CMMC is Good, But May Not Be Enough

by | Nov 19, 2020 | Insights

In the defense industrial base (DIB), organizations must adhere to DFARS compliance, which will soon include CMMC compliance requirements. For example, NIST 800-171 3.2.2 states that organizations “include training procedures for employees to understand their role and responsibilities in protecting CUI and how to use the system in a secure manner.”

To meet these requirements, security personnel can take two approaches:

Risk-based or compliance-based.

What’s the difference? Well, compliance-based thinking focuses on compiling a list of known gaps, so teams can determine the simplest path to regulatory adherence. With this mindset, organizations could choose to approach the NIST 800-171 requirement in a variety of ways.

For example, they could implement mandatory training, so all staff know how to minimize cyber risks and vulnerabilities, but they’re more likely to roll out cookie-cutter security measures since it will accelerate compliance.

The bottom line – compliance standards trail the broad spectrum cybersecurity risks and put companies behind the power curve.

That’s why I’m glad Conquest Cyber embeds a risk-based approach at the core of its cybersecurity philosophy. Based on my 20 years of experience in national security, I know it’s not enough to ask, “What requirement are we trying to meet?” Instead, we have to consider, “What risks need to be addressed?” 

This paradigm shift can help DIB organizations see their challenges in a new light. For example, many companies view the shortage of cybersecurity talent as a recruiting issue, but the risk-based perspective turns that on its head.

Instead of viewing this as a minor hiring problem, leaders with a risk-based mindset recognize that these personnel gaps are exposing the organization to vulnerabilities. If unqualified personnel are managing highly-confidential data, what sort of risks are they letting in, even while technically meeting industry requirements?

While the way that Conquest Cyber views solving cybersecurity problems may seem unconventional, we hold firmly to the belief that if you can predict the adversary, you can win. That’s why we’ve developed a single, comprehensive software, ARMED™, that helps identify risk and address it with full visibility. It does this in a couple ways:

  1. It eliminates the noise of poorly integrated solutions
  2. A single software simplifies the security stack, so the basics are more achievable
  3. Automation minimizes manual processes to address the impact of the resources gap by enabling smaller staff to effectively protect sensitive data.
Cybersecurity 9/11 already happened. When will we act?

Cybersecurity 9/11 already happened. When will we act?

If you’re still waiting for a cybersecurity 9/11 or a ransomware Pearl Harbor to punch us in the gut, wake up. The equivalent has already happened. More than one, in fact. Maybe SolarWinds and Colonial Pipeline1 didn’t have the same devastating visuals of...

Your New Cyber SOC Isn’t Enough. You Need A Mindset

Your New Cyber SOC Isn’t Enough. You Need A Mindset

There were no cyber SOCs when Sun Tzu wrote “The Art of War” more than 2,500 years ago. But the ancient Chinese warrior’s old principles can empower new cybersecurity attitudes and approaches to fighting our newest wars in the digital realm. And make...

Why DIB Companies Need a Managed Security Services Provider

Why DIB Companies Need a Managed Security Services Provider

As DIB companies navigate increased regulations and cybersecurity threats, they should turn to managed security service providers (MSSPs) as trusted advisors.  What is an MSSP? Similar to a managed service provider (MSP), an MSSP acts as a trusted advisor to your...

Share This