The Defense Department recently pumped the brakes on the rollout of its much-discussed CMMC cybersecurity standard—and made significant changes that should greatly simplify compliance for private companies. But that raises plenty of questions about exactly where contractors go from here. We talked with Pratum’s Jeff Hudgens, a CMMC Registered Practitioner, for guidelines on what manufacturers, software developers and other contractors need to know about CMMC 2.0.
You should be constantly honing your cybersecurity policies as a matter of smart risk management. Doing that will help you be ready for CMMC when it comes into play.Jeff Hudgens Pratum CMMC Registered Practitioner
In 2019, the DoD began a lengthy process for beefing up security for every company in its supply chain via the Cybersecurity Maturity Model Certification (CMMC) standard. In all, about 300,000 companies face new cybersecurity compliance rules if they want to keep winning contracts from the Pentagon and its prime contractors. But, as you might expect from a massive new government program, confusion and controversy have dogged CMMC’s rollout.
In the latest move, CMMC 2.0 arrived in November with numerous adjustments handed down by the CMMC Accreditation Body (CMMC-AB).
No one really knows at this point, but no deadlines are looming. The DoD originally said some level of CMMC requirement would appear in all of its contracts by 2025. But with the release of CMMC 2.0, all of that is up in the air again. The DoD is diving into an open-ended “rulemaking process” and has dropped plans to include CMMC requirements in upcoming contracts. One thing we’re hearing is that the DoD may offer incentives to companies that voluntarily adopt CMMC guidelines, which sounds like an effort to motivate some early adopters.
The private sector pushed back heavily on the regulatory burden imposed by CMMC’s complexity. The new release makes the whole program simpler and, frankly, leaves a lot of lingering questions about how much will ever be required for DoD contractors. The DoD is making flexible implementation a key factor in the CMMC revisions.
Yes, they’ve been simplified. CMMC 1.0 included five levels that a vendor could be required to meet under any given DoD contract. CMMC 2.0 cuts the original five levels down to just three. This chart from the official federal CMMC site shows how the new levels compare to the old ones:
That’s one of the biggest changes in the new release. Under CMMC 1.0, every level required assessment by an approved third-party. But CMMC 2.0 dramatically reduces the requirements for third-party assessments. Companies pursuing contracts with a Level 1 requirement can now submit a self-assessment. At Level 2, some contracts will require third-party assessment. These moves are clearly designed to address industry complaints about increasing compliance regulations. At Level 3, the DoD intends for government assessors to review the security standards of contractors handling the most sensitive information.
You can still plan on some oversight, even when self-assessment is allowed. Companies that knowingly falsify their reporting may, for example, face false claims lawsuits from the Department of Justice.
Yes. In another concession meant to ease the compliance burden on companies, CMMC 2.0 lets companies achieve certification while still pursuing a Plan of Action and Milestones (POA&Ms) to fix any shortcomings. This eliminates the pass/fail nature of CMMC 1.0. In some circumstances, the DoD says it will even let companies apply for CMMC waivers.
CMMC 1.0 included a significant number of CMMC-specific requirements. Those are gone in version 2.0. Level 2 now mirrors the widely used NIST SP 800-171, and Level 3 will be based on a subset of NIST SP 800-172. The bottom line is that companies following industry standards should be able to achieve CMMC compliance without adopting other proprietary controls.
These changes take most of the urgency out of CMMC compliance since we have no idea when it will appear in DoD contracts. But CMMC’s requirements generally follow what the industry considers basic cybersecurity best practices. So you should be constantly honing your cybersecurity policies as a matter of smart risk management. Doing that will help you be ready for CMMC when it comes into play. And if you’re unwilling to take the supply chain security steps required to meet even CMMC Level 1, you’ll probably find that many large, private companies won’t feel safe doing business with you anyway.
Pratum’s compliance experts can help you understand the compliance requirements for your specific situation.
You also can get advice from governmental bodies tasked with helping manufacturers and other companies navigate the government procurement process. Each state has a Manufacturing Extension Partnership Center that can help you with CMMC. You can look up yours at nist.gov/mep/centers. You can also work with one of about 300 Procurement Technical Assistance Centers nationwide. You can find a nearby PTAC at aptac-us.org.
Ransomware has dominated the year’s headlines, but Americans suffer far more damage from business email compromise than any other attack, according to the FBI. The feds reported earlier this year that business email compromise cost more than $1.8 billion in 2020. Throw in business email compromise’s cousin of phishing, and you can tally another $54 million in damages. The boom in business email compromise (BEC) attacks means you should make it a top priority to train your team to spot this scam.
BEC attacks use sophisticated techniques that can trick all but the most attentive email users. Attackers typically impersonate a legitimate contact asking for a transfer of funds. But when victims send the money, it lands in a bank account controlled by the bad guys. The hackers quickly convert the money to crypto currency or shift it into other untraceable channels. It may be days before you even know you sent the money to an imposter.
Hackers typically send an email that seems to be coming from either a co-worker or a legitimate vendor. And, in fact, the bogus message may be coming from a legitimate account that hackers have overtaken. The hacker may even be talking about a legitimate payment you’re expecting to make. The only difference is the account they have you send it to.
The examples below show how BEC attacks work and red flags you can watch for to ensure you don’t fall prey to this ruse.
1. Spoofed address – Look carefully at the actual domain name, not just the sender’s display name. This spoofed domain has an extra character in the company name.
