The day is coming when the CISO will look at their team and announce, “We have made it, CMMC is complete! Our cyber journey is done.” A release of tension will course through the team. They will gather for celebratory drinks and swap stories. The CEO and Board will tell them how grateful they are, as they wish them well on their next journey, wherever that might be. The team will share one more round before riding off into the sunset.

At least that’s how the scene would play out in a movie. Reality, however, is different.

Meeting Cybersecurity Maturity Model Certification (CMMC) will mean that you have only three years before you need to recertify, and 12 months until your organization will need to re-affirm that they still meet the requirements. NIST 800-171 v3 will likely have become final, and you will need to implement it.

Outside of your organization, the threats and threat actors will have improved and adopted AI into their threats, tactics, and procedures (TTP). Beyond the U.S., there will be new regulations, and within, several states will have new requirements. Insurance brokers will be conducting independent verification of your cyber defenses, with your rates fluctuating based on results. Your Cyber team will still be over-worked and under-resourced. And all this will be while you’re trying to meet the SEC rules around cyber disclosure and materiality.

It is a far cry from the movie opening, and given all these challenges, it is easy to understand why those CISOs who can, are leaving their roles.

But it isn’t all “doom and gloom.” CMMC (via NIST 800-171) has given us a good cyber framework to build from. Implementing it will have helped change your culture into a more security-conscious one, and pushed the board, executive team, and cyber team to better understand one other.

It also opens the door to continue the cyber journey.

Next steps for your cyber road ahead

Looking at the next steps to take after meeting CMMC, several common themes are apparent if you want a healthy and robust cyber program, although they all need some tailoring to fit your organizational mission:

• Zero Trust: Build out an organization that finds a way to verify every micro transaction for 100% of your business.
• NIST 800-171 v3: Execute it, within your zero trust plan, and know that v4 will come sooner than later.
• AI: Generative AI is in its infancy, and it has already had tremendous impact. True AI will come and be even more disruptive.
  • Operational AI: How are you going to use it in your day-to-day? How will it help you deliver your core mission? How will it help your infrastructure to operate?
  • Situational AI: How will AI help you detect a potential cyber incident sooner? Detect TTPs? Filter more logs? Find hidden threats?
  • Deep fakes: How do you prove that recording of your CEO is fake, or real? How do you deal with sophisticated misinformation on social networks? How do you find it before the damage is done?
• Quantum computing: Remember all the angst you went through to encrypt everything in transit or at rest? Well, quantum computing just broke it. Now we need to deploy quantum-proof encryption.
• People: We are still the weakest link in the process. Everything we do above needs to account for people: How to empower them, make them more productive, protect them, and make everything easy for them to use, while protecting them from the human traits that make them prime targets for threat actors.

The five bullets above are more than enough to help us realize why CMMC isn’t the end of the cyber journey, it’s barely the start. There will always be a lot more to do. In a perfect world – one full of resources, subject matter experts, unlimited budgets – this would be a challenge, but we do not live in that perfect world.

Cyber is a journey that evolves every day. Even if your organization didn’t need to meet CMMC, you are on the same journey. It is a journey that every organization, of any size, needs to recognize and undertake.

How CohnReznick can help

To succeed on this journey, organizations need a strong CISO as part of their executive leadership team. Even then, they will require a trusted advisor to help them along.

Let CohnReznick be that advisor. We provide thought leadership, technical guidance, targeted help, and CMMC guidance, and – for defense contractors – we are a CMMC Registered Provider Organization (RPO) and a Certified Third-Party Assessor Organization (C3PAO). If you want to talk about your cyber needs today or how to strategize for the future, CohnReznick is the advisor you can count on.