CMMC Accreditation Body Looking for Monitoring Solution to Continuously Assess Security Compliance

The Cybersecurity Maturity Model Certification accreditation body is looking for ways to ensure that defense contractors’ cybersecurity safeguards remain competent during the three-year gap in between CMMC audits.

Speaking at a SecurityScorecard-hosted webinar, CMMC accreditation body board member Chris Golden described the renewal of CMMC certifications as “a snapshot in time,” noting that companies may undergo many changes within the three-year period, including having a changeover in leadership or adopting a different operating system.

To address such concerns, Golden said the CMMC is considering adopting a monitoring tool capable of accessing data from the public domain to gain insight into developments across companies without being intrusive, Nextgov reported Thursday.

According to Golden, it is essential that the approach gives the accreditation body a glimpse inside companies’ firewalls without the need for an agent on their networks. 

Robert Knake, a senior fellow for cyber policy at the Council on Foreign Relations, told participants at the webinar that an ideal monitoring solution for the CMMC should be able to collect data inside company networks and send it back to stakeholders. 

For now, Knake said the service provided by security ratings company SecurityScorecard fits the bill. The company rates cybersecurity postures by using publicly available data, including information regarding a company’s efficiency in patching reported vulnerabilities. Knake touted SecurityScorecard’s services as an important immediate step in providing a new means of assessing security compliance.

Looking ahead, Knake anticipates an increased need for internal network scrutiny since many components within the CMMC and programs like the Federal Risk and Authorization Management Program can be measured on a continuous, automated basis.