Page 33 - Cyber Defense eMagazine February 2024

require the implementation of additional security requirements intended to reduce the risk of compromise by advanced persistent threats.



            Transformative Change

While this proposed CMMC rule introduces additional requirements for defense contractors, it also presents an opportunity for deliberate and transformative change. Organizations that must comply with CMMC should consider stepping back and evaluating not only whether security requirements are being met today, but also whether their cybersecurity program is positioned to meet these requirements consistently over time and to deliver value to the business.

            Organizations should consider the following to use CMMC adoption for transformative change:


1. Understand how meeting CMMC will enable the organization to meet its strategic goals, and ensure the cybersecurity program strategy is aligned with those goals.
2. Obtain senior leadership buy-in for the necessary resources (people, funding, and tools) to achieve and maintain compliance with CMMC.
3. Evaluate whether the CMMC security requirements also benefit proprietary information that is not used in the performance of defense contracts.
4. Ensure that improvements to security controls are adequately documented in policies and procedures. Dedicating proper time and attention to documenting cybersecurity processes helps embed them in the organization's culture, so that they are retained even in times of organizational stress.
5. Schedule and plan continuous risk assessments to proactively manage cybersecurity and identify gaps ahead of CMMC assessment or affirmation obligations.



Another important factor for organizations to consider when building or improving a cybersecurity program is the incorporation of performance management into operational processes. A CMMC assessment validates the implementation of security requirements at a point in time; it does not give organizational leadership continued assurance that cybersecurity measures remain durable over time and aligned to strategic objectives. A more powerful approach is to develop metrics that validate the performance of these requirements over time, so that the organization can confirm they continue to provide a security posture commensurate with its needs as the threat environment evolves. Organizations should regularly report on the achievement of key metrics, both to demonstrate the continued effectiveness of security controls and to provide the rationale for key decisions.



            System of Record

Cybersecurity leaders, such as Chief Information Security Officers (CISOs), have increased motivation to ensure that due care is used in the implementation and validation of cybersecurity controls. Recent rules adopted by the Securities and Exchange Commission (SEC) put pressure on public companies to





Cyber Defense eMagazine – February 2024 Edition
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.