CMMC compliance does not directly focus on IoT, but organizations must treat IoT as its own security challenge when admins try to meet the certification's requirements.
Chief information security officers who work with the U.S. Department of Defense must understand and comply with the Cybersecurity Maturity Model Certification requirements, but even organizations that do not work with the government can learn from the CMMC.
In early 2020, the U.S. Office of the Under Secretary of Defense for Acquisition and Sustainment released its CMMC documentation that organizations must comply with when they contract with the Department of Defense (DoD). Chief information security officers (CISOs) must consider and document their IoT security vulnerabilities, plus how IoT devices within their infrastructures collect, transmit and store data, to achieve adequate CMMC compliance. With cyberattacks on IoT devices surging 300% in 2019, compliance efforts are extremely imperative.
Recognize each cybersecurity maturity level
Even if an organization does not currently contract with the U.S. government, it's important to understand each level of cybersecurity maturity and how to apply the same principles to bolster an existing IoT security strategy.
CMMC is organized into five maturity levels and ranges from basic cybersecurity hygiene to advanced. All companies contracting with the DoD need to comply with Level 1 at a minimum -- even if they do not handle controlled unclassified information -- though the specific level compliance needed will be listed on the request for proposal.
CMMC Level 1. This level doesn't assess process maturity, but it identifies if the organization simply performs the specified practices of basic safeguarding requirements as established in government policy. Organizations may implement practices ad-hoc or not fully document them.
CMMC Level 2. The second level requires more stringent documentation of data safeguarding practices, as well as related organizational policies. Documentation makes processes repeatable across business functions within the organization.
CMMC Level 3. This is the first maturity level that focuses specifically on the protection of controlled unclassified information (CUI) through meeting security requirements outlined in a detailed plan that includes how an organization establishes, maintains, resources and implements security activities.
CMMC Level 4. The fourth level requires organizations to measure their security practices for effectiveness and monitor for corrective action when necessary. Level 4 builds on CUI protection requirements, as well as other advanced cybersecurity detection and response capabilities.
CMMC Level 5. This level prioritizes cybersecurity practice optimization and standardization across the organization. Through advanced measurement and monitoring, contractors can be proactive in CUI threat identification.
Understand CMMC criteria
Within each of the CMMC levels, DoD contractors must meet various criteria levels across 17 domains. IoT deployments across the organization touch most of these domains. CISOs must have complete visibility into data governance and data flow within their IoT architecture in order to accurately gauge compliance. CMMC also incorporates additional practices and processes from other standards, references and sources, such as NIST 800-171.
The first domain of CMMC is access control. According to government documentation, access control policies detail access levels between active subjects, such as users, and passive entities, such as IoT devices, in IT systems. IT admins can implement access enforcement at both the device and application levels for increased security.
Specific IoT recommendations for CMMC readiness include control over which employees can view the IoT network, limit the IoT devices that company computers can access, and IoT infrastructure setups that prevent unauthorized users, devices and applications from network connection.
Organizations need network device visibility to detect risks as they emerge and prioritize potential threats in operations.
Tips to bring IoT up to CMMC standards
CMMC compliance across all domains is only possible with fully secured IoT networks. Organizations need network device visibility to detect risks as they emerge and prioritize potential threats in operations. CISOs and other cybersecurity leaders can prepare for CMMC with the following:
Conduct an internal audit to uncover all devices in the network, including embedded devices. Visibility is the first step to create a cybersecurity defense plan and threat mitigation.
Understand IoT device communication architecture with other devices and the network. Ensure devices only collect and communicate data as intended and consider network segmentation to enhance security. Track the traffic baseline and chart patterns to compare against in the event of potential threat detection.
Treat IoT as its own security challenge, with separate analytics software and processes to track hardware and machine performance abnormalities. Typically, threats that target traditional IT systems aren't the same as those that target IoT devices and networks, so consider an analytics software that bridges this monitoring gap.
Know IoT network vulnerabilities as well as security protocols. According to the annually updated Open Web Application Security Project's Top 10 IoT Vulnerabilities, these may include weak passwords, insecure network services and ecosystem interfaces, lack of secure update mechanisms, insufficient privacy protection, and insecure data transfer and storage.
Government agencies expect third-party assessment organizations to start CMMC audits soon, with initial focus on prime contractors. However, subcontractors aren't off the hook. Subcontracting companies of all sizes must also comply with the same CMMC level as prime contractors when they handle similar information security levels. Auditors assess IoT accountability across the entire network, because it's critical to threat mitigation.
