CMMC: An ounce of prevention is worth a pound of cure

By Christian C. Contardo, Jeffrey B. Jones
October 5, 2021

The world is awash in data, and the amount of data continues to grow at an astounding rate. According to some estimates, global data storage will amount to more than 200 zettabytes by 2025. When you consider that one zettabyte is the equivalent of about one trillion gigabytes, you realize the sheer volume of digital information vulnerable to cyber exploitation. By 2025, cybercrime could annually cost companies $10.5 trillion.


No industry is safe, all sectors of the economy are at risk, and all government agencies are targets of cyber theft - including the Department of Defense (DOD) and members of the nation's military-industrial-technological base, also known as the Defense Industrial Base (DIB). To address the threat cybercriminals and foreign adversaries pose to DOD data, the department recently introduced the Cybersecurity Maturity Model Certification (CMMC).


The CMMC program is designed to protect against unauthorized access to sensitive DOD information residing on the networks of the tens of thousands of companies and research institutions that comprise the DIB. Portions of the CMMC are being implemented now, but full implementation is required by September 30, 2025. Although 2025 is a few years away, companies would be wise to consider building in compliant processes now, both to prepare for the eventual requirements and to gain an advantage over those who wait until the last minute to develop the necessary controls.


What is the CMMC?

The CMMC program consists of 5 levels of certification. Each level corresponds to an incrementally enhanced cybersecurity posture. In addition to assessing a company's implementation of cybersecurity practices, CMMC also evaluates the company's maturity processes. A company is recognized as possessing a certain CMMC level only after undergoing an extensive cybersecurity audit performed by a specially trained and qualified auditor. CMMC is, at its core, a "go / no-go" assessment model. In other words, a DIB company either achieves certification by meeting every cybersecurity requirement at a specified level, or it fails certification. Beginning in Fiscal Year 2026, companies that fail certification will be prevented from bidding on DOD contracts or from continuing to support current contracts.


CMMC Maturity Levels (MLs) 1 and 2 certify that a company possesses a basic capability to secure its computer network. 


At ML 3, CMMC begins assessing a company's capability of handling and protecting Controlled Unclassified Information (CUI). CUI is "information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." In addition to demonstrating adequate proficiency in performing the tasks associated with CMMC MLs 1-3, CMMC ML 4 requires the company to establish a capability of taking corrective actions in the face of a cyber intrusion event and maintaining procedures that allow it to consistently and accurately inform authorities on the operating and security statuses of the company's network. CMMC ML 5 requires all of the controls required at ML 4 proficiency, as well as a capability to protect against nation-state cyber actors and Advanced Persistent Threats.


CMMC is an excellent example of the federal government exercising its regulatory might in an area where it determines private industry is unable or unwilling to protect itself. The DOD was forced into implementing the CMMC due to the private sector's reluctance to address the problem itself. One of the pitfalls of the government working with the private sector is that the private sector has a fiduciary responsibility to the company and its shareholders, and the national security interests of the United States are sometimes subordinated in the name of protecting company interests and resources. CMMC addresses this reality by instituting across-the-board cybersecurity requirements on all DIB members, thus imposing at least a minimum level of responsibility to be good stewards of their networks and the government information entrusted to them.  


Cyber Threats are only Increasing


CMMC also represents an excellent opportunity for DIB companies to take ownership over the protection of their networks and improve the chances that the company can survive a cyberattack. 


Although the upfront costs of establishing a cybersecurity infrastructure may be expensive and the recurring costs for a company to maintain the cybersecurity infrastructure of its networks may feel like a resource-intensive burden at times, this program is a pragmatic approach to a serious and intractable problem: cybercrime and cyberespionage. As costly as CMMC may appear, the costs to a company that fails to adequately protect its network can be catastrophic to the company's long-term viability.


"Defense contractors must change how we think about cybersecurity, and specifically take a more proactive approach to cyber hygiene," said Tony Good, a cybersecurity subject matter expert with Darkblade Systems (Darkblade), a leading National Security Solutions provider and one of the first organizations accredited by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) as a Candidate Certified Third-Party Accreditation Organization (C3PAO). According to Good, "none of this is easy; we must make strides to fortify our collective cybersecurity posture while simultaneously driving technical innovation and protecting national security. CMMC is the best way we can achieve these critical goals." 


