The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's cybersecurity compliance and certification program, built around independent assessment of defense contractors against the NIST SP 800-171 security requirements for protecting Controlled Unclassified Information (CUI). It builds on the existing DFARS 252.204-7012 clause. Access control and data protection sit at the forefront of the model because they address the most common routes to compromise.

The majority of CMMC's current security controls are based on NIST SP 800-171 Revision 2, released in February 2020. The public comment period on the much-anticipated Revision 3 closed in January 2024; the expectation is that the CMMC proposed rule will be finalized by the end of 2024 and begin to appear in contracts in 2025.

Although the rule is complex, the basic purpose of the CMMC program is to ensure that every organization doing business with the DoD can demonstrate basic cyber hygiene, for most contractors handling CUI through a third-party assessment. This is not just another security checklist. Tens of thousands of Defense Industrial Base organizations need to protect their passwords, secrets and privileged credentials from the dynamic threats facing our nation's military today.

New Controls for Credential Management

One main area of cyber hygiene that NIST SP 800-171r3 addresses is credential management. Requirement 03.05.07 (Password Management) has specific mandates for passwords: contractors must maintain a list of commonly-used, expected or compromised passwords and verify, when a user creates or changes a password, that it is not on that list; must transmit passwords only over cryptographically protected channels; must store them only in cryptographically protected form, which in practice means a salted, deliberately slow hash rather than reversible encryption; and must enforce organization-defined composition and complexity rules, among other requirements. DoD contractors will need to account for these requirements.
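As an added illustration, not part of the original article and not code from any Keeper product, the following Python sketch implements the core 03.05.07 checks: screening a candidate password against a blocklist of commonly-used or compromised passwords, enforcing organization-defined composition rules, storing the password only as a salted, slow PBKDF2 hash rather than in any reversible form, and comparing a new password against previously stored verifiers to detect reuse. The blocklist entries, the 14-character minimum and the three-character-class rule are assumptions standing in for an organization's own parameters. Transmission over a cryptographically protected channel is a deployment property (TLS on the login endpoint) and is not shown.

```python
"""Password-management checks modelled on NIST SP 800-171 Rev 3, 03.05.07.

Added example; the policy values and blocklist below are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import unicodedata

# Constructed stand-in for the organization's list of commonly-used, expected
# or compromised passwords (03.05.07a/b). A real deployment loads a maintained
# breach corpus; these entries are illustrative only.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein",
             "welcome1", "acme2024"}

# Organization-defined composition and complexity rules (03.05.07f leaves the
# actual values to the organization; these are assumed for the example).
MIN_LENGTH = 14
REQUIRED_CLASSES = 3          # out of: lower, upper, digit, other

PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input hashes identically."""
    return unicodedata.normalize("NFKC", password)


def check_policy(password: str, blocklist: set[str] = BLOCKLIST) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    pw = normalize(password)
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Count distinct character classes; any non-alphanumeric counts as "other".
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses {classes} character classes, need {REQUIRED_CLASSES}")
    # Screen case-insensitively and with trailing digits/symbols stripped, so
    # "Password1!" does not slip past a list that contains "password".
    lowered = pw.lower()
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in blocklist or stem in blocklist:
        problems.append("found on the commonly-used/compromised list")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Produce the stored verifier (03.05.07d): salted PBKDF2, never plaintext
    or reversible encryption. Format: algorithm$iterations$salt_hex$hash_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode(),
                             salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier and compare in constant time."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_reused(new_password: str, history: list[str]) -> bool:
    """Reuse check against prior verifiers; old plaintexts are never retained."""
    return any(verify_password(new_password, h) for h in history)


def evaluate_change(new_password: str, history: list[str]) -> list[str]:
    """Full decision for a password change: policy violations plus reuse."""
    problems = check_policy(new_password)
    if is_reused(new_password, history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed demo: a prior verifier on file, then two change attempts.
    history = [hash_password("Correct-Horse-Battery-9")]
    for candidate in ("Password1!", "Correct-Horse-Battery-9", "Tidal-Wave-Harbor-42"):
        print(f"{candidate!r}: {evaluate_change(candidate, history) or 'accepted'}")
```

The stem-stripping step in `check_policy` is the detail assessors most often find missing: a blocklist compared only by exact match lets users satisfy it with a trivial suffix, which is exactly the weak-password pattern the audits described below keep turning up.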

These seemingly simple steps are of vital importance to national security. The DoD is entrusted with highly sensitive classified information, and contractors often hold CUI such as personally identifiable information, health records, proprietary material and information related to legal proceedings.

And yet, the DoD Office of Inspector General's 2019 audit of ten contractors handling CUI found that one of the most common security shortfalls was weak passwords. Weak passwords continue to be a gap that fuels an ever-growing threat of compromise and critical data loss. Rev 3 takes a critical step in the right direction, yet it still does not prescribe specific password strength or complexity rules, leaving them to each organization to define, and it no longer carries Rev 2's explicit prohibition on reusing a set number of previous passwords. Bottom line: organizations doing business with the federal government should not stop at CMMC but go a step further to secure passwords before they ever make it to the dark web.

Adopting a Zero-Trust Mindset

Every member of the DoD community, including contractors, must adopt a zero-trust mindset. This “never trust, always verify” posture makes companies and individuals responsible for the security of their data, devices, applications and assets. It also means users are granted access only to the data they need, and only when they need it. Within zero trust, disciplined password management is one of the simplest ways to protect sensitive systems and data.

According to Verizon's 2023 Data Breach Investigations Report, 74% of all breaches involve the human element, which covers the use of stolen credentials, social engineering, privilege misuse and error, with stolen credentials the most common way in. Yet too many IT administrators have no visibility into, or control over, their employees' passwords and credentials.

To pass an assessment, administrators need to show that they are alerted when passwords have been compromised and when users are not complying with organizational password policy, such as prohibitions on password reuse.

During an assessment, organizations should be able to show:

— An authentication and network communications model that protects credentials in transit and at rest with strong, validated cryptography

— A vault for each end user's passwords, protected with multiple layers of safeguards and encryption

Adhering to the security controls in CMMC 2.0 requires a combination of people, processes and technology. A FedRAMP-authorized password manager and Privileged Access Management (PAM) solution that are FIPS 140-2 validated, and further strengthened with zero-knowledge encryption, give DoD contractors a technical foundation for several key CMMC credential-management controls; the supporting policies and procedures still have to be written, followed and evidenced.

Federal and state government agencies are making long-term commitments to zero trust. It's up to all organizations and contractors to make the same commitment and do their part to secure every user, on every device, in every location.

Mike Eppes is Director of Public Sector at Keeper Security, a provider of password management, secrets management, privileged access, secure remote access and encrypted messaging products and services.
