Cybersecurity Awareness Month is officially underway, with the theme "Secure Our World," emphasizing the crucial need for proactive, daily steps to safeguard data flowing through increasingly interconnected environments. With the threat landscape maturing and evolving every day, this theme highlights the shared responsibility required to maintain a secure digital ecosystem and resilient supply chains.
We are seeing, in real time, the development of a robust cybersecurity standard to better secure our world: Cybersecurity Maturity Model Certification (CMMC) 2.0, set to take effect in 2025, is reshaping how companies within the defense industrial base (DIB) approach cybersecurity. Here are some of the most significant ways CMMC 2.0 enables a safer physical and virtual world.
CMMC 2.0 aims to strengthen the security posture of companies in the defense industrial base (DIB) by ensuring they meet stringent cybersecurity requirements. These regulations mandate that organizations implement essential security measures, such as multi-factor authentication, encryption, and vulnerability management.
A recent survey conducted by Merrill Research reveals that the majority of these companies are far from fully prepared to meet CMMC 2.0 requirements. This gap is another reminder of the pressing need for organizations to elevate their cybersecurity posture to protect Controlled Unclassified Information (CUI) and reduce vulnerabilities within the supply chain.
It is no secret that many contractors — especially small businesses — have limited resources to support the extensive requirements of CMMC, leaving sensitive government data exposed to potential cyber threats. As the countdown to CMMC 2.0 continues, companies must prioritize compliance or risk not only their government contracts, but also the security of sensitive defense-related data.
One key element of reaching said compliance is adopting robust, data-centric security strategies to protect what matters most, first: the data.
The implementation of CMMC 2.0 is happening parallel to a fundamental industry shift in how we approach data security. This shift toward "microsecurity" moves us beyond traditional perimeter-focused "data defense," to a proactive, data-centric model focused on protecting the data itself, wherever it resides or travels in the world.
In this new paradigm, data is recognized as the primary asset to safeguard. This recognition demands a two-pronged approach, defense and offense (like in football).
Defense: Organizations must implement robust controls to protect data at rest, in transit, and in use. Defensive security aims to protect the data an organization possesses, and keep the bad guys from getting in: Strong perimeters, app and device security, and identity & access management secure internal operations, data, and workflows.
Offense: Equally important to defense is the ability to securely share and leverage data across the supply chain. No defense contractor operates in a vacuum: They need to securely collaborate both internally and externally to innovate, deliver successful outcomes, and drive value. This "offense"-driven strategy involves implementing controls that maintain security and ownership even when information is shared outside traditional boundaries. Granular access controls, client-side encryption, and open standards like the Trusted Data Format make this possible.
For CMMC 2.0 compliance, a balanced strategy ensures Controlled Unclassified Information (CUI) is protected at all times — especially when it leaves the organization's possession.
It's crucial that organizations view CMMC as foundational to their business success. In the DIB, it's essential to demonstrate that your organization can be trusted to safely handle sensitive data — and this is what CMMC aims to achieve. As we approach the 2025 implementation deadline, the question isn't just about checking the (many) boxes for compliance — it's about demonstrating good data security hygiene and layered protections.
Here are a few ways organizations can secure our world by turning their focus to the data:
Apply Data-Centric Security: Implement controls that protect data at the object level, aligning with multiple CMMC 2.0 domains (access control; audit and responsibility; and media protection, to name a few). This involves using end-to-end encryption (E2EE) for emails, files, and data within core services and applications, ensuring protection both at rest and in transit.
Leverage Encryption Across Applications: Go beyond basic encryption requirements to implement E2EE that protects data throughout its lifecycle, as it flows through various business apps: Gmail, Outlook, Google Drive, Confluence, and others. Encryption should be seamlessly integrated into daily workflows, automatically securing sensitive information without burdening users.
Implement Granular Access Controls: Use Attribute-Based Access Control (ABAC) to meet and exceed CMMC 2.0's access control mandates. This allows for fine-grained policies based on user attributes like security clearance level and releasability requirements, ensuring only authorized personnel can access sensitive data.
Establish Comprehensive Audit Trails: Deploy robust logging and monitoring solutions to demonstrate compliance and rapidly detect potential security incidents. This includes tracking who has accessed (or attempted to access) protected data, providing visibility into data access patterns.
Embrace Open Standards: Consider solutions that support open standards like the Zero Trust Data Format (ZTDF) to ensure long-term viability and interoperability within the defense ecosystem. ZTDF applies persistent, object-level encryption and policies to data, adhering to U.S. and NATO standards.
Enable Persistent Control: Implement solutions that allow for real-time adjustment of access permissions, even after data has been shared. This includes the ability to set expiry dates, revoke access, or modify permissions as needed, ensuring CUI is only accessible for as long as necessary.
Ensure Cross-Platform Protection: Adopt security measures that are platform-agnostic and protect data across apps and channels. This includes popular cloud services like Microsoft 365 and Google Workspace, as well as custom applications.
By implementing these strategies, defense contractors can not only meet CMMC 2.0 requirements but also position themselves at the forefront of data-centric security. This approach enables organizations to balance robust defensive measures with the offensive capabilities needed for secure data sharing and collaboration in an increasingly interconnected defense landscape.
As we commemorate Cybersecurity Awareness Month and approach the 2025 CMMC 2.0 deadline, organizations must view these initiatives not just as compliance checkpoints, but as meaningful advancements toward a data-centric security posture. By balancing robust defensive measures with proactive, secure data-sharing capabilities, companies can meet regulatory requirements and position themselves to thrive in an increasingly data-driven defense sector.
In this way, the convergence of Cybersecurity Awareness Month with CMMC 2.0 compliance illuminates the deeper "why" behind these regulatory hurdles: They impel us to close the gaps, protect data integrity across the defense supply chain, and truly "Secure Our World."