At the recent CS2 Reston conference held by Summit 7, one of the main themes was the debate over whether compliance equates to security. Some CMMC critics say that NIST SP 800-171 is a big investment that will not ensure security. CMMC supporters argue that compliance with the 110 controls of NIST SP 800-171r2 will significantly increase a company’s ability to protect data.
The word “compliance” is defined as “the act or fact of complying with a wish or command.” The Department of Defense is on the cusp of demanding (commanding) that its contractors comply with CMMC. Some clients may ask you to comply with the ISO 27001 standard. Complying with their request likewise means complying with a set of controls.
The definition of cybersecurity is quite different. It is defined as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.”
In the case of CMMC, do these terms equate to the same meaning?
Just as the main purpose of HIPAA is to ensure the protection of patient data, the main purpose of CMMC is to protect Department of Defense data. Most standards do not claim to serve cybersecurity in general, because that is not their purpose. Technically, from a cybersecurity perspective, a CMMC certification certifies only that you can adequately protect Controlled Unclassified Information (CUI).
Seen this way, it makes sense that compliance and cybersecurity cannot be equivalent. Frameworks and standards would have to be updated continually to guarantee ongoing cybersecurity improvement, and that simply is not possible. NIST SP 800-171r2 provides a checklist of the minimum measures for protecting CUI.
If you are a defense contractor, you will need to achieve CMMC certification sometime in the next 3-4 years. However, you will also need to keep up with vulnerabilities, patches, training, and everything else that cybersecurity monitoring and improvement demands. Asking whether compliance or cybersecurity is more important is not a useful question. You need cybersecurity AND compliance, not one or the other.
Do you have questions about CMMC or ISO 27001? Do you wonder how you can strengthen your overall cybersecurity while progressing toward protection of CUI? Contact us today!