During the Cold War, the Defense Department wanted a network that could reroute itself around areas that had been destroyed by nuclear weapons or attacked by enemy spies, so they built one and called it ARPANET, or the Advanced Research Projects Agency Network. Scientists at major universities joined in, using it as a collaboration tool. The ARPANET, now called the internet, has become a business enabler extraordinaire, a behemoth transactional system that holds together a global economy. Like all things that evolve, it has taken on a level of complexity that businesses - large and small - are ill-equipped to address. With the military and colleges as its sole users, we did not build the internet with security in mind. We realized this only after its value as a social and business enabler became apparent, resulting in the exponential growth and increased diversity of its user base. Unfortunately, hackers began exploiting America’s first “killer app” for financial gain, disgruntled employees used it for revenge, and end-user neophytes made mistakes. The tech industry responded with vain attempts to repurpose an already mature and efficient architecture by retrofitting it with hardware like firewalls, and software such as encryption, antivirus and real-time monitoring tools.
But these efforts weren’t enough to stem the tide of assaults on our privacy, finances and reputation. The government had to do something to rein in the beast it had created.
So it used its heavy hand to impose sweeping cybersecurity regulations and control standards on big banks, broker/dealers, health insurance carriers, and critical infrastructure. But then, numerous breaches occurred at lower levels of the supply chain, attacking the same information that the big companies were spending millions to protect. Another example of government intervention is the Cybersecurity Maturity Model Certification (CMMC), which regulates government contractors who secure controlled unclassified information (CUI). The first version, CMMC 1.0, never had a chance.
It was complex, contained control requirements from too many authoritative sources, and lacked governance over third-party assessment pricing. So finally, after more than 18 months of contractor outrage, the Defense Department put a hold on CMMC and gave out a few clues on what’s to come. The Defense Department comptroller estimates that it could be another seven to 20 months before CMMC 2.0 is signed into law. The goal should be to manage risk, not eliminate it. One must accept some level of cyber risk to reap the rewards of technology.