With Iran Cyberthreat Growing, CMMC Isn’t Looking So Crazy: Analysis

The rising Iranian threat shows why the DoD’s ultra-stringent security requirements for compliance with its CMMC program are probably worthwhile — despite all the messiness associated with the program.

Perhaps more than any other segment of IT, cybersecurity is ultimately not about working with human nature – but about thwarting it.

This would seem to be true whether we’re talking about individuals (getting you to stop clicking those phishing emails) or organizations.

In the latter case, a good cybersecurity program involves forcing an organization to make major investments in advance — maybe even far in advance — of those investments actually being needed.

This is rarely easy because, well, humans are involved. This sort of longer-term planning frequently conflicts with the human tendency for short-term thinking.


The arrival of tangible threats, however, tends to bring greater clarity around cybersecurity priorities to the human mind. And one such threat, from Iran, is in the spotlight right now, and could be for the foreseeable future.

Following the Iran-Israel war and U.S. intervention last month, the FBI and other federal agencies this week released a stark warning — saying they “strongly urge organizations to remain vigilant for potential targeted cyber activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber actors.”

“Despite a declared ceasefire and ongoing negotiations towards a permanent solution, Iranian-affiliated cyber actors and hacktivist groups may still conduct malicious cyber activity,” the agencies, which also included CISA and the NSA, said in the advisory Monday.

Specifically, the agencies pinpointed Defense Industrial Base contractors as among those at an “increased risk” from Iran going forward.

Reading that line made me think of the conversations I have had recently with MSPs and security experts about Department of Defense efforts to dramatically raise the security posture of its Defense Industrial Base contractors, through the DoD’s Cybersecurity Maturity Model Certification (CMMC) program.

CMMC is complex, stringent and expensive. There’s no denying that the program is very, very messy.

But the more subtle challenge for many defense contractors and MSPs is simply that, as with so many other aspects of cybersecurity, buy-in really requires taking a longer-term view than usual.

Why is it necessary to meet the 110 — yes, 110 — different security requirements for achieving compliance with CMMC? And furthermore, why are there hundreds of associated objectives that must also be met?

The answers may have been harder to grasp a year or two ago than they are today. The possible threat of a coordinated cyber assault from Iran against vast swaths of the Defense Industrial Base would tend to cast CMMC, and the array of requirements that comes with it, in a more sympathetic light.

Now this is not to let the federal government off the hook for the countless ways it has made CMMC more difficult for contractors and MSPs to take seriously, through years of delays and lack of clarity. But crucially, all indications now suggest the program is not in fact going to fall victim to White House deregulation efforts.

And with the specter of expanding cyberthreats from Iran — not to mention from other hostile nation-states — one would expect that CMMC is not only here to stay, but may just be a key to winning the cyberwar.