Sectrio

CMMC Compliance Assessment: Adoption Challenges

Where we talk about the adoption challenges now. While most of these practices, recommendations and standards are easy to put on paper, in reality we have seen that it is quite challenging when it actually comes to our own infrastructure. Some of it we have never touched in years, and how do we go back and run those maturity scores against it? How do we scan those devices? We cannot even access the network; some of them are already isolated, and we don't have access to those air-gapped networks. But most importantly, evaluating those relevant environments is what we will try to uncover today, where we're looking at unclassified information which does not have perimeters, which means it does not have clear boundaries set. It still falls under the CMMC requirement as detailed in the documentation that they have released.

Now, what is the desirable target for insider attacks and adversaries? We talked about air-gapped networks. So while it is a controlled environment where nobody external can access it, something we always see is that insider attack has become more prevalent, and it's always accessible to somebody in the team who may have access to the system that we are not aware of. And that still becomes a part of the requirement: to be able to run those tests and ensure that the systems are authorized only to those who require access, and if not, what is the data flow that is flowing from left to right, where can I isolate it, how can I implement my micro-segmentation strategies for my operational technology, and how do I build it within the sub-networks of my overall infrastructure?

How do we determine the target level of compliance? What is the acceptable level of compliance that we build? Having an acceptable score and a minimal set of risks and vulnerabilities is paramount, and that's something we consider one of the challenges when we are evaluating this compliance.

But most importantly, what are the resource requirements? How much work goes into preparing for these compliance and audit programs? We are always held up with some critical project deadlines, as we all see, but then is there a dedicated focus on building and preparing this compliance program? This is where we have seen that engaging with certain security vendors and also the thought leaders in the industry has helped in increasing and optimizing this process, with much less effort required from me in involving my own security team in this rather than having them work on their day-to-day tasks.

The other important thing is that it's evolving from basic hygiene. What we are seeing is that the overall maturity model is evolving from the basic hygiene that was there, which was part of the self-assessment that most of the organizations were doing earlier, to a more advanced level. With this advanced level that is now coming into effect, most of the organizations were required, as of last year, to have some amount of advanced controls in the network before they participate in any of the DoD contracts.

Then there is the skill set shortage. We see that when it comes to critical infrastructure and legacy networks, unless we have people who have worked in that ecosystem for years and years and who have the know-how on how to deal with this, it's always challenging to find specific skill sets who can come in, pick up that whole ecosystem and try to build a maturity score, or try to model the threat and perform that threat analysis. This also directly impacts the budgets and timelines: if I have to hire somebody who is capable of doing it, how long would it take for them to be ready to perform these audits? After that, how long does it take for these personnel to execute that and provide the reports? So it becomes an extensive project.

What we're also seeing is the requirements becoming some of the key asks from government and federal contracts. So while today it is a good-to-have, and most of the CMMC requirements are very specific to certain critical projects, it's becoming more and more standardized across the industries. Some of these models we see are present in NIST and IEC, which are also detailing the same things and recommending them as security best practices, which is adding up to a lot of pressure across organizations to make sure that they are starting this program as early as possible.

The other thing is that the overall certification and compliance is spanning beyond your traditional IT and including all of the connected ecosystem: your non-traditional ecosystem that surrounds it, anything that involves connecting to your network, connecting to your infrastructure and exchanging data, whether it be your customers' data or your internal machine information, is now being assessed. Companies are finding it challenging to adopt this kind of ecosystem and fit into all the existing models that have already been built; apart from that, there has to be a separate focus on it: how do we unify all of these things within the organization?

The other aspect is with COVID. What we have seen is that most of the remote working conditions and access beyond the perimeter are exposing some of the infrastructure to workers who are trying to connect remotely from their home offices or from remote sites, which is also exposing this information. How do we control this, and what kind of access level do we need to bring in, is becoming a key topic, especially when we talk to our customers on a daily basis; it's becoming the key topic that they talk about.

ready in the path of implementing some controls, but then they're constantly looking at what other technologies they can include to enhance the current process models.
