CMMC Is the Starting Line, Not the Finish

Cybersecurity Maturity Model Certification (CMMC) and a harden, detect, and respond mindset are key to protecting defense and critical infrastructure companies.

Chris Petersen, Co-Founder & CEO, RADICL

February 1, 2024

4 Min Read
Runner at starting line of race
Source: Cultura Creative RF via Alamy Stock Photo


Over the past few years, it has become painfully clear that companies in the defense industrial base (DIB) and those providing critical infrastructure are being actively targeted by nation-state threat actors. Various federal agencies have been sounding the alarm and doing their best to nudge companies to do better. The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) is the hardest nudge to date and (hopefully) soon will become a strictly enforced mandate.

Companies that achieve adherence to CMMC (which has been aligned to NIST 800-171 at the "Advanced" certification level) will become a harder target. But will they be safe from the world's most advanced threat adversary? Unfortunately not. Compliance will certainly be a step forward, but entities like China's PLA Unit 61398 unit will find a way to infiltrate, persist, steal, and when called upon, disrupt.

Companies that want to realize true cyber threat protection and resilience must go beyond "check-the-box" CMMC / NIST 800-171 compliance. They must move to a proactive and continuous harden, detect, and respond mindset with modern security operations.

Harden-Detect-Respond (HDR) Operations

As a 30-year cybersecurity veteran, I have come upon many cybersecurity truths. One is that policy, controls, and secure configurations continuously rot due to other business priorities and IT entropy. Establishing a strong policy and control structure helps make cybersecurity a top-down operational mindset. However, the pace of IT change and the need for businesses to prioritize speed and efficiency over absolute security often erode the effectiveness of established protections and controls, leaving gaps for attackers to exploit.

An HDR mindset and operational capability help address this by:

  • Proactively identifying, fixing, and returning IT and operational weaknesses to a hardened state.

  • Immediately detecting and investigating possible intrusions into the IT environment, 24x7.

  • Hunting and rooting out embedded threats within the IT environment.

  • Quickly containing, mitigating, and fully responding to incidents.

CMMC / NIST 800-171 mandate most HDR capabilities. However, a company's rigor and depth in realizing them can make the difference between remaining vulnerable or being highly resilient and protected from the advances of a nation-state cyber threat or motivated cybercriminal.

Seven Critical HDR Practices

The following HDR practices can help companies achieve resiliency and protection from cyber threats.

Harden People

People remain the softest target. Security awareness training can reduce the risk of employees falling prey to phishing and other social engineering attacks.

Harden Your IT and Cloud Infrastructure

Software vulnerabilities and misconfigurations are constantly introduced. Conduct routine vulnerability scanning and cloud security posture assessments. Prioritize fixing vulnerabilities and weaknesses most likely to be exploited.

Harden Endpoints

For most organizations, endpoints (along with people) form the perimeter of their defenses. They are often attacked and the most common avenue into IT infrastructure. Properly configured modern endpoint protection and visibility are critical to defending against this risk.

Increase Visibility

The best way to detect threat tactics, techniques, and procedures (TTPs) is by increasing visibility into the IT and cloud environment. Data from a security information and event management (SIEM) system provides high visibility into endpoint activity, authentication activity, data access activity, and data movement.

Increase Detection

Ensure endpoint and network security solutions are properly configured to detect the types of TTPs they have visibility into. Leverage your visibility and security analytics (e.g., via SIEM) to expand your detection scope. Deploy advanced detection solutions such as user behavior analytics that can detect attackers impersonating employees. The ultimate objective is to achieve 100% TTP detection coverage, per the MITRE Framework.

Hunt for Threats

The unfortunate reality is that many companies are compromised and don't realize it. If your intellectual property is of interest to nation-state cyber spies, backdoors may already be in place. The surest way to find and kill embedded threats before data is stolen or operations are disrupted is to proactively hunt for them. Threat hunting requires endpoint detection and response along with broad visibility. It also requires expertise and human threat hunters, making this one of the most challenging operational capabilities to realize.

Investigate & Respond 24x7

Threats don't take weekends and holidays off. You must evaluate high-risk indicators of intrusion and compromise within minutes, whatever time or day they occur. A threat given time is a threat that can burrow deeply into your environment and become harder and more expensive to dislodge. Allowed to linger long enough, it will eventually cause you harm. You must have the operational capability to quickly investigate threat indicators and, if an incident occurs, contain and mitigate it within hours.

Prioritize HDR

Defense and critical infrastructure companies face a hard problem — building profitable businesses while protecting their inventions and operations from extremely advanced threats. Those seeking to get ahead of compliance and reduce the risk of cybercrime are wise to prioritize HDR. Not only is it required for compliance adherence, but it can protect and defend you as you layer in additional requirements and controls. Over time, maturing your HDR operations can help you reliably detect and deter nation-state cyber threats if they turn their attention to you.

About the Author(s)

Chris Petersen

Co-Founder & CEO, RADICL

Chris Petersen is a leader and innovator who cares deeply about protecting governments and companies from cybersecurity threats. Chris began his career as a consultant with Price Waterhouse (PwC) and later Ernst & Young (EY). He then joined the first Silicon Valley startup providing Managed Security Services. In 2002, Chris co-founded LogRhythm, a Gartner Magic Quadrant Leader in Security Information & Event Management (SIEM). Currently, Chris is the CEO of RADICL Defense, a stealth-startup protecting organizations from nation-state threats. Chris has spoken at conferences across the globe, holds multiple patents, and is an EY Entrepreneur of the Year.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights