CMMC is Good, But May Not Be Enough

Nov 19, 2020 | Insights

In the defense industrial base (DIB), organizations must comply with DFARS, which will soon incorporate CMMC requirements. For example, NIST 800-171 3.2.2 states that organizations “include training procedures for employees to understand their role and responsibilities in protecting CUI and how to use the system in a secure manner.”

To meet these requirements, security personnel can take one of two approaches: risk-based or compliance-based.

What’s the difference? Compliance-based thinking focuses on compiling a list of known gaps so teams can determine the simplest path to regulatory adherence. With this mindset, organizations could approach the NIST 800-171 requirement in a variety of ways.

For example, they could implement mandatory training so all staff know how to minimize cyber risks and vulnerabilities, but they are more likely to roll out cookie-cutter security measures, since doing so accelerates compliance.

The bottom line: compliance standards trail the broad spectrum of cybersecurity risks, and companies that only chase the standard stay behind the power curve.

That’s why I’m glad Conquest Cyber embeds a risk-based approach at the core of its cybersecurity philosophy. Based on my 20 years of experience in national security, I know it’s not enough to ask, “What requirement are we trying to meet?” Instead, we have to consider, “What risks need to be addressed?” 

This paradigm shift can help DIB organizations see their challenges in a new light. For example, many companies view the shortage of cybersecurity talent as a recruiting issue, but the risk-based perspective turns that on its head.

Instead of viewing this as a minor hiring problem, leaders with a risk-based mindset recognize that these personnel gaps expose the organization to vulnerabilities. If unqualified personnel are managing highly confidential data, what risks are they letting in, even while the organization technically meets industry requirements?

While the way that Conquest Cyber views solving cybersecurity problems may seem unconventional, we hold firmly to the belief that if you can predict the adversary, you can win. That’s why we’ve developed a single, comprehensive software platform, ARMED™, that helps identify risk and address it with full visibility. It does this in a few ways:

  1. It eliminates the noise of poorly integrated solutions.
  2. A single platform simplifies the security stack, so the basics are more achievable.
  3. Automation minimizes manual processes, reducing the impact of the resource gap by enabling a smaller staff to effectively protect sensitive data.