Robert Metzger is considered by many to be the father of the Cybersecurity Maturity Model Certification (CMMC), a standard implemented by the Department of Defense to ensure that the defense industrial base protects its information systems and supply chains.
Metzger has that distinction largely because he co-authored “Deliver Uncompromised,” a report for MITRE, a non-profit research firm, that explains many of the principles behind CMMC.
He is currently Co-Chair of the Cybersecurity Practice at the law firm Rogers Joseph O’Donnell and continues to serve as a consultant to MITRE.
As a keynote speaker at Washington Technology’s CMMC Summit on November 9, Metzger set the mood for the event with a sense of urgency about the cyber threats facing organizations subject to CMMC. CMMC’s final rule is due in March, but action shouldn’t wait.
Below is an edited transcript of the conversation between Metzger and GovExec360 President Troy Schneider. Washington Technology is owned by GovExec Media.
SCHNEIDER: One of the key takeaways from “Deliver Uncompromised” is that self-attestation alone is not enough for contractor cybersecurity, and CMMC took a lot of inspiration from that. Is there anything you wish you had put in a different frame?
Metzger: The “Deliver Uncompromised” report started from a threat perspective, and it didn’t look good. We were looking at asymmetric campaigns or mixed operations by national adversaries that combined cyber IT and cyber OT (operational technology) attacks, as well as various supply chain attacks.
We thought we needed something to establish what we call a Security Integrity Score.
Nor did I think about ransomware. Ransomware is a pervasive threat and more urgent for businesses.
SCHNEIDER: Regardless of what the final CMMC rules are, are there building blocks that companies can put in place today?
Metzger: We start with NIST standard 800-171, but we need to take a risk-based approach to the 171 controls. (There are 110 security controls described in 800-171.) Organizations should assess risk and identify their most important customers and those for whom continuity of service or protection of information is most impactful. (Standard 800-171 is a framework of controls from the National Institute of Standards and Technology for protecting sensitive information in a federal contractor’s IT systems and networks.)
What are the most cost-effective and security-enhancing controls today?
You’ll need it eventually, but it’s not about completing everything instantly. It’s about doing the right thing quickly.
But 171 is just the baseline, so we need to look beyond 171. It was introduced in 2015, and we now see forms of attack that were unimaginable at the time.
SCHNEIDER: You mentioned ransomware, but NIST standard 800-171 doesn’t fully anticipate that threat. Are you saying you need an extension to the CMMC standard?
Metzger: 171 is not the only frame of reference, but it is the one we have to apply. I was interested in what the insurance companies were doing. This is because insurers have made it very difficult to obtain cyber insurance coverage and pay out claims.
There are murmurs among major insurers that they expect 10 to 12 major items to be implemented.
In the world of commerce, people are drawn to a certain set of requirements and understand that they are carried out in order to become a trusted partner, to obtain financing, to participate in (M&A) transactions, or, I hope, to acquire cyber insurance.
SCHNEIDER: Small businesses that are part of the defense industrial base complain that CMMC is too difficult, too expensive, and too complex. How do you balance creating no barriers to entry and providing the security you need?
Metzger: That’s a very difficult question. Adversaries know to launch attacks against poorly defended businesses for so-called low-hanging fruit.
The problem is that for small businesses, 171 can be difficult, intimidating, frustrating, confusing, and costly.
But you can’t decide that security isn’t important to your small business. We cannot give them a waiver. But we must promote means by which small businesses can achieve security economically. This moves away from on-premises countermeasures to an external service provider.
But a small business should be able to look at a managed service provider, a managed security service provider, or any other external resource and say, “If I do my part and they do theirs, which of the CMMC requirements are met? I’m going to complete that division of responsibility.” We need that.
SCHNEIDER: The final rule is expected in March. What date would you choose if you had a requirement in your contract?
Metzger: It doesn’t really matter. A wise move is to protect yourself now. Not because we have to comply, but because we want to keep the company in business.
Don’t think it matters when you receive a request for information (RFI) or a request for proposal (RFP) that requires your assessment. Get ahead of the curve for your employees, lenders, clients, customers and investors.
And your regulator too.