.
Security is Always a Work in Progress
Just like in defense, where the constant back and forth between measures and countermeasures keeps things rolling forward, cybersecurity in the business landscape is a never-ending battle too. No sooner has someone come up with a solution to a cybersecurity threat than those behind the latter start working on a countermove, which in turn leads to a solution, ad infinitum.
In such a highly competitive landscape, no one can afford to rest on their laurels. Constantly looking out for emerging threats, educating stakeholders and exercising realistic suspicion can help organizations keep their assets secured while driving up productivity.
Cloud-based tools like Runrun.it understand that productivity and accessibility should never come at the cost of security. Not only are our time and work tracking solutions intuitive, easy to learn and accessible globally, but we have also gone above and beyond to ensure your data is never compromised. Feel free to send over any questions or issues you might have. We will be happy to help!