When it comes to supply chain security, fixating on Cybersecurity Maturity Model Certification (CMMC) compliance is kind of like going on a fad diet. Just as achieving overall nutritional health requires more than subsisting on, say, cabbage soup or grapefruit juice for a week, CMMC compliance is only one step toward good cybersecurity hygiene. Achieving CMMC compliance may help you mitigate software supply chain security risks in the short term, but you’ll need to do more than pass a CMMC audit to ensure ongoing, reliable supply chain security.
CMMC compliance is important, to be sure, which is why we’ve prepared a comprehensive guide to CMMC compliance controls and requirements. But as this blog explains, your cybersecurity strategy should extend beyond CMMC compliance alone, even in the age of CMMC 2.0.
CMMC 2.0 compliance: The basics
There has been a lot of buzz about CMMC compliance over the past year. The hype reflects, first, the recent release of the updated CMMC 2.0 compliance guidelines, with which businesses need to comply if they want to sell to the U.S. Department of Defense. CMMC 2.0 has been called a “leaner and more flexible version” of CMMC, making it easier to achieve compliance – provided vendors take the time to master the many new changes that CMMC 2.0 brings.
At the same time, software supply chain attacks like the SolarWinds hack, which impacted a number of government agencies, have helped shine a spotlight on CMMC as a way for organizations to mitigate risks that lie within their supply chains.
The fact that it could take up to two years for CMMC 2.0 requirements to come into effect means that businesses have some time before they actually need to implement changes. Still, given how complex CMMC is, now’s a great time to start preparing for compliance, if you operate in an industry that CMMC affects.
What’s in the CMMC protocol?
For that purpose, our CMMC 2.0 compliance checklist, which spells out the steps to take to prepare for CMMC 2.0 compliance, is a great place to start.
As the CMMC checklist explains, adapting to CMMC 2.0 rules requires the following steps:
- Determine whether CMMC applies: The first step in meeting CMMC 2.0 requirements is figuring out whether you even need to meet them. As our checklist explains, CMMC’s scope is evolving; in some cases, businesses are requiring their partners to be CMMC-compliant as a way of enforcing good cybersecurity hygiene, regardless of whether there is a government mandate for CMMC compliance. Thus, if you didn’t need to meet CMMC mandates before, you may now, even if you don’t do business with the DoD.
- Determine your CMMC compliance level: There are now three CMMC compliance levels – Foundational, Advanced and Expert. The level you need to meet depends on what type of business you do and how many risks exist within your own supply chain.
- Identify CMMC 2.0 compliance gaps: Once you know which compliance level you need to meet, you can determine what you’re currently not doing, but need to start doing, to meet its compliance requirements. You can use a tool like Findings to perform a compliance assessment in order to identify gaps.
- Remediate CMMC compliance gaps: After identifying your gaps, remediate them by addressing the security risks within your supply chain. Here again, Findings can help automate the process by providing remediation guidance.
- Conduct a CMMC audit: For CMMC level three compliance, you’ll need to conduct an audit and certification using a DoD-qualified auditor. For other compliance levels, you can use Findings to perform continuous self-assessments to ensure that you remain CMMC-compliant for the purposes of securing your supply chain, even if you aren’t required to demonstrate compliance to an external auditor.
A holistic supply chain security strategy
As noted above, CMMC compliance is one pillar of a modern cybersecurity strategy. But it’s only that: one pillar.
Indeed, a former CIA officer says that even the updated version of CMMC is likely not enough to address all cybersecurity risks.
Let us elaborate on that point: Because the CMMC rules were designed with supply chain security specifically in mind, achieving CMMC compliance is a great way to mitigate security risks within your supply chain. This is why, again, more and more businesses are requiring CMMC compliance even if they don’t do business with the U.S. military, and therefore don’t have an official mandate to be CMMC-compliant.
But as you’ll see if you check out our CMMC compliance checklist in detail, the CMMC rules don’t cover every facet of supply chain security management. To do that, you need a holistic combination of people, processes and technology to secure your supply chain. More specifically, you’ll require:
- Processes: Security processes are what the CMMC does cover. It spells out processes for implementing protections like access controls and physical security.
- People: Processes in frameworks like the CMMC are complex. To follow them, you need people with the requisite expertise. Keep in mind, however, that you can reduce the level of expertise necessary by leveraging tools – such as Findings – that help to automate complex compliance processes.
- Technology: You need technology in the form of tools that allow your people to implement processes like those detailed in the CMMC. The CMMC doesn’t tell you which tools to use; it just tells you what the tools should be able to achieve.
The CMMC rules don’t, for example, extend to creating a Vulnerability Disclosure Program.
Nor do they enforce the rapid security incident response that is necessary in today’s fast-moving world, where identifying supply chain risks is only half the battle. The other half is remediating the vulnerabilities quickly enough that your supply chain doesn’t kink up and place your business at risk.
To meet challenges like these, you need an automated, efficient means of identifying and managing supply chain risks across the entire risk lifecycle. CMMC compliance addresses only part of this challenge.
Findings can help businesses of all types build a supply chain security strategy that includes, but is not limited to, meeting CMMC 2.0 requirements. Use Findings to identify your compliance gaps and remediate them to meet CMMC 2.0 rules. At the same time, lean on Findings to ensure you can react rapidly and systematically when supply chain risks emerge.