
5 minutes with Bryce Webster-Jacobsen - What the new CMMC Framework means for defense contractors

By Maria Henriquez
March 8, 2021

Threat actors have successfully targeted defense contractors over the years because they haven’t fully secured their networks, thus creating serious vulnerabilities in U.S. national security. To combat this challenge, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) framework was born.

So, what exactly is this framework? According to the DoD’s website, the CMMC is a “unifying standard for the implementation of cybersecurity, which includes a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.” The framework, which will be tiered into five levels of maturity (from basic to advanced), is designed to increase the protection of sensitive information across multi-tiered supply chains, including at subcontractors.

The framework will be rolled out over the next five years, and starting in 2025, all defense contractors will be required to hold at least a Level 1 CMMC certification to bid on DoD contracts. Once fully implemented, the framework is intended to materially reduce cyber risk across the defense supply chain.

We spoke with Bryce Webster-Jacobsen, the Director of Intelligence Operations at GroupSense – a digital risk protection services company – to learn more about his perspective on the topic.

SECURITY: The U.S. Department of Defense’s new CMMC has sent shocks throughout the defense-contractor supply chain. What must defense contractors demonstrate as part of the new rules of the CMMC?

Webster-Jacobsen: As part of the CMMC, defense contractors must be able to demonstrate the effectiveness of cybersecurity practices across their entire value chain. That means that all subcontractors and suppliers, which are usually multi-tiered, must also be compliant. The CMMC has outlined 5 levels of maturity that need to be demonstrated through the certification framework, and they are as follows:

  • Level 1: Basic Cyber Hygiene – Includes basic cybersecurity with universally accepted common practices, and limited resistance against data exfiltration and malicious actions.
  • Level 2: Intermediate Cyber Hygiene – Inclusive of universally accepted cybersecurity best practices, resilient against unskilled threat actors, and minor resistance against data exfiltration and malicious attacks.
  • Level 3: Good Cyber Hygiene – Resilience against moderately skilled threat actors, moderate resistance against data exfiltration and malicious attacks, and comprehensive knowledge of cyber assets.
  • Level 4: Proactive – Advanced and sophisticated cybersecurity practices, resilient against advanced threat actors, defense responses approach machine speed, increased resistance against and detection of data exfiltration, and complete and continuous knowledge of cyber assets.
  • Level 5: Advanced / Progressive – Highly advanced cybersecurity practices, resilient against the most advanced threat actors, defensive responses performed at machine speed, machine-performed analytics and defensive actions, resistance against, and detection of, data exfiltration, and autonomous knowledge of cyber assets.

SECURITY: Historically, contractors have used either paper-based questionnaires or automated software to document their subcontractors’ cyber processes. How will this impact new rules with CMMC?

Webster-Jacobsen: These two types of approaches are obsolete with CMMC because they only capture point-in-time assessments, and CMMC calls for primary contractors to be able to demonstrate an ability to effectively respond to adapting threats on an ongoing basis across the entire supply chain. Also, in either case, these methods request approval (if the software is doing the active scanning) and require using human capital.

Now, as part of the CMMC framework, the CMMC Accreditation Body, which is an independent organization, will authorize and accredit CMMC third-party assessment organizations and their assessors. The assessors will be tasked with conducting assessments of the unclassified networks and then issuing the appropriate certificates (indicating which level has been achieved), based on the results of the assessment. This approach should provide a much more objective and accurate picture of a company’s cyber competency than ever before.

SECURITY: How can companies use cyber reconnaissance to get a more effective view of the efficacy of a partner/supplier’s security program with no interaction with the supplier to comply with the CMMC?

Webster-Jacobsen: Cyber reconnaissance should encompass both human and automated intelligence. After all, threat actors are human, and who better to understand human motivations and logic than other humans? The combination of human researchers and analysts with well-tailored technology is both powerful and effective. Effective cyber reconnaissance maps specific risks that could directly affect a particular company based on its profile – not unnecessary or irrelevant threats.

Ironically, in many cases, ensuring simple security best practices can often prevent threat actors from gaining access to networks. That includes, at a minimum, things like using strong password policies, a password management tool to easily track and change those passwords often, two-factor or multi-factor authentication, which helps confirm proper identities, and educating employees about the various types of phishing attacks to prevent unwanted network access.

By implementing effective cyber reconnaissance, companies will be able to actively monitor for threats, mitigate them as well as build resistance to all types of cyberattacks, helping them to better comply with CMMC requirements.

SECURITY: What is the best way to prove cyber effectiveness?

Webster-Jacobsen: The most effective way to prove cyber effectiveness is to go to where the criminals are. By continuously monitoring hacker activity and conversations in the internet underground and dark web for stolen intellectual property and other data, contractors can prove the cyber-effectiveness of their supply chains on an ongoing basis and identify and remediate cyber threats as they arise. A supplier’s digital risk footprint is a litmus test of the efficacy of its internal controls.

In today’s status quo, most companies discover data breaches from customers, partners or other third parties. This situation is not tolerable, because by the time the breach is discovered in this manner, the threat actor will have been on the network for an extended period of time, causing untold amounts of damage. Having a robust cyber reconnaissance capability in place is an effective way to dramatically reduce dwell times and prove CMMC compliance.

KEYWORDS: compliance tools, cyber security, Department of Defense, risk management, third-party risk

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