2. Malicious link – This link actually leads to a credential harvesting site. Hover your mouse pointer over the link before clicking it to confirm that it's going to the expected address.
3. Real data used to fool you – Because hackers may be monitoring your email, they may jump into a legitimate thread. In this case, the first message in the sequence came from a real vendor talking about a real invoice. The hackers have inserted themselves and took over the discussion, cutting the real vendor out of the thread.
4. Timing – This is a fake email from the scammer, who sent the request late in the week, hoping to catch an employee rushing to complete tasks before leaving.
5. Suspicious attachments – If you’re not expecting an attachment, don’t open it. Call the sender to confirm it’s a legitimate file.
6. Sudden change in normal procedure and/or urgency – Be extremely wary of changes in deadlines, bank accounts, etc. Call your contact to confirm what’s happening.
7. Unusual name usage – Hackers posing as legitimate contacts often fumble the details of names, so pay attention to any discrepancies, such as someone who normally goes by “Michael” signing a message as “Mike.”
For help with training your team to spot BEC or creating a simulated phishing test for your organization, contact Pratum today.
If you could put a CISO on your team for one week, where would they set your cybersecurity priorities? Pratum’s Jeff Hudgens gave his answer on a recent cybersecurity panel hosted by Iowa’s Secretary of State. Jeff, an experienced cybersecurity pro now serving clients as a Pratum vCISO, framed the advice he gives clients into two categories:
If Jeff were starting his own company today, he’d start setting cybersecurity priorities with these four fundamental steps:
Too often, Jeff sees organizations fumble the follow-through on their public statements about cybersecurity. Social engineering training provides a common example. “Leadership sets the tone,” Jeff says. “The C-suite can’t be exempt from testing or skip the training.”
Leaders also must commit to taking security frameworks seriously, which means choosing the framework that actually fits your business. “Controls are there because they’re right for your business, not just because they’re something you do to simply check a box. Make sure the controls you select are reasonable for what you do.”
“Most people focus conversations around data, which is a key piece. But think about the systems the data is on.” Jeff frequently hears clients talking about protecting their data, but they balk at spending money to update the 8-year-old servers the data sits on. “You’re kind of stuck on what you can do with that,” Jeff says, “and you’ll introduce vulnerabilities around that.”
Staff time represents another asset to manage carefully. Jeff points to the example of a CIO who is personally making changes in Active Directory, which means the CIO ISN’T thinking about strategic direction. It makes business sense to invest in some entry-level help to free up leaders to lead the organization.
“You have a limited budget for IT and security,” Jeff says. “If you’re not doing risk assessments and keeping a risk register, then you’re not using facts to drive your program and where you put your effort.” Make sure your program for identifying and ranking risks is driving your decisions.
Set manageable goals. “I see a lot of organizations try to pack five years worth of work into a year and a half, and that just stresses the team,” Jeff says. He recommends turning a large portfolio of risks into ranked priorities that you can tackle and cross off the list. “Let’s just move the ball down the field rather than trying to score a touchdown.”
With the right first steps, you can turn to five areas that Jeff recommends as a focus for your limited resources.
Start with a comprehensive information security risk assessment, which forms the cornerstone for your entire security program. During a risk assessment, an experienced consultant takes a deep dive into every corner of your information security approach, including written policies, software updates, employee habits and more.
Along with that risk assessment (which many companies conduct annually in order to keep up with changes in the organization), be sure to include ongoing vulnerability scanning and recurring pen tests in your plan. “Many people don’t put vuln scans and pen tests in the budget,” Jeff says. “But they provide some of the best returns on investment.” Vuln scanning provides automated recon that spots known vulnerabilities in your system. In a pen test, an ethical hacker acts like a threat actor and tests your defenses. Whether the test goes after your internal or external infrastructure, Jeff says you’ll get the most actionable information possible about your security posture.
He also recommends creating key metrics for measuring performance and potential risks over time, providing important benchmarks of your progress. (That kind of data is critical to securing ongoing budget for these tests.)
Many organizations lack written information security policies. And many policies are written in ways that are unenforceable. Jeff advises dedicating real thought to these key documents. “Think carefully about your policies. Make sure you cover what you want to cover. Make sure they’re actionable, but keep them reasonable and don’t let them get draconian.”
Jeff puts an especially heavy emphasis on developing a thorough incident response plan. “If I were focusing on one key piece, it would be an incident response plan.” A recent IBM study showed that companies that keep a written incident response plan and test it regularly reduced the cost of a data breach by an average of 55%.
Improving every employee’s security awareness clearly pays off, considering that about 80% of all data breaches involve some kind of social engineering. Training and simulated phishing campaigns work—if they’re well-planned, well-executed and given time to work. Jeff emphasizes that organizational leaders should stop thinking of end users as the weak link in security programs and start enlisting them as frontline defenders.
“If you can’t see it happening in your system, you can’t fix it,” Jeff says. That’s why he considers a monitoring solution such as SIEM essential—and a next-gen protection platform such as managed XDR even better. IBM’s study showed that organizations that had security AI and automation in place spend 80% less handling a breach.
Supply chain attacks have been growing exponentially for months. In attacks like the famous Kaseya breach of 2021, hackers slip malware into a supplier’s system, then let it quickly cascade out to all of their partners. And Jeff notes that small businesses shouldn’t count on their obscurity to protect them. Hackers often use small companies as their entry point into the larger companies that they serve through the supply chain.
To learn how Jeff or another Pratum vCISO can help set up your specific cybersecurity strategy, visit our vCISO service page.