Recently Ordr spent time talking to our clients about the Cybersecurity Maturity Model Certification (CMMC): what it is, why it’s important, and how they can prepare for it as it relates to the world of connected devices (including IoT, IoMT and OT). Ordr is the leader in connected device security, with customers ranging from mid-market businesses to large enterprises, many of whom offer services to the Department of Defense (DoD). Because of this, it is incumbent on us to know how the CMMC will apply to our customers’ infrastructure and to be able to help them achieve certification.
To help our forward-looking clients meet future CMMC requirements, Ordr is already working to map the security controls that connected device components require against the CMMC checklist. In order to plan for the CMMC, it is crucial that organizations working with the DoD understand how IoT and device configurations are being considered as part of this new maturity model.
First let’s break down what CMMC is.
In the Fall of 2020, the US Government will begin requiring organizations to become compliant with CMMC. This is being done primarily to address the low rates of compliance with NIST SP 800-171 across the contractor base. CMMC is designed to permit only businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) recognizes that not all contractors are alike, and is using the CMMC’s tiered “levels” to make this compliance endeavor more palatable for a broader swath of potential contracting organizations. The CMMC is a tiered model that has the potential to impact every business in the Defense Industrial Base (DIB).
Soon, contractors in the DoD supply chain will need to be evaluated against this maturity model by a third-party assessor. CMMC contains seventeen capability domains, each of which covers a different area of security. Practices in each domain are evaluated on a scale from Level 1 to Level 5, with Level 5 being the most mature, and the organization is assigned an overall CMMC level based on the results of its assessment.
CMMC is a big deal for DIB companies because the level that an organization achieves will determine which DoD contracts they’re eligible to bid on and win. Get a 5, the world is your oyster; get a 1 and it limits your available opportunities.
There is no question that CMMC is daunting. The capability domains it outlines are very broad, and cover everything from physical security to personnel security to asset management and essentially any other applicable security control that the government can think of. That sounds nearly impossible, and it certainly can be, but CMMC exists to make organizations understand the complexity and breadth of achieving a genuine security posture. Hopefully CMMC will help mitigate some of the pencil whipping and box checking security failures that have plagued contractors in the past.
Because CMMC is broad, it is critical that any organization wanting to compete for and win lucrative contracts heed the call to address its IoT/OT security vulnerabilities alongside its other security controls and programs. Modern exploits and attacks often cross between IT and OT infrastructure at some point; after all, everything is “connected” today. This means that without IoT visibility and accountability the entire network is potentially threatened, and the CMMC assessors know that.
There are very few CMMC domains that don’t apply to IoT network devices. Asset discovery, threat detection and incident response are part of any complete security program, so it is easy to see why they are integral to the CMMC requirements.
While CMMC has many other requirements, much of what it mandates can be summed up pretty simply. Here are a few basic considerations that can help set your organization on the right track to achieving CMMC compliance specifically related to your IoT/OT network devices.
1) Do you have visibility, access, analytics or even the capability to understand IoT devices?
You cannot defend what you cannot see, and you cannot defend any enterprise if you don’t know the totality of devices or “assets” on its network. Ordr works with organizations to gain that visibility into their IT and IoT networks. In doing this our systems help your team understand how those assets communicate and are connected to each other.
Without that insight and knowledge, it’s impossible to prioritize risks, detect active threats already operating in your environment, or prove that your security posture is strong enough and doing its job. All of those things are key to CMMC compliance across a variety of domains. Being candid, it is impossible to fully secure your networks without having IoT/OT network device visibility.
2) How resilient is your overall IoT/IT network architecture?
CMMC focuses on building a stronger cybersecurity posture in DoD supply chain contractors, and as part of that, CMMC requires an organization to detail how they have built a strong overall approach for securing all network connected devices.
Part of having a sound security posture is making sure that every device communicates only with the internal systems and internet destinations it is intended to reach. Stronger network segmentation improves security by limiting how far an attacker can move after compromising a single device. Ordr makes network segmentation easy by using ML/AI-assisted automation.
3) Can you identify and remediate IoT/OT device vulnerabilities in your network?
Key CMMC requirements focus on identifying and addressing vulnerabilities across all devices and infrastructure components. For networks with IoT/OT devices, that could mean known CVEs, malfunctioning devices, or the presence of unauthorized open ports or rogue applications. CMMC requires that you are able to detect and prioritize vulnerabilities like these. If your organization cannot do this, you will have a hard time achieving higher levels of certification. Ordr shines in this area and can rapidly enable this capability.
4) Can you detect exploits against all your IoT/OT devices?
Detecting IoT and device threats is a very different animal from detecting threats that target legacy IT systems and endpoints. Typically, embedded IoT/ICS devices do not support agents and may not be visible to your IT teams or tools. Because of this gap, your organization may need to incorporate IoT and device-aware analytics that detect abnormal machine behavior and so help identify an attack.
This is not an area where current IT approaches carry over to the IoT/OT device environment. The requirements for these unmanaged devices are very different.
Lastly, Ordr can be deployed to help avoid the pain and cost of an extended audit. Like every other federal certification requirement, a third party is going to audit your company for compliance, and that will include your IoT devices, device security controls and asset inventory. Think about this from a financial perspective: with auditors, time is money. If an organization pays an auditor an hourly rate of $300, the longer it takes the auditor to review and understand your environment, including all the IoT devices, the more billable hours and costs you will accumulate. To minimize the time and cost, it makes sense to have an accurate inventory and full visibility of every asset, including IoT devices, before the auditors arrive. With auditors, nothing exists unless it is documented. Ask Ordr to assist with preparing for your CMMC and FISMA audits.
See how Ordr maps to CMMC in our White Paper.