In the not-too-distant future, I can clearly see how ISO 27001, SOC 2 and other [redacted] certifications could become a diminished, legacy activity, viewed as a rarity left over from marketing efforts to distinguish an organization’s security posture from its competition. Absurd? Unrealistic? Actually, it is a very pragmatic understanding of what is coming with the Cybersecurity Maturity Model Certification (CMMC) that the US Department of Defense (DoD) is rolling out just a few short weeks from now (January 2020).
Compliance with CMMC
The initial scope for compliance with CMMC is a conservatively estimated 200,000 businesses that make up the U.S. Defense Industrial Base (DIB). This company-level certification requirement impacts every business from the titans of the defense industry (e.g. Boeing, Raytheon, etc.) all the way down the supply chain to small IT providers, janitorial service companies and bookkeepers, since even these small subcontractors may have access to sensitive data and therefore have the potential to negatively influence the security of the weapons systems and support services that the U.S. military relies upon. Essentially, CMMC is the method the DoD will use to perform independent, third-party audits of companies that fall within scope for NIST 800-171 compliance. If you are not familiar with CMMC, you are not alone. However, it is something that you should take time to educate yourself on, since it is on its way to becoming the “gold standard” of cybersecurity certifications for businesses regardless of industry. While NIST 800-171 exists to protect Controlled Unclassified Information (CUI) from a U.S. government perspective, it is ideally suited to protect any type of “sensitive” data, from personal data to trade secrets. The DoD is taking a data-centric approach to security where the focus is on CUI as it is stored, transmitted and processed throughout the entire lifecycle of the system, application or service in question. This goes beyond the process-oriented assessments of ISO 27001 or SOC 2, which evaluate whether risk management controls exist; CMMC instead evaluates maturity-based criteria for the people, process and technology controls associated with the lifecycle of sensitive data across the organization’s assets, its supporting technology infrastructure (internal & external scope) and its supply chain.
While CMMC certification will immediately impact 200,000+ businesses supporting the DoD, it is reported that the federal government is closely monitoring the DoD’s rollout of CMMC as a possible model for broader implementation across all federal contractors. Currently, outside of the DoD, the General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) require contractors that store, transmit or process CUI from those agencies to implement NIST 800-171 security measures and report instances of non-compliance. Also worth noting, NIST 800-171 is already filtering down to state governments. Specifically, New York State Education Law §2-d now requires school districts to adopt NIST 800-171 as the standard to address the confidentiality and privacy of confidential information. From readily available briefing materials, NY prefers NIST 800-171 for the following qualities it offers:
- Credibility - Many security practices are derived from NIST standards;
- Durability - U.S. Department of Commerce (e.g., NIST) keeps the standard current;
- Enforceability - Audit resources are commonly available for NIST standards;
- Understandability - NIST frameworks are widely adopted and commonly referenced; and
- Supportability - Knowledge transfer is supported by federal and private sector resources.
Unlike ISO 27001 or SOC 2 certification, CMMC is a mandatory requirement for both prime contractors and subcontractors to the DoD. Starting in 2020, companies that lack a current CMMC certification will be unable to bid on or participate in a DoD contract. This makes CMMC a “must have” business requirement versus a “nice to have” certification for marketing purposes. In addition to the loss of potential business, non-compliance with NIST 800-171 and CMMC can lead to serious legal consequences for both individuals and the company through False Claims Act (FCA) violations. The first FCA-based lawsuit for NIST 800-171 related violations involves a defense contractor that was turned in by its own former director of cybersecurity for allegedly certifying falsely to the government that the organization was compliant with NIST 800-171. This is a fundamental shift in the business need for, and the potential ramifications of, cybersecurity certification.

You might still be wondering how NIST 800-171 and CMMC would negatively impact other certifications, since CMMC is focused on “government contractors.” Today, ISO 27001 and SOC 2 certifications are an industry-accepted way to demonstrate to partners and clients that an organization has met a certain level of perceived security, and they are often used more for marketing purposes. Companies spend significant amounts of time and money on consultants and staff to earn these certifications, even when they are not mandated by a law or regulation. As NIST 800-171 compliance trickles down through the supply chain, CMMC certification will become the new industry norm, where companies get CMMC certified either to meet mandatory requirements in a contract or to market that industry-recognized standards are being adhered to. In summary, the most important factors that will change the perceived value associated with ISO 27001 and SOC 2 certifications in the near-to-mid term are:
- CMMC will have a “trickledown effect” and directly or indirectly impact businesses that never previously considered themselves to be DoD or government contractors;
- The acceptance of CMMC certification will span across industries and geographies, evolving to be viewed as a government-recognized badge of cybersecurity competence;
- Budgets are finite, and resources used to prepare for and certify against CMMC will be taken from the same budgets associated with ISO 27001 and SOC 2; and
- CMMC is a mandatory requirement where a company either has to comply or not compete.
In the end, the demise of these soon-to-be legacy certifications will really come down to a fiduciary decision – for most organizations, it will be considered a waste of resources to maintain an additional control structure and obtain costly certifications that serve no purpose other than marketing. It won’t take long for ISO 27001 and SOC 2 certifications to be viewed as redundant and not worth the additional cost and effort. Smaller, leaner companies will focus on CMMC certification, since that will become the “gold standard” for demonstrating security practices to prospective clients and partners. This will leave ISO 27001, SOC 2 and other [redacted] certifications for niche marketing reasons or to address legacy contract requirements.
About the Author: Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.