Threat actors have successfully targeted defense contractors over the years because they haven’t fully secured their networks, thus creating serious vulnerabilities in U.S. national security. To combat this challenge, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) framework was born.
So, what exactly is this framework? According to the DoD’s website, the CMMC is a “unifying standard for the implementation of cybersecurity, which includes a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.” The framework, which will be tiered into five levels of maturity (from basic to advanced), is designed to provide increased cybersecurity protection of sensitive information across multi-tiered supply chains, including subcontractors.
The framework will be rolled out over the next five years, and starting in 2025, all defense contractors will be required to hold at least level 1 CMMC certification to submit bids on contracts. Once fully implemented, the framework will significantly help reduce the risk of cyber threats.
We spoke with Bryce Webster-Jacobsen, the Director of Intelligence Operations at GroupSense – a digital risk protection services company – to learn more about his perspective on the topic.
SECURITY: The U.S. Department of Defense’s new CMMC has sent shocks throughout the defense-contractor supply chain. What must defense contractors demonstrate as part of the new rules of the CMMC?
Webster-Jacobsen: As part of the CMMC, defense contractors must be able to demonstrate the effectiveness of cybersecurity practices across their entire value chain. That means that all subcontractors and suppliers, which are usually multi-tiered, must also be compliant. The CMMC has outlined 5 levels of maturity that need to be demonstrated through the certification framework, and they are as follows:
- Level 1: Basic Cyber Hygiene – Includes basic cybersecurity with universally accepted common practices, and limited resistance against data exfiltration and malicious actions.
- Level 2: Intermediate Cyber Hygiene – Inclusive of universally accepted cybersecurity best practices, resilient against unskilled threat actors, and minor resistance against data exfiltration and malicious attacks.
- Level 3: Good Cyber Hygiene – Resilience against moderately skilled threat actors, moderate resistance against data exfiltration and malicious attacks, and comprehensive knowledge of cyber assets.
- Level 4: Proactive – Advanced and sophisticated cybersecurity practices, resilient against advanced threat actors, defense responses approach machine speed, increased resistance against and detection of data exfiltration, and complete and continuous knowledge of cyber assets.
- Level 5: Advanced / Progressive – Highly advanced cybersecurity practices, resilient against the most advanced threat actors, defensive responses performed at machine speed, machine-performed analytics and defensive actions, resistance against and detection of data exfiltration, and autonomous knowledge of cyber assets.
SECURITY: Historically, contractors have used either paper-based questionnaires or automated software to document their subcontractors’ cyber processes. How will this impact new rules with CMMC?
Webster-Jacobsen: These two types of approaches are obsolete with CMMC because they only capture point-in-time assessments, and CMMC calls for primary contractors to be able to demonstrate an ability to effectively respond to adapting threats on an ongoing basis across the entire supply chain. Also, in either case, these methods request approval (if the software is doing the active scanning) and require using human capital.
Now, as part of the CMMC framework, the CMMC Accreditation Body, which is an independent organization, will authorize and accredit CMMC third-party organizations and their assessors. The assessors will be tasked with conducting assessments of the unclassified networks and then issuing the appropriate certificates (indicating which level has been achieved), based on the results of the assessment. This approach should provide a much more objective and accurate picture of a company’s cyber competency than ever before.
SECURITY: How can companies use cyber reconnaissance to get a more effective view of the efficacy of a partner/supplier’s security program with no interaction with the supplier to comply with the CMMC?
Webster-Jacobsen: Cyber reconnaissance should encompass both human and automated intelligence. After all, threat actors are human, and who better to understand human motivations and logic than other humans? The combination of human researchers and analysts with well-tailored technology is both powerful and effective. Effective cyber reconnaissance maps specific risks that could directly affect a particular company based on its profile – not unnecessary or irrelevant threats.
Ironically, in many cases, ensuring simple security best practices can often prevent threat actors from gaining access to networks. That includes, at a minimum, things like using strong password policies, a password management tool to easily track and change those passwords often, two-factor or multi-factor authentication, which helps confirm proper identities, and educating employees about the various types of phishing attacks to prevent unwanted network access.
By implementing effective cyber reconnaissance, companies will be able to actively monitor for threats, mitigate them as well as build resistance to all types of cyberattacks, helping them to better comply with CMMC requirements.
SECURITY: What is the best way to prove cyber effectiveness?
Webster-Jacobsen: The most effective way to prove cyber effectiveness is to go to where the criminals are. By continuously monitoring hacker activity and conversations in the internet underground and dark web for stolen intellectual property and other data, contractors can prove the cyber-effectiveness of their supply chains on an ongoing basis and identify and remediate cyber threats as they arise. A supplier’s digital risk footprint is a litmus test for the efficacy of their internal controls.
In today’s status quo, most companies discover data breaches from customers, partners or other third parties. This situation is not tolerable, because by the time the breach is discovered in this manner, the threat actor will have been on the network for an extended period of time, causing untold amounts of damage. Having a robust cyber reconnaissance capability in place is an effective way to dramatically reduce dwell times and prove CMMC compliance.