CMMC requirements demand innovative approaches to securing CUI

Reducing the complexity and cost of CUI security is essential to supporting small businesses crucial to defense innovation.

In early September, the Billington Cybersecurity Summit convened government officials, executives and experts to explore the latest cybersecurity trends, policies, best practices and threats facing government agencies and contractors. While the summit's "Cybersecurity in the Age of AI" theme was well chosen, how we secure and manage sensitive data will remain a critically important topic regardless of the technology of the moment.

We are at an inflection point in efforts to secure controlled unclassified information (CUI). The Defense Department is full steam ahead on rulemaking to implement its important Cybersecurity Maturity Model Certification requirements, recently publishing a proposed rule to implement contract clauses related to the proposed CMMC Program. Meanwhile, portions of the defense industrial base (DIB), particularly small businesses, are navigating how to comply and shoulder the expense of doing so.

DoD, to its credit, has made efforts to address small business concerns about cost and has added flexibility on third-party certification, but critical challenges remain. Specifically, DoD estimates that approximately 76,000 companies will need an audit from a CMMC third-party assessment organization (C3PAO). In practice, many of those 70,000-plus companies deliver the technologies our warfighters need yet cannot afford to comply, or do not see enough profit incentive to invest in securing their CUI.

The question becomes: how do we effectively raise the level of security across the DIB through effective CMMC enforcement while enabling these small businesses to comply cost-effectively?

First, we need to take an honest inventory of legacy data loss prevention (DLP) technologies and approaches that cost too much and deliver far too little. Second, we should enable organizations to freely use CUI when they need it and how they need it, within the boundaries of their mission sets and security protocols.

Modernizing the overall approach to reduce complexity

Even for very large DIB companies and prime contractors, protecting CUI with traditional tools is becoming a losing proposition. The approach in place today is to rely on DLP systems, personnel and techniques. One challenge with this legacy approach is that DLP simply cannot scale to meet the massive increases in the volume of data being generated.

For context, by 2025 the world is expected to create 180 zettabytes of data annually, nearly triple the 64.2 zettabytes created in 2020. If we set this staggering increase against a likely flat budget and a flat number of DLP practitioners, how are traditional methods expected to keep up? Costly DLP solutions typically require significant staffing and budget, both of which become harder to come by as the DIB company gets smaller.

Enabling CUI usage while reducing audit complexity and cost

By changing the approach and leveraging the latest technologies across enterprise browsers, identity and access management (IAM) and cloud storage, even the smallest members of the DIB can improve the usability and protection of the CUI they require to fulfill their contracts.

By establishing an application boundary, CUI-marked data can be freely used and shared within the applications and storage locations where it is approved to exist, and nowhere else. Those applications and storage locations are selected based on project need and ease of auditing, so the set of systems in scope for an assessment stays small and well defined. The use of CUI then becomes about enablement and speed to results rather than a complex data protection exercise.

By coupling an enterprise browser application boundary with government-approved cloud storage repositories such as Amazon Web Services, Google Drive or Microsoft 365, small businesses can safely bid, compete and fulfill contracts with lower costs and complexity. One caveat a practitioner should keep in mind: DFARS 252.204-7012 requires a cloud service provider that stores or processes covered defense information to meet the FedRAMP Moderate baseline or an equivalent, so the specific government offering chosen matters, not just the vendor name. These tools are built to handle and secure data at scale, a good fit for small businesses that need to secure their CUI in the most cost-effective way possible.

Enforcing CMMC requirements to secure DoD’s sensitive information simply cannot come at the cost of small businesses in the DIB that deliver innovative technologies to our warfighters. Delivering innovative, cost-effective solutions so these companies can secure their data and achieve CMMC certification is imperative. Nothing less than our national security is at stake.

Scott Montgomery is vice president of U.S. federal for Island.

Copyright © 2024 Federal News Network. All rights reserved.