Chances are your company finds it challenging to navigate the path to better cybersecurity, including implementing the controls of NIST 800-171 and achieving compliance with CMMC 2.0. What can you do and how do you move forward?
We recently sat down with Dr. Ron Ross, a computer scientist and fellow at NIST for more than 25 years, at CMMC CON 2023. He leads the Joint Task Force Transformation Initiative, an inter-agency working group that develops the unified information security framework for the federal government and its contractors. Ron shared his insight to help you advance your cybersecurity initiatives.
Why cybersecurity compliance is critical
Whether you’re one of the top five aerospace and defense contractors in the world or a 15-person machine shop in Iowa, every company with DFARS Clause 252.204-7012 in its contracts must, at a minimum, adhere to the same 110 requirements of NIST 800-171 to do business with the DoD.
“The first thing we have to do is acknowledge that this is without a doubt one of the most difficult and challenging problems that the country faces today—not just because of CMMC and NIST 800-171,” Ron states. “With companies today who are doing business using modern technology, the most expensive investment they make is in research and development for the innovative products that they’re producing. It is heartbreaking to see the intensity and the level of attacks that are occurring and the direct connection to our national and economic security.”
There’s a tremendous investment by the defense industrial base in producing technology. When adversaries steal that technology, they don’t have to invest in all of that R&D, and it’s not just the military aspect; it’s any kind of innovation where companies are competing worldwide. “Our military strength is directly tied to our economic strength,” Ron continues. “If you don’t have a robust economy, you can’t protect your intellectual property, and your companies are not thriving, then the military is going to suffer. It is all connected.”
“We are all one team, whether we’re on the federal government side, which I am a part of, in the private sector, including the defense industrial base, or in academia where we’re building the next generation of scientists and engineers and entrepreneurs,” he says. “This is where we need to find solutions that work.”
How to get started
Get into the right frame of reference.
“No matter what your business model is or what kind of business you’re involved in, you are a hundred percent dependent on technology being reliable,” Ron shares. “Even if we didn’t have the CMMC program or NIST standards and guidelines, there would be a need to protect your critical information from these ongoing cyber attacks. Understanding what can be done to you and preparing your company to survive in the 21st century is job number one from the board of directors all the way down.”
Take stock of where you are.
“You may be starting from ground zero literally with nothing in place. On the other hand, you may be one of the big defense contractors that have very mature programs,” he says. “You have to figure out where you are on that continuum because that’s going to determine your next step or even your first step. No matter what your problem is, and this is a challenging one, it’s going to cost money, resources, time, people skills, and expertise to figure out how to attack what you have to do.”
Figure out your protection needs for the company.
Sometimes these needs are tied to compliance with certain laws, regulations, policies, or industry standards. Identify the starting points: which standards and guidelines you have to implement in order to be compliant with whatever your industry sector demands.
Divide and conquer.
Don’t try to attack the whole problem at one time. Identify the most critical safeguards or countermeasures that you can put in place immediately, whether that’s two-factor authentication, encrypting data, or developing a good incident response plan.
Even if you have all 110 controls of NIST 800-171 to address, certain ones are known to provide high value and a high level of protection. You can break those requirements into three categories: critical, not so critical, and everything in the middle. Then make a plan with milestones to build that program and start moving. Every organization, whether its resources are plentiful or scarce, can develop that kind of plan.
Take an honest look back.
Once you reach a milestone, assess where you are. Ask yourself whether your plan still works and is still relevant. This is not easy, but it needs to be thorough and done with eyes wide open, with all the stakeholders from the C-suite down to the people who actually do the work.
“The people who are the CISOs and cybersecurity professionals, whether they’re writing policies, doing firewalls, or zero trust architectures, these folks work really hard,” Ron concludes. “They don’t often get pats on the back and they’re the first ones to get blamed, but they do the heavy lifting. I am extremely appreciative of what they do, and I’m never going to forget their contribution.”
The big challenges of improving cybersecurity and achieving NIST 800-171 compliance can be tackled one bite at a time. Begin with an assessment, make a plan, measure yourself against that plan, and use the outcome to justify more resources. It may take several budget cycles and several years, but this process can get a lot of companies across the finish line.
No matter where you are on your cybersecurity journey, the experts at CyberSheath can help. Contact us to start the conversation.