CMMC is Good, But May Not Be Enough

In the defense industrial base (DIB), organizations must adhere to DFARS compliance, which will soon include CMMC compliance requirements. For example, NIST 800-171 3.2.2 states that organizations “include training procedures for employees to understand their role and responsibilities in protecting CUI and how to use the system in a secure manner.”

To meet these requirements, security personnel can take two approaches:

Risk-based or compliance-based.

What’s the difference? Well, compliance-based thinking focuses on compiling a list of known gaps, so teams can determine the simplest path to regulatory adherence. With this mindset, organizations could choose to approach the NIST 800-171 requirement in a variety of ways.

For example, they could implement mandatory training, so all staff know how to minimize cyber risks and vulnerabilities, but they’re more likely to roll out cookie-cutter security measures since it will accelerate compliance.

The bottom line – compliance standards trail the broad spectrum cybersecurity risks and put companies behind the power curve.

That’s why I’m glad Conquest Cyber embeds a risk-based approach at the core of its cybersecurity philosophy. Based on my 20 years of experience in national security, I know it’s not enough to ask, “What requirement are we trying to meet?” Instead, we have to consider, “What risks need to be addressed?” 

This paradigm shift can help DIB organizations see their challenges in a new light. For example, many companies view the shortage of cybersecurity talent as a recruiting issue, but the risk-based perspective turns that on its head.

Instead of viewing this as a minor hiring problem, leaders with a risk-based mindset recognize that these personnel gaps are exposing the organization to vulnerabilities. If unqualified personnel are managing highly-confidential data, what sort of risks are they letting in, even while technically meeting industry requirements?

While the way that Conquest Cyber views solving cybersecurity problems may seem unconventional, we hold firmly to the belief that if you can predict the adversary, you can win. That’s why we’ve developed a single, comprehensive software, ARMED™, that helps identify risk and address it with full visibility. It does this in a couple ways:

1. It eliminates the noise of poorly integrated solutions
2. A single software simplifies the security stack, so the basics are more achievable
3. Automation minimizes manual processes to address the impact of the resources gap by enabling smaller staff to effectively protect sensitive data.