The DoD’s Cybersecurity Maturity Model Certification—As Explained by the Classic Movie Independence Day
Trivia Question: What movie is this quote from, and who said it?
“Get on the wire to every squadron around the world. Tell 'em how to bring those sons-a-BLEEPS down!”
Trivia Rules: Use your brains, memory and reasoning to figure these out vs. google, IMDB, etc.
In a highly technical world where we are all are more connected everyday, the opportunity for cybersecurity risks, threats and vulnerabilities facing organizations are growing daily and at an almost exponential rate. Add to that mix the fact that most organizations around the world are currently facing a long-term cybersecurity exposure by having most of their workforce working remotely instead of from the office, contract or customer location, where the systems, networks and data are presumably more secure.
During the COVID-19 pandemic, a new cybersecurity model, program and ecosystem has been emerging – the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). Aimed at protecting controlled unclassified information (CUI), CMMC is rapidly becoming one of the biggest new challenges facing government contractors and integrators. The program is ambitious and aggressive in both scope and timing. Ultimately, CMMC is targeted at the 350,000 organizations currently known/estimated to be in the Defense Industrial Base (DIB) by the end of fiscal year 2026.
Based on previous similar models and standards, such as the CMMI Cybermaturity Platform, NIST Standard 800 171, applicable Defense Federal Acquisition Regulation Supplements (DFARS), and others, the CMMC provides cyber controls and a process maturity path for organizations to achieve and maintain basic and advanced cyber hygiene. At the core of the NIST and CMMC standards are some common activities:
- Identify – Use organizational understanding to minimize risk to systems, assets, data and capabilities.
- Protect – Design safeguards to limit the impact of potential events on critical services and infrastructure.
- Detect – Implement activities to identify the occurrence of a cybersecurity event.
- Respond – Take appropriate action after learning of a cybersecurity event.
- Recover – Plan for resilience and the timely repair of compromised capabilities and services.
How about a practical example of each of these using a popular movie? I give you some relevant cybersecurity analogy snippets from the 1996 classic Independence Day.
Identify: Main character David Levinson (played by Jeff Goldblum) is the first in the movie to understand that the underlying coordinated signal being seen by both commercial and military satellite systems is a coordinated threat to the planet. Recognizing the magnitude of the threat, he goes “organizational” by contacting his ex-wife, Constance Spano (played by Margaret Colin) to reach the President of the United States to explain his understanding of the threat.
Protect: Aside from directly engaging with the military, and specifically General William Grey (played by Robert Loggia), Levinson and others, including the now-convinced President of the United State and rest of the cast start efforts to protect the US and the world, through a coordinated assault on the alien spacecraft around the world.
Detect: Once Levinson identified the hidden satellite signal, steps needed to be taken to communicate with military operations around the world since the aliens were blocking telecommunications and satellite links – an alien hack of global proportions! Note that this detect activity was also actively continued in the sequel to the original movie, Independence Day: Resurgence, where the new cast actively use the aliens’ technology as both defensive and detection tech to warn if the aliens (hackers) were to return.
Respond: The movie had a great double-twist of cybersecurity fun on this one! The aliens had tech that protected them, their ships, their communications and systems. And how did the cast bring it down? By introducing a virus that made the protective barrier ineffective in stopping missiles, etc. Essentially Levinson hacked the alien’s system code using a virus –in other words, something that would normally be seen as a threat became the penetration test needed to get past the alien defensive system – cybersecurity at its best and perhaps most ironic!
Recover: Aside from the aforementioned sequel to the original movie, multiple scenes throughout the movie showed how characters like First Lady Marilyn Whitmore (played by Mary McDonnell), and Jasmine Dubrow (played by Vivica A. Fox) worked on recovery as they made their way to the US Air Force Base in search of her boyfriend Captain Steve Hiller (played by Will Smith).
So the CMMC introduces two sides of a solid cybersecurity approach. On what is referred to as the “left side” of the CMMC model are the domains and practices of the CMMC. These groupings of practices (controls) are what the CMMC sets out, by Maturity Level, as needed for basic cyber hygiene. So how do you reach the various maturity levels? That’s where the “right side” of the CMMC model comes into play, starting with ML2 and continuing through to ML5, policies, plans, processes, training, etc. are needed to ensure that the practices/controls are being maintained – and using a CMMI V1.3 term – are institutionalized – what we call “habitual and persistent” now in CMMI V2.0.
So what’s an example of a process maturity analogy from Independence Day? Easy! When General Gray makes the statement above in this blog’s trivia question, did you notice – he didn’t explain WHAT to tell those squadrons around the world, but they were sending that notification over the wire within seconds of his order. A more effective approach that the movie skipped over would have been to get agreement on the specifics of how the first alien ship was brought down, and remember, it couldn’t be a hit on the protective doors around the primary weapon – it took character Russell Casse (played by Randy Quaid) flying his ship, with his loaded and active (“I’m packin’, Mr. President!”) to make direct contact with the weapon and then exploding. Could it have been done without the plane and just sending the missile? We’ll never know unless edited-out scenes exist, but that’s what a resilient “cyber-savvy” organization would have done – a second plane could have been used to test (verify and validate) whether a missile alone was effective.
The U.S. military uses templates and communications protocols to ensure that communications across the battlefield are consistent and that defensive protocols, actions and steps needed to communicate and coordinate an effective counterstrike and ensure that it would work consistently. That’s the right side of the CMMC at work!
Stay tuned to this same Bat-Channel for more on CMMC as we continue to work with and support the CMMC ecosystem!
View more information about CMMC and sign up to stay informed of the latest news here.