
    Does CMMC Help Mitigate Iranian Cyber Threats?

    Learn how CMMC fights Iranian cyber threats by verifying compliance with NIST SP 800-171, ensuring defense contractors protect sensitive data effectively.


    There are two things you, as a Defense Industrial Base (DIB) contractor, need to know about Iran right now:

    1. They are a real cyber threat. 
    2. Your data is a target. 

    The short answer to the question of whether the Cybersecurity Maturity Model Certification (CMMC) Program helps mitigate Iranian threats is that it absolutely does.

    We analyzed 130 cyber techniques used by five Iranian cyber threat groups and found that the security requirements defense contractors have had since 2016 still punch way above their weight class. Here’s how.


    High Level Overview:

    1) CMMC doesn’t create security. It verifies it. 

    National Institute of Standards and Technology (NIST) SP 800-171 does the heavy lifting in setting up rules for handling Controlled Unclassified Information (CUI). CMMC is only the system that verifies compliance. That is not to say CMMC isn’t essential; it provides valuable assurance to the Department of War (DoW) that contractors are holding up their end of the agreement.

    2) 2016 requirements disrupt 2026 adversaries. 

    The controls put in place by the launch of the CUI Program in 2016 still hold up to real Iranian tradecraft. That’s why the assurance provided by CMMC is so valuable. Using MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) data from five Iranian threat groups, we’ve found: 

    • 130 techniques
    • 100% of known techniques are detectable by targets
    • 68% of detected techniques are mitigatable

    Mapping real-world activity shows that just four core controls blunt nearly all of these techniques.

    3) NIST 800-171 is strong but still only a baseline.

    Only ~50% of the relevant NIST SP 800-53 controls that mitigate Iranian techniques make it into 800-171 and are therefore verified by CMMC. Since most organizations do only what is required, that minimum baseline is what actually gets implemented, and we’ll see it increase with every revision to NIST SP 800-171.

    Clarification: CMMC vs. Security Requirements 

    CMMC is a verification program, not a set of security requirements. The security requirements verified by CMMC are imposed via contract clauses. CMMC is valuable in proving that defense contractors handling sensitive data have implemented adequate security requirements. 

    The real question is whether the underlying security requirements in NIST SP 800-171 are effective. To answer that question, we need to know three things: 

    1. How cyber adversaries operate 
    2. How we can detect and/or mitigate them via security controls 
    3. Whether defense contractors are required to implement those controls 

    As long as defense contractors keep up with known Iranian cyber activity, CMMC assurance is immensely valuable. 

    What Do Iranian Cyber Actors Actually Do? 

    The MITRE Corporation maintains MITRE ATT&CK, a knowledge base that organizes the cyber “techniques” used by real cyber actors into 14 high-level “tactics”. For instance:

    • To gain “Initial Access” to a system the bad guys might use Phishing as a technique. 
    • To “Escalate Privileges” the bad guys might Modify Domain Policy. 

    You can see all 250 techniques (including sub-techniques for different operating systems/technologies) organized by tactic in the ATT&CK Matrix. All of this is based on real-world observations, cyber threat intelligence reports, security research, and malware samples. 

    Important: Every technique and sub-technique has information about how to detect and/or prevent and mitigate the activity (if possible). That means we can get an exact picture of how even the advanced threat actors operate (China, Russia, North Korea, and Iran), and what to do about it. 

    We selected five Iranian threat actors known to target the U.S. DIB. In total these groups have been seen using 130 different cyber techniques.

    Can we identify Iranian cyber threats when they strike?

    We absolutely can. 100% of the techniques used by our selected Iranian threat actors can be detected.

    For example, Tool Transfer can be detected by monitoring command execution, file creation, network connection creation, and network traffic content and flow. 

    Can we mitigate Iranian cyber techniques through prevention? 

    We sure can: 68% of the known techniques used by our set of Iranian cyber actors can be mitigated.

    89 of the 130 techniques can be mapped to specific mitigations. For example, Network Intrusion Prevention Systems can mitigate Tool Transfer techniques. 

    Important: Some techniques can’t be mitigated with preventative security controls because they are based on abusing system features and native utilities, such as Windows Command Line or PowerShell commands like “sc query,” which displays information about system services. However, we can still detect and address threats we can’t prevent. That’s why detection is greater than prevention.

    How do we detect and mitigate threats? 

    The best way to detect and mitigate threats is to simply implement security controls. NIST Special Publication 800-53 is “a catalog of security controls that can be effectively used to protect information systems from traditional and advanced persistent threats”.

    MITRE did incredible work with their “Mappings Explorer” between MITRE ATT&CK and NIST controls. 

    Turns out, there are 94 NIST controls that map to the 89 mitigatable techniques used by our selected Iranian threat actors.

    50% of the mappings stem from just 10 controls:

    Control Name                   800-53 Control ID
    System Monitoring              SI-04
    Configuration Settings         CM-06
    Baseline Configuration         CM-02
    Malicious Code Protection      SI-03
    Least Functionality            CM-07
    Continuous Monitoring          CA-07
    Least Privilege                AC-06
    Access Enforcement             AC-03
    Account Management             AC-02
    Information Flow Enforcement   AC-04

    Every one of the 89 mitigatable techniques can be mitigated to some degree by just the first four controls:

    System Monitoring              SI-04
    Configuration Settings         CM-06
    Baseline Configuration         CM-02
    Malicious Code Protection      SI-03

    Are defense contractors following mitigation controls? 

    Yes, if you’re complying with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and have implemented NIST SP 800-171 security requirements. Remember, NIST SP 800-171 is derived from NIST SP 800-53 but does not contain all controls. 

    Every one of the top 10 controls from NIST SP 800-53 is represented in NIST SP 800-171 revisions 2 and 3.

    Control Name                   800-53 Control   800-171 Requirement
    System Monitoring              SI-04            3.14.6
    Configuration Settings         CM-06            3.4.2
    Baseline Configuration         CM-02            3.4.1
    Malicious Code Protection      SI-03            3.14.2
    Least Functionality            CM-07            3.4.6
    Continuous Monitoring          CA-07            3.12.3
    Least Privilege                AC-06            3.1.5
    Access Enforcement             AC-03            3.1.2
    Account Management             AC-02            3.1.1
    Information Flow Enforcement   AC-04            3.1.3

    But only 47% of the 94 controls that mitigate our selected Iranian techniques are represented in NIST SP 800-171 revision 2.

    • 25% of the controls aren’t in the NIST SP 800-53 “moderate baseline” so they were never eligible to be tailored into the 171 baseline. 
    • 12% were tailored out based on the assumption that contractors would simply do them without being asked. 
    • 6% of the controls were tailored out of the baseline as “not relevant to protecting CUI confidentiality”.

    When we move to 171 revision 3, we’ll still sit at only 52% being represented.

    • 26% of the relevant NIST SP 800-53 controls aren’t in the moderate baseline so they can’t show up in the 171 r3 baseline. 
    • 16% are considered “not relevant to protecting CUI confidentiality”. 

    Ultimately, NIST SP 800-171 as a floor is excellent, but we’re barely covering half of the controls that directly mitigate Iranian cyber activity.
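    The coverage analysis described above (techniques mapped to 800-53 controls, the smallest set of controls that still touches every mitigatable technique, and the share of those controls carried into 800-171) can be reproduced on any technique set with a few set operations. The script below is an added example written for this article, not Summit 7’s or MITRE’s own tooling. The 800-53-to-800-171 pairs are the ten from the table above; the technique-to-control mapping is constructed sample data for illustration (it is not MITRE’s Mappings Explorer data), and the two extra controls SC-44 and SI-08 are simply assumed, for the sample, to have no 800-171 requirement.

```python
"""Reproduce the technique -> 800-53 control -> 800-171 requirement coverage analysis.

Added example; the technique mapping below is CONSTRUCTED sample data, not the
MITRE Mappings Explorer dataset. Control IDs in CONTROL_TO_171 come from the
article's table; SC-44 and SI-08 are assumed (for this sample) to be unmapped.
"""
from collections import Counter

# Constructed sample: ATT&CK techniques seen for a threat group, each with the
# 800-53 controls assumed to mitigate it. An empty set means "detect-only":
# the technique abuses a native utility and has no preventive mitigation.
TECHNIQUE_CONTROLS = {
    "Ingress Tool Transfer": {"SI-04", "CM-06", "AC-04"},
    "Phishing": {"SI-03", "SI-08", "SI-04"},
    "Modify Domain Policy": {"AC-02", "AC-03", "AC-06", "CM-02"},
    "Valid Accounts": {"AC-02", "AC-03", "AC-06", "CA-07"},
    "Command and Scripting Interpreter": {"CM-06", "CM-07", "SI-03"},
    "Obfuscated Files or Information": {"SI-03", "SC-44"},
    "System Service Discovery": set(),  # e.g. "sc query": detect, can't prevent
    "Process Discovery": set(),
}

# 800-53 control -> NIST SP 800-171 requirement, as listed in the article's table.
CONTROL_TO_171 = {
    "SI-04": "3.14.6", "CM-06": "3.4.2", "CM-02": "3.4.1", "SI-03": "3.14.2",
    "CM-07": "3.4.6", "CA-07": "3.12.3", "AC-06": "3.1.5", "AC-03": "3.1.2",
    "AC-02": "3.1.1", "AC-04": "3.1.3",
}


def detect_only_techniques(mapping):
    """Techniques with no preventive control: they must be caught by detection."""
    return sorted(t for t, controls in mapping.items() if not controls)


def mitigation_coverage(mapping):
    """Percent of techniques that map to at least one mitigating control."""
    mitigable = sum(1 for controls in mapping.values() if controls)
    return round(100.0 * mitigable / len(mapping), 1)


def control_frequency(mapping):
    """How many techniques each control mitigates (the 'top 10 controls' view)."""
    return Counter(c for controls in mapping.values() for c in controls)


def minimal_control_set(mapping):
    """Greedy set cover: repeatedly pick the control that mitigates the most
    still-uncovered techniques until every mitigable technique is touched.
    Ties break alphabetically so the result is deterministic."""
    uncovered = {t for t, controls in mapping.items() if controls}
    all_controls = sorted(control_frequency(mapping))
    chosen = []
    while uncovered:
        best = min(
            all_controls,
            key=lambda c: (-sum(1 for t in uncovered if c in mapping[t]), c),
        )
        chosen.append(best)
        uncovered = {t for t in uncovered if best not in mapping[t]}
    return chosen


def controls_missing_from_171(mapping, control_to_171):
    """Mitigating controls that no 800-171 requirement (and so no CMMC assessment) verifies."""
    return sorted(c for c in control_frequency(mapping) if c not in control_to_171)


def coverage_in_171(mapping, control_to_171):
    """Percent of distinct mitigating controls that are represented in 800-171."""
    controls = set(control_frequency(mapping))
    represented = len(controls & set(control_to_171))
    return round(100.0 * represented / len(controls), 1)


if __name__ == "__main__":
    print("detect-only:", detect_only_techniques(TECHNIQUE_CONTROLS))
    print("mitigable:", mitigation_coverage(TECHNIQUE_CONTROLS), "%")
    print("top controls:", control_frequency(TECHNIQUE_CONTROLS).most_common(4))
    print("minimal cover:", minimal_control_set(TECHNIQUE_CONTROLS))
    print("not in 171:", controls_missing_from_171(TECHNIQUE_CONTROLS, CONTROL_TO_171))
    print("171 coverage:", coverage_in_171(TECHNIQUE_CONTROLS, CONTROL_TO_171), "%")
```

    Swap the sample dictionary for a real export of technique-to-control mappings and the same functions yield the article’s three numbers: the share of techniques that are mitigable, the handful of controls that together touch all of them, and the gap between the controls that matter and the ones a CMMC assessment actually verifies. The detect-only list is the set your monitoring (SI-04 / 3.14.6) has to carry on its own.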

    What’s my organization’s role?

    This is actionable to every DoW contractor. Take your controls seriously at every turn.

    Align your business with NIST SP 800-171 and pursue CMMC, if you haven’t. If you have, go the extra mile to secure client data by implementing NIST SP 800-53 controls not yet covered by 171. To learn more about CMMC compliance and mitigating threats from foreign adversaries, reach out to a Summit 7 expert.

    Author: Summit 7 Leadership