You Company’s Culture Must Adapt to CMMC

Roughly 300,000 companies with U.S. Department of Defense contracts will soon have new cybersecurity requirements under the cybersecurity maturity model certification (CMMC) program. The cybersecurity maturity model certification is something that almost every company doing business with the DoD must earn. This requirement will begin appearing in contracts towards the end of 2020. Companies without certification will not be able to work on DoD contracts. The requirement will be rolled out in phases over the next several years until all ~300,000 contractors are certified.

Under the cybersecurity maturity model certification (CMMC) the effectiveness of your cybersecurity controls will be influenced by their maturity. Maturity means that your security controls need to be institutionalized. Depending on the CMMC level that applies to your company the degree to which they are institutionalized is subject to change. If you have a level one CMMC requirement then you only need to implement the controls/practices. No documentation or established processes to support the controls are required. However, if you have a level three CMMC requirement then you have to implement the controls/practices, document them, and create a plan for implementing/maintaining them. This is because the CMMC program acknowledges that security controls/practices are only as effective as they are consistently implemented and the processes supporting them are repeatable. This is where company culture comes into play.

Here is a great excerpt from Navy Seal Brent Gleeson's article titled “Why Creating a Culture of Discipline is the Path to Greatness”: “With disciplined people acting in a disciplined manner, chances of mission success skyrocket. Less oversight is required freeing leaders and managers to focus on activities that push the change train forward. Given the proper resources and training, people can innovate within a given framework.”

The take away from the quote is discipline. CMMC isn’t only the job of consultants and your internal IT staff. Every employee from the top down will be involved. Executive management will need to support security initiatives to give IT staff legitimacy in the eyes of end-users. IT staff will need to consistently implement security controls throughout the organization and adhere to their own policies and procedures. End users will need to follow instructions from IT and management and refrain from attempting to bypass security controls. Employees need to understand that adhering to security policies and procedures is mission-critical. It is no longer an option. Your company’s DoD contract may depend on it. This all requires discipline.

An informal company culture where anything goes and the needs of end-users are put before your security requirements will spell trouble. Try explaining to a CMMC assessor why you had Spotify on your application whitelist with a cited business need of boosting employee morale. Try explaining why employees are bypassing your security controls by using personal email and cloud storage for work tasks. Companies with DoD contracts need to demand discipline from both IT staff and end-users. This doesn't mean that employees can't come to work in their sweat pants. I am talking about discipline with regards to adhering to company policy.

Inform:

The first step is to inform all employees that adhering to cybersecurity policies and procedures is mission-critical. Be blunt and let them know that your company’s future depends on it.

Train:

Train IT staff and employees on your new policies and procedures. This will help reduce security incidents.

Compromise:

Finally, do not overdo your security controls. For example, CMMC doesn’t specify your password requirements. Instead of opting for a 15 character password requirement opt for something less difficult such as 8 characters. Instead of requiring employees to reset their passwords every 60 days, instead, require a change every 120 days. This way you still meet your requirements but don’t overburden end-users. Make sure employees have an avenue for requesting exemptions to security controls. For example, you may have banned the use of removable storage devices (e.g, USB thumb drives) but an employee may have a legitimate business need to use one. Make sure you have a mechanism to document the need and make the exception. I like to have users complete online forms where I can validate their business needs and have a paper trail.

Sanction:

It is inevitable that someone in your company will violate security policies and procedures. Employees need to know that these violations will be sanctioned. The actions you reserve to take should be clearly stated in your acceptable use policy and employee handbook. You should also enforce these sanctions.

Conclusion:

Cybersecurity has always been mission-critical, with CMMC this is being enforced. Companies with CMMC requirements will need to establish a culture of discipline where cybersecurity is prioritized over small comforts. If that isn’t achieved then the probability of having a more mature cybersecurity program is diminished.