Last Updated on January 19, 2024
Today, information is worth more than riches. The new currency is data. With this being true, the state of cybersecurity within the upper branches of the U.S. government has been shockingly under-prepared.
The cybersecurity and the cyber regulation world are relatively new and still in their infancy. However, despite numerous shortcomings, much development has occurred within the last several years.
Mark Montgomery, the former Executive Director of the Cyber Solarium Commission, shares information about the report the commission published in March 2020 and how that document has influenced the US Government’s roadmap to improve cybersecurity, prevent cyber attacks, and protect the nation’s data.
Emphasis on continuity economy planning and the role of cybersecurity
When an emergency happens, FEMA storms in to respond with water, resources, and support for local people. While this is essential to threat response and disasters, it leaves out a crucial part of the recovery puzzle.
FEMA is a vital response organization. But, the current U.S. response systems do little to restore the cyberinfrastructure damaged or lost during an attack or event.
According to Mark Montgomery, this restoration is paramount to economic recovery. He says ignoring the need for cyberinfrastructure restoration condemns an area to an elongated recovery or depression.
For example, New York City has an intricate system of integrated commodity and stock exchanges. While basic needs, such as water provision, are instrumental in helping citizens respond to natural disasters or attacks, other necessary systems should receive focus. It is also essential to restore the power grid, distribution systems, telecom, and communications systems to restore GDP opportunity and protect against losing economic power to international competitors.
Because the U.S. economy relies heavily on these critical infrastructure organizations, they should receive significant attention in threat response and restoration planning.
“We need the federal government to run and prioritize restoration of our infrastructure to ensure that we can rapidly restore our economic vitality.” — Mark Montgomery.
Cyber plays a large part in establishing, maintaining, and restoring these key businesses. That’s why there is a significant emphasis on plan development within the cybersecurity organizations of the federal government.
While not yet thoroughly developed, plans are underway to create systems to ensure that economic response and restoration arrive as quickly as volunteers, water, and tents.
The six foundational pillars of the Cyberspace Solarium Commission
All of the recommendations developed by the CSC are organized within a 6-pillar system.
These pillars include:
- Reform the U.S. Government’s Structure and Organization for Cyberspace
- Strengthen Norms and Non-Military Tools
- Promote National Resilience
- Reshape the Cyber Ecosystem
- Operationalize Cybersecurity Collaboration with the Private Sector
- Preserve and Employ the Military Instrument of National Power
Each regulation or law developed from the CSC recommendations is created to support and protect the cybersecurity and infrastructure that serves as the foundation of American life and business. The six pillars help organize the different initiatives.
“There’s work to do, but the systemically important critical infrastructure is the most important thing remaining.” — Mark Montgomery.
Behind each cybersecurity law is a critical infrastructure business that the U.S. economy and the lives of Americans rely upon. While cybersecurity is still in its infancy and there is work to be done, significant advancements are being made.
Breaking down the elephant of CMMC
The current CMMC 2.0 program is a promising step in the right direction for protecting Controlled Unclassified Information (CUI) in non-government systems. However, there are a lot of moving pieces to the program.
“CMMC is a pretty big elephant; you have to eat this a couple of bites at a time.” — Mark Montgomery.
While CMMC paints a robust cyber compliance target, Mark argues that certain risks and challenges may be associated with the compliance program implementation.
First, no current system allows for regular, unannounced assessments and security checks. The concern is that CMMC, being a compliance program, could lead to a “checklist mentality” where security is an afterthought.
To ensure that organizations maintain ideal security requires creating and maintaining a security mindset rather than a compliance mindset. In that, it’s important to build security around compliance rather than simply adhering to standards.
Another potential challenge in CMMC and implementing cybersecurity across DoD and non-DoD organizations is the sheer amount of organizations involved.
With growing needs for cybersecurity implementation, particularly in the age of hybrid and remote work, cybersecurity legislative efforts must remain nonpartisan.
Getting a broad spectrum of legislative decision-makers on board with cybersecurity advances will be critical in creating a safe and responsive cyber environment in government and country-wide.
What’s next?
To get every word of this provocative conversation with Mark Montgomery and John Verry, click here.