Common Sense and the CMMC: Expert Interview Series, Ryan Heidorn, Steel Root

In these fraught times, when companies as critical to the national interest as Colonial Pipeline, SolarWinds and JBS are being hacked on what seems like an everyday basis, it’s more important than ever to invest time and resources into hardening cyber defenses. This rings especially true for companies doing business with the U.S. Department of Defense (DoD), which is why the DoD is rolling out the Cybersecurity Maturity Model Certification (CMMC) to help standardize cybersecurity processes for defense contractors and other vendors working with the DoD.

While enacting a new set of government cybersecurity standards might seem like a burdensome process, many of these requirements have existed in DoD contracts for years to help safeguard sensitive data and are just good practice anyway, said Ryan Heidorn, co-founder and managing partner at Steel Root, a leader in helping U.S. government and defense contractors meet cybersecurity and compliance requirements.

“For the most part, the CMMC requirements are good-sense security practices that pretty much any company could benefit from implementing,” Heidorn said.

So why is the CMMC necessary? It was first introduced in early 2020 to help create a unified standard for protecting controlled unclassified information (CUI) — any government-owned or -created data that is not fit for general consumption — across the DoD supply chain. Attacks are coming faster than ever, and the defense industrial base includes more than 300,000 companies. That’s an overabundance of entry points for a bad actor. As the SolarWinds breach showed, one weak link in the chain can open up multiple companies to risk.

Of course, no one is CMMC certified yet. The process is being rolled out in phases; the goal is to have all DoD contracts include CMMC certification by 2025. But that doesn’t mean you shouldn’t start thinking about it now.

“Get started now regardless of when you think that this is truly going to affect you or when you’ll need to be assessed,” Heidorn said. “The reasoning behind that is it takes a lot of time and resources to get from wherever you are today to the finish line.”

One interesting facet of the CMMC is that it’s a complete pass/fail, so if you miss one objective during your assessment, that’s a failure. If you do fail your assessment, there’s likely going to be a period of remediation where a third-party assessor will provide your findings and give you some time to get things fixed. But organizations seeking certification down the road should do everything in their power to get it right the first time around. That means investing time and energy into understanding how CUI comes into your company, who needs to interact with it and what you need to do with it.

“The biggest tip that I can give anyone right now … is to really shrink your scope as small as possible,” Heidorn said. “Don’t go into this with the assumption that you have to apply all of these requirements to your entire operational environment, your information systems. That works in some cases, but in my experience, it can also turn out to be a never-ending project that just bleeds time and money. So if you want to shrink your scope, you need very tight control around understanding what CUI is and then keeping it within that scope.”

According to Heidorn, it often makes sense to start with a gap assessment, especially if you’ve already invested in implementing some of these requirements, such as those that have existed for years under the Defense Federal Acquisition Regulation Supplement (DFARS). If you haven’t taken cybersecurity as seriously as you should, he recommends starting with the end in mind.

“Look toward building maybe a new compliance system, as opposed to throwing away time and money paying down your technical debt,” Heidorn said.

One question that’s being asked a lot around the CMMC rollout — especially in the wake of attacks like SolarWinds and Oldsmar — is whether the CMMC could have helped prevent those breaches. But Heidorn said that’s not quite the right question to ask.

“Let me be clear: For the most part, all of these security requirements under CMMC, they’re common-sense best practices,” he said. “This is stuff that every company should be doing regardless of the industry or the compliance requirements on your industry. But, of course, it’s not foolproof either. So if you’ve got someone like Russia or China targeting your company specifically, they’re going to get into your networks even if you’re doing the right things.

“But implementing these requirements is absolutely going to drive down the prevalence of ransomware attacks and other automated, indiscriminate forms of cybercrime. We definitely see this across industries where a lot of companies are keeping that front door unlocked when it comes to cyber, and it’s definitely smart to throw a lock or two on there.”

In Part 1 of our interview with Ryan Heidorn, he went into more detail about the CMMC, how it’s being rolled out and what DoD contractors need to know to get started. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.