Recent data concerning cybercriminals' impact on private industry is alarming and only worsening by the day. No economic sector is immune, and all types and sizes of companies are vulnerable to online hackers. Experts estimate the global costs associated with cybercrime are increasing at a rate of 15% each year and will top $10.5 trillion by 2025. In the first 3 quarters of 2020, cyber intruders took approximately 36 billion online records, making 2020 the worst year on record in terms of data breaches. Meanwhile, in 2020, IBM estimated the average time to identify a network intrusion to be 207 days, resulting in an average repair and response cost to the victimized company of $3.86 million per incident.


The problem has not gone unnoticed and is particularly concerning to the DOD. DOD functions through the DIB, a research and industrial complex composed of more than 100,000 public-sector facilities, academic institutions, and private-sector companies that are responsible for conducting DOD's research and development, as well as the design, manufacture, delivery and maintenance of its weapons systems, subsystems, and components or parts. Like every other element of the U.S. economy, though, DOD recognizes the DIB has a vexing cybersecurity problem.


Recently, SpyCloud, a security company specializing in account takeover prevention, conducted a cybersecurity survey of the 27 largest US companies comprising the DIB. These companies accounted for more than $200 billion in US defense spending and represented companies belonging to the aerospace, manufacturing and technology service industries. In short, these are some of the most important components of the nation's military-industrial-technological complex. Given their size and standing, the average American would assume they would employ robust cyber capabilities and have the wherewithal to prevent most cyber intrusions from occurring in their networks. The research, however, leads to a strikingly different conclusion.


SpyCloud reports that in 2020 these 27 companies suffered 2,227 breaches resulting in nearly 5 million stolen records, which amounted to the theft of 23,720,437 individual pieces of information or "assets." An "asset" was defined in the SpyCloud study as an individual email address, password, or data point equivalent to personally identifiable information, such as a social security number, home address or account number.


SpyCloud's findings are particularly troubling because stealing personal data and credentials, like passwords, is typically the easiest method for hackers to use to gain unauthorized entry into a network and maintain a presence in that network - oftentimes for several months before being discovered.  


Unfortunately, the SpyCloud study focused on a very small percentage of the DIB. Nation-state cyber actors thrive by finding the weakest point of the adversary's network and exploiting the vulnerability. What is missing from SpyCloud's analysis is the number of attempts the adversary may have made to gain entry into these 27 companies via the soft underbelly of the DIB - the small to medium-sized DIB members that lack cybersecurity budgets, but are working with larger companies on special projects and causes. Often, the preferred attack vector runs through small, lightly defended DIB member networks to gain a foothold into the networks of other DIB members.  


Is CMMC Certification Worth the Expense?

Depending on the level of CMMC certification, compliance will likely carry an initial cost to companies of many tens of thousands of dollars to purchase equipment and prepare for the audit. Further, there will be recurring costs of maintaining the network and periodically repairing or replacing malfunctioning or obsolete equipment and software.


These costs are real, but they are nowhere near as high as the cost of being victimized by a cybercriminal or a nation-state hacker. For instance, the average cost to recover from a ransomware attack grew from $761,106 in 2020 to $1.85 million in 2021.


Ransomware is becoming an increasingly prevalent form of cyberattack, but other exploits, including Distributed Denial of Service Attacks, SQL injections, phishing and spear-phishing emails, and malware, all represent significant dangers to the security of DIB computer networks and come with high costs to address.   

The costs associated with recovering from a cyberattack include not only the tangible cost of replacing damaged equipment and accounting for lost business that results from an inability to use the network, but also intangible costs. For many companies, an attack that also results in a damaged reputation, decreased viability to operate in the defense contracting space, and the loss of intellectual property presents an existential threat to the business. These intangible assets can be the veritable lifeblood of an enterprise, and damage to or destruction of them can bankrupt the business. CMMC is one of the best proactive, defensive cybersecurity weapons available against that outcome.


When viewed in these terms, the costs to obtain the CMMC certification can mean the difference between the company thriving or dying. Private industry should welcome the DOD's CMMC regulatory scheme and accept it as an invitation to shed the old 20th Century model of operating on the Internet and adopt a cyber posture that recognizes and appreciates the dangers of conducting business in the 21st-century version of the Internet. Not only will CMMC help ensure the ongoing viability of each DIB member, but it will also significantly contribute to safeguarding the nation's most sensitive information and help maintain the safety and security of our nation.   


Christian C. Contardo is an attorney who advises clients in the technology, finance, and industrial sectors on a variety of national security, global trade, and privacy issues at Lowenstein Sandler LLP. 

Jeffrey B. Jones is a senior consultant and attorney with nearly 20 years of experience providing legal advice and assistance in national security matters, government investigations and cybersecurity issues.
