Rollout of CMMC can put an end to ISO 27001, SOC 2 & HITRUST certifications
By MYBRANDBOOK
In the not-too-distant future, I can clearly see ISO 27001, SOC 2 and HITRUST certifications becoming a diminished, legacy activity, viewed as a rarity left over from marketing efforts to distinguish an organization’s security posture from its competition. Absurd? Unrealistic? Actually, it is a very pragmatic reading of what is coming with the Cybersecurity Maturity Model Certification (CMMC) that the US Department of Defense (DoD) is rolling out just a few short weeks from now (January 2020).
Compliance with CMMC
The initial scope for compliance with CMMC is a conservatively estimated 200,000 businesses that make up the U.S. Defense Industrial Base (DIB). This company-level certification requirement affects every business from the titans of the defense industry (e.g. Boeing, Raytheon, etc.) all the way down the supply chain to small IT providers, janitorial service companies and bookkeepers, since even these small subcontractors may have access to sensitive data and therefore have the potential to weaken the security of the weapons systems and support services that the U.S. military relies upon.
Essentially, CMMC is the method the DoD will use to perform independent, third-party audits of companies that fall within scope for NIST 800-171 compliance.
If you are not familiar with CMMC, you are not alone. However, it is something you should take the time to learn about, since it is on its way to becoming the “gold standard” of cybersecurity certifications for businesses regardless of industry.
While NIST 800-171 exists to protect Controlled Unclassified Information (CUI) from a U.S. government perspective, it is equally well suited to protecting any type of “sensitive” data, from personal data to trade secrets. The DoD is taking a data-centric approach to security in which the focus is on CUI as it is stored, transmitted and processed throughout the entire lifecycle of the system, application or service in question. This goes beyond the process-oriented assessments of ISO 27001, SOC 2 or HITRUST, which evaluate whether risk management controls exist. CMMC instead evaluates maturity-based criteria for the people, process and technology controls associated with the lifecycle of sensitive data across the organization’s assets, its supporting technology infrastructure (internal and external scope) and its supply chain.
CMMC Certification
While CMMC certification will immediately affect 200,000+ businesses supporting the DoD, it is reported that the federal government is closely monitoring the DoD’s rollout of CMMC as a possible model for broader implementation across all federal contractors. Outside of the DoD, the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA) already require contractors that store, transmit or process CUI from those agencies to implement NIST 800-171 security measures and to report instances of non-compliance. Also worth noting, NIST 800-171 is already filtering down to state governments. Specifically, New York State Education Law §2-d now requires school districts to adopt NIST 800-171 as the standard for addressing the confidentiality and privacy of confidential information. From readily available briefing materials, NY prefers NIST 800-171 for the following qualities it offers:
Unlike ISO 27001, SOC 2 or HITRUST certification, CMMC is a mandatory requirement for both prime contractors and subcontractors to the DoD. Starting in 2020, companies that lack a current CMMC certification will be unable to bid on or participate in a DoD contract. This makes CMMC a “must have” business requirement rather than a “nice to have” certification for marketing purposes. Beyond the loss of potential business, non-compliance with NIST 800-171 and CMMC can lead to serious legal consequences for both individuals and the company through False Claims Act (FCA) violations. The first FCA-based lawsuit for NIST 800-171 related violations involves a defense contractor that was turned in by its own former director of cybersecurity for allegedly certifying falsely to the government that the organization was compliant with NIST 800-171. This is a very different business need, with very different potential ramifications, from what cybersecurity certification has meant until now.
You might still be wondering how NIST 800-171 and CMMC would negatively affect other certifications, since CMMC is focused on “government contractors.” Today, ISO 27001, SOC 2 and HITRUST certifications are an industry-accepted way to demonstrate to partners and clients that an organization has met a certain level of perceived security, and they are often used more for marketing purposes than anything else. Companies spend significant time and money on consultants and staff to earn these certifications, even when no law or regulation mandates them.
As NIST 800-171 compliance trickles down through the supply chain, CMMC certification will become the new industry norm, with companies getting CMMC certified either to meet mandatory contract requirements or to market that they adhere to industry-recognized standards. In summary, the most important factors that will change the perceived value of ISO 27001, SOC 2 and HITRUST certifications in the near-to-mid term are:
Final thoughts
In the end, the demise of these soon-to-be legacy certifications will come down to a fiduciary decision: for most organizations, maintaining an additional control structure and obtaining costly certifications that serve no purpose other than marketing will be considered a waste of resources. It won’t take long for ISO 27001, SOC 2 and HITRUST certifications to be viewed as redundant and not worth the additional cost and effort. Smaller, leaner companies will focus on CMMC certification, since that will become the “gold standard” for demonstrating security practices to prospective clients and partners. This will leave ISO 27001, SOC 2 and HITRUST certifications for niche marketing reasons or for legacy contract requirements.
(The article first appeared in Tripwire and is authored by Tom Cornelius, Senior Partner at ComplianceForge)