
Would CMMC Compliance Have Prevented Damage Caused by SolarWinds Attack?

January 20, 2021 | Posted by Kate Upton | Category: CMMC

The Cybersecurity Maturity Model Certification (CMMC) has always been clear about its mission: to create more secure information systems within the Defense Industrial Base (DIB). Before the establishment of the CMMC, DIB companies only had to self-attest to meeting NIST 800-171 requirements. The CMMC requires that organizations prove compliance by having their information systems certified through third-party audits. This new approach is much like the “trust but verify” stance that President Reagan took during the nuclear standoff with the Soviets during the Cold War, minus the trust. The added layer of accountability for organizations within the DIB will ensure that organizations are doing what they say they are doing. NIST 800-171 requires every organization, at a minimum, to have a system security plan (SSP), to define system boundaries, and to identify all gaps in a plan of action and milestones (POA&M). Based on the experience of OCD Tech, most Defense contractors currently fall far short of those minimum requirements. The CMMC demands not only that all Defense contractors meet the bare minimum but also that they have no gaps in their cybersecurity program.

However, the question remains: would this added layer of accountability for compliance have insulated the DIB against the SolarWinds attack? The short answer is no. In the world of cybersecurity consulting and auditing, one thing has always been made clear: compliance does not equal security. Indeed, organizations should treat compliance frameworks as a minimum standard for security. In other words, CMMC establishes the minimum of what an organization ought to be doing in its environment to be deemed acceptable for the award of contracts.

The CMMC requires organizations to perform maintenance on organizational systems (MA.2.111), which includes installing patches and updates from vendors. Many organizations affected by the SolarWinds attack were practicing “good” cyber hygiene by installing the software updates SolarWinds sent them. Cybersecurity professionals at every level should regularly update software after reviewing the system impact and security implications of the changes. Unfortunately, it was a software update that contained the malicious code, which installed a backdoor into every system that applied the update pushed by SolarWinds. Many of the affected organizations were doing their best to do the right thing; however, this attack proves that compliance with cybersecurity frameworks does not always insulate organizations from attacks.

One of the hallmarks of “good” cyber hygiene is having policies and procedures in place. In fact, the CMMC demands policies and procedures starting at maturity level two (XX.2.999 and XX.2.998 respectively). The main reason that policies and documented procedures are essential to good cyber hygiene is that they are the founding documents for a company’s cybersecurity program. You simply cannot have a cybersecurity program without policies. Without established policies, procedures are performed ad hoc, practices and responses to incidents are inconsistent, and disparate efforts across your company may not align to support the common goals of security. Policies establish organizational expectations for planning and performing cybersecurity activities and communicate those expectations to the organization. Senior leaders within an organization should sign and support the policies to demonstrate their buy-in to cybersecurity activities.

Establishing cybersecurity policies is the first step to “good” cyber hygiene, and ensuring those policies contain the right controls is the second step. With regard to the SolarWinds attack, and recognizing that this type of exploit could not have been prevented downstream, one of the most impactful controls downstream companies can implement is a robust policy to create and review audit logs. The term “audit log” shows up 169 times in the CMMC Assessment Guide, and not just in the Audit and Accountability domain. Audit logs are simply a record of events and changes in a system. Malicious cyber actors and authorized users alike create events and changes in a system, and by logging those events and changes it becomes possible to detect deviations from baseline activity, whether by manual review or with a tool built to detect such deviations. For example, if your company is on the East Coast, generally works Monday through Friday from 0800 until 1700 (cushy job!), and observes Federal Holidays, you would expect a lot of events and changes during those hours. However, even a manual review of audit logs could uncover potentially malicious activity if changes and events are logged over a long holiday weekend or observed nightly after 1700 EST/EDT. Specialized tools can detect much more nuanced variances from baseline activity; however, detection is still based on observed events and changes. Considering the SolarWinds attack, companies should establish, through policy, the types of events that necessitate logging, define the frequency at which those logs are audited, and establish the procedures that enable the established logging and auditing policies.
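The baseline review described above, as an added example that is not part of the original post or any OCD Tech tooling: it parses constructed audit log lines (UTC timestamps followed by key=value fields, a format assumed for the example) and flags every event that falls on a weekend, on an observed holiday, or outside 0800-1700 Eastern, letting the tz database handle the EST/EDT switch. The holiday set is constructed and deliberately short.

```python
from datetime import date, datetime
from zoneinfo import ZoneInfo

EASTERN = ZoneInfo("America/New_York")   # EST/EDT offsets come from the tz database
WORK_START, WORK_END = 8, 17              # 0800-1700 local, the baseline from the post
# Constructed holiday set for this example; a real policy would load the full
# observed Federal Holiday calendar.
OBSERVED_HOLIDAYS = {date(2021, 1, 18)}   # Martin Luther King Jr. Day, 2021

def baseline_deviation(ts_utc):
    """Return why a UTC timestamp falls outside the working baseline, or None."""
    local = ts_utc.astimezone(EASTERN)
    if local.date() in OBSERVED_HOLIDAYS:
        return "holiday"
    if local.weekday() >= 5:               # 5 = Saturday, 6 = Sunday
        return "weekend"
    if not WORK_START <= local.hour < WORK_END:
        return "after-hours"
    return None

def parse_line(line):
    """Parse one constructed log line: '<ISO-8601 UTC> key=value ...'."""
    stamp, *fields = line.split()
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = ts
    return record

def review_audit_log(lines):
    """Manual-review helper: return the records that deviate from the baseline."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        reason = baseline_deviation(rec["ts"])
        if reason:
            rec["reason"] = reason
            rec["local"] = rec["ts"].astimezone(EASTERN).strftime("%a %Y-%m-%d %H:%M %Z")
            flagged.append(rec)
    return flagged

# Constructed sample entries (not real logs); timestamps are UTC.
SAMPLE_LOG = [
    "2021-01-15T15:30:00Z host=srv01 user=jdoe event=login",              # Fri 10:30 EST
    "2021-01-16T03:12:44Z host=srv01 user=svc_mon event=config_change",   # Fri 22:12 EST
    "2021-01-18T14:05:00Z host=srv02 user=admin event=new_service",       # Mon 09:05 EST, holiday
    "2021-01-19T21:59:59Z host=srv02 user=jdoe event=file_access",        # Tue 16:59 EST
    "2021-07-07T21:30:00Z host=srv03 user=svc_mon event=outbound_dns",    # Wed 17:30 EDT
    "2021-07-07T20:30:00Z host=srv03 user=jdoe event=logout",             # Wed 16:30 EDT
]

if __name__ == "__main__":
    for rec in review_audit_log(SAMPLE_LOG):
        print(rec["local"], rec["host"], rec["user"], rec["event"], "->", rec["reason"])
```

Three of the six constructed entries are flagged: the Friday-night configuration change, the Monday-holiday service creation, and the 17:30 EDT outbound DNS event, which would have looked in-hours had the review used a fixed UTC-5 offset.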

While the SolarWinds attack itself could not have been prevented by downstream recipients of the SolarWinds software, good cyber hygiene combined with a proactive cybersecurity posture can help companies detect future exploitation of the implanted malicious code carried by the SUNBURST malware. No compliance framework can prevent an organization from falling victim to such a sophisticated attack; however, good cyber hygiene can mitigate and remediate damage from malicious cyber actors.

Tags: CMMC Certification, CMMC Readiness, NIST 800-171

About Kate Upton

Kate Upton is the IT Government Compliance Team Lead at OCD-Tech. Kate has been with the firm since May 2019. Before joining the firm, Kate received her Bachelor’s degree in Political Science & Legal Studies from the University of Maine and went on to earn a Master’s degree from Northeastern University in Strategic Intelligence. She dedicates her time at the firm to meeting the unique compliance needs of clients in the Defense Industrial Base with projects including CMMC, NIST 800-171, NIST 800-53, and DFARS rules. Kate lives in Portland, Maine with her dog Lucy.
