Why should defense contractors care about CMMC?
You probably have heard a lot about the Cybersecurity Maturity Model Certification (CMMC). CMMC is the U.S. Department of Defense’s (DoD’s) new unified cybersecurity standard for contractors who work with the DoD and its agencies. The final framework is set to be implemented by Q4 of 2020, so it’s a good idea to get familiar with it now.
Below is a rundown of what CMMC is and how you can start working towards compliance regarding your mobile endpoints.
What is CMMC and who needs to comply?
CMMC targets the Defense Industrial Base (DIB) sector, which is composed of organizations and contractors who hold or pursue contracts with the DoD, including over 300,000 companies in the supply chain. It is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.
The framework draws mainly from NIST 800-171, but consists of maturity processes and cybersecurity best practices from multiple security standards, frameworks and other references. It organizes processes and practices into a set of domains and maps them across five levels.
This is a significant departure from the previous procedure where contractors were tasked with implementation, monitoring and certification. With CMMC, contractors will have to be certified by a third party ahead of doing work with the DoD.
How do you meet the mobile requirements for CMMC?
For starters, you need to recognize the limitations of your mobile device management (MDM) solution. As a management tool, it can apply policies and procedures for the administration and governance of mobile devices and applications used within an organization. But MDM is not security and has limited detection or protection mechanisms against mobile cybersecurity threats.
To fully safeguard CUI and FCI against real-time mobile security attacks, you need a comprehensive mobile security solution, which monitors your mobile devices’ health in real-time and detects on-device threats. Mobile security will also be able to notify the mobile-device user and the MDM of the incident, and take steps to block access to FCI, CUI and other organizational resources.
You need integrated mobile security
To truly round out your mobile security strategy and to start working on CMMC compliance, you need to integrate your MDM with mobile security. By integrating the two, mobile security will provide continuous real-time threat detection to enable MDMs to apply appropriate policy and compliance controls to a DIB’s mobile fleet.
The Lookout mobile security solution can protect the DIB sector from mobile-related cybersecurity events across a variety of CMMC controls and maturity levels. These include but are not limited to: Access Control, Audit and Accountability, Configuration Management, Incident Response and Risk Management.
To learn more, check out this infographic that compares mobile security and mobile device management relative to a selection of CMMC controls.