Critical Infrastructure (CI) Cybersecurity:
Is CMMC the Answer?

I was recently asked about critical infrastructure (CI) cybersecurity challenges and if Cybersecurity Maturity Model Certification (CMMC) could be the answer. Within the defense community, the CMMC framework is sending a clear message to Defense Industrial Base (DIB) companies: If you want to do business with the U.S. Department of Defense (DoD), you must prove that you can meet a series of cybersecurity standards that are deemed essential. Assessed against five maturity levels, the more best practices you meet, the more opportunities you can potentially bid on. However, if you can’t satisfy the most fundamental of these requirements, you’re out of the game.

Suffice it to say, there is much at stake. The DIB’s 100,000-plus systems integrators, tech service providers, and other suppliers represent $394 billion in annual awards.¹ The sector, however, appears ripe for major compromises, as the number of newly reported common IT vulnerabilities for the DIB rose to 17,305 in 2020 from 14,645 in 2017.¹ At least 37 DIB businesses, in addition to federal government agencies, were impacted by the 2020 SolarWinds breach.²

In response to increasing cyber threat issues, the DoD has unveiled CMMC with the goal of safeguarding controlled unclassified information (CUI) — protected information or data created or possessed by the government or another entity on the government’s behalf — throughout its supply chain. Examples of CUI include technical data, personally identifiable information, and information marked For Official Use Only. 

Defense leaders are implementing the framework through a phased rollout approach from fiscal years 2021 through 2025. Under CMMC, contractors must undergo assessments to prove that they can sufficiently perform cybersecurity capabilities. These practices and processes fall within 17 domain categories, adapted from the National Institute of Standards and Technology (NIST) Special Publication 800-171 and other sources. These domains include situational awareness, access control, risk management, incident response, recovery, and system and information integrity. DIB businesses are seeking to earn certifications across different maturity levels, starting at basic cyber hygiene and taking on more comprehensive and challenging requirements from there. As part of CMMC’s flow-down requirements, subcontractors are also subject to the assessment and certification process.

It remains to be seen how significantly CMMC, and its set of requirements, improve the critical infrastructure industry’s cybersecurity posture. But if it proves successful during its initial rollout, then why wouldn’t the government, through its various agencies, leverage CMMC as a model for CI sectors as a whole, not just DoD suppliers?

After all, there were nearly 400 reported CI ransomware attacks in 2020, up from 207 in 2019.³ Among CI security professionals, 55% indicate that cybercriminals have increasingly targeted their organizations since the pandemic began.⁴ Within the global utilities sector, two-thirds of organizations say that sophisticated attacks are a top challenge, but just 31%, perhaps optimistically, rate their readiness to respond and contain a breach as high.

Today, there is no standard security certification framework for assessing CI. As a result, there is an uneven patchwork of compliance guidelines that a given organization may be measured against. For example, within the energy sector, NERC CIP, is applicable to all bulk power system owners and operators, while other CI sectors are not held to any defined standards. Establishing a common set of tiered requirements for all critical infrastructure would greatly reduce complexity and ensure that larger swaths of infrastructure have appropriate security controls in place. Could CMMC be that standard?

Facing the impending CMMC rollout, many small businesses have complained that the associated security requirements are too onerous based on budget and size. Certainly, federal acquisition offices must develop a model to help smaller businesses that would otherwise struggle to comply (e.g., setting aside funding to help qualifying companies meet the standards).

But once these challenges are addressed, an across-the-board designation of CMMC as a requirement for all CI sectors could lead to two immediate and substantial benefits:

• A ready-made set of standards. CMMC isn’t an idea that’s still in the drawing board stages. It’s rolling out — now. There is no reason to start from scratch in developing new requirements for a CI-wide standard. Its requirements are readily transferable to CI sectors outside of the DIB, so regulators and procurement agencies should take full advantage of the work that has already been accomplished.

• A single source of compliance. Instead of forcing companies to jump through multiple cybersecurity compliance hoops to do business, they’d only have to focus on CMMC. If there are flaws within the framework, government and private industry leaders can fix a single standard as opposed to bringing on a new set of requirements to manage.

Ultimately, demonstrably elevating the critical infrastructure cybersecurity posture as a whole would emerge as the third — and most meaningful — benefit. If regulation is deemed too heavy-handed, it could begin by requiring it for all federal contractors, whether they handle CUI or potentially impact the availability of key services that the federal government relies on. While this would not immediately cover all CI members, it certainly would put a dent in the problem. CI members and their suppliers would have to improve the way they protect systems, respond to incidents, and manage risk. If not, they would lose business or a competitive advantage. By successfully complying with a refined CMMC, and handling the necessary blocking and tackling, they would be able to stay in the game while keeping critical infrastructure safely protected.

Have questions about CMMC? Learn more from our CMMC Resources. 

Sources:

1. NDIA Vital Signs 2021, NDIA, 2021. 
2. SolarWinds hack was ‘largest and most sophisticated attack’ ever: Microsoft president, Reuters, Feb 2021. 
3. Critical Infrastructure Ransomware Attacks, Temple, Jun 2021.
4. White Paper: The Critical Convergence of IT & OT Security in a Global Crisis, Claroty, 2021.