
How federal cyber standards became critical to the business of software vendors


As the Defense Department’s Cybersecurity Maturity Model Certification 2.0 program moves into its enforcement phase, its impact is being felt even outside the defense ecosystem, serving up a reminder to any regulated industry about the importance of cybersecurity compliance. But software vendors in sectors such as finance, healthcare and telecommunications don’t really need a reminder from sharp-toothed government regulators. They already get plenty of that at home.

Even companies that aren’t competing for federal contracts are increasingly adopting security frameworks like CMMC and the National Institute of Standards and Technology’s SP 800-171 because of increased scrutiny from customers and cyber insurers, who are insisting on provable security protections as a requirement for doing business. Federal frameworks still set the standard, but market forces are driving compliance.

In conversations with CISOs at companies outside the defense arena, I’ve seen this shift firsthand as they discover that their biggest compliance pressure isn’t coming from regulators. CISOs have admitted they were more worried about their insurance renewal questionnaire than their next audit. Why? Because insurers now ask deeper, more technical questions about real security practices. Like a company’s customers, the providers of cyber insurance want guarantees that security controls are in place and best practices are being followed before they sign on the dotted line. It’s been a real wake-up call for companies when they realize that CMMC-style rigor has become a market expectation.

Security compliance is no longer a formal, by-the-book exercise in which practices are tuned to pass periodic, point-in-time security audits. It is a continual process. Organizations that treat compliance as an operational discipline, with automated verification and reporting aligned with customer and insurance standards, will gain customer trust and a competitive advantage.

Insurers and customers are the new security watchdogs

Regardless of whether government contracts are at stake, frameworks like CMMC and NIST 800-171 often set the standard for the rest of the industry. The Federal Risk and Authorization Management Program, for example, has had a significant influence on cloud security. Likewise, the Federal Information Security Management Act, though required only for government contractors, is widely used as a guide for security and privacy controls. The federal government, after all, is a big player in procurement and IT practices, so it often sets the standard for industry. A major provider that must meet government standards for contracting purposes will likely implement those controls throughout its products for its full range of customers.

Customers, in fact, have come to expect it. The threat landscape and supply chain attacks ranging from SolarWinds to the Bybit hack earlier this year have underscored the point that cybersecurity doesn’t begin and end at home. It extends to partners and third parties throughout the highly connected and distributed computing environment. Customers want assurances that providers and business partners have proper security protections in place.

Perhaps nobody is taking a closer look at security than insurers, which have felt the impact of the ongoing scourge of ransomware attacks and other threats, including supply chain attacks. Obtaining cyber insurance, at one time not much harder than filling out a form, has become a proving ground for organizations’ cybersecurity postures. Insurers want clear answers to questions about, for instance, backup and recovery, including whether backups are encrypted and separated from production networks, and whether recovery plans have been tested. They want to know about disaster recovery and business continuity plans.

And security compliance is essential to determining the viability — and costs — of granting insurance. How quickly are patches and updates applied? What anti-phishing protections are in place? How quickly are vulnerabilities being remediated? What is the level of compliance with encryption standards?

The cost of payouts from ransomware and of liability claims associated with other attacks has driven up insurance premiums and, for some organizations, raised the specter of coverage being denied altogether.

The keys to operationalizing security compliance

With pressure from customers and insurers — who have become the de facto gatekeepers of compliance — software vendors can’t afford to treat compliance as a once-a-year exercise. They need to make it an operational, always-on practice that is supported by automation, continuous verification and aligned reporting.

Automation is critical to ensuring security in distributed environments that extend from data centers to cloud implementations and Kubernetes containers. Organizations need to make sure that controls such as FIPS 140-3 encryption are validated and that Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) benchmarks are being followed. Automated remediation also can reduce the number of open CVEs at a much higher clip than traditional static hardening techniques. Establishing a comprehensive inventory of assets and taking other steps, such as generating a Runtime Bill of Materials (RBOM), can dramatically reduce an organization’s attack surface. A platform that centralizes these steps and others, such as reporting, can help organizations maintain a solid, transparent security posture. Likewise, organizations must pay close attention to backup and recovery plans, ensuring that workable plans are in place and have been thoroughly tested.

The key word in all of this planning is operational. Organizations can no longer just prepare for scheduled audits; they must be ready at all times for scrutiny from customers and insurers, because those parties determine whether an organization wins contracts or even keeps its insurance coverage. Organizations need to invest in tools, processes and platforms that continuously scan, patch, harden and prove the security of their software so that they can demonstrate compliance at any moment. Adopting continuous, automated verification will reduce risk, accelerate sales cycles and give organizations a leg up on competitors. In the near future, continuous, automated security verification is what will separate resilient organizations from those overwhelmed by today’s growing threat landscape.

George Manuelian

George Manuelian is a veteran technology executive with deep expertise in cybersecurity, networking, and cloud infrastructure. Before joining RapidFort, Manuelian was VP of Worldwide SASE GTM at Palo Alto Networks, driving over $1.2 billion in revenue. He has also led key partnerships at AWS, grew Versa Networks to $100M ARR as VP of Sales Engineering, and spent over 20 years at Cisco, leading innovations in mobile and cloud services.
