Today is May 4th, which if you’re Adam Evans, CISSP or Bobby Guerra means it’s Star Wars Day. So, we thought we’d have a little fun.
According to Adam, had the Galactic Empire in Star Wars implemented all of the CMMC controls, the ENTIRE plot of the original movies would never have occurred.
Here’s why:
1. CMMC requires training to recognize the indicators of insider threats. Had that been achieved, the numerous spies and double agents within the Empire would have been identified and dealt with.
2. AC.L2-3.1.4 requires a separation of duties to prevent the risk of malevolent activity without collusion. Star Wars has numerous double agents with privileged access to information that defected to the Rebellion. Had that control been successfully implemented, in addition to recognizing insider threats, the success of the Rebellion may have been limited.
3. While we can all debate the effectiveness of FIPS 140-2 Validated cryptography, had the empire properly encrypted their data at rest, the chances of the Death Star plans being stolen could have been contained.
4. Speaking of data theft – Why is it that R2D2 was able to successfully plug into any computer terminal it wished? Sounds like the Empire needs some work on hardening their systems under the Configuration Management domain.
5. Lastly, had the empire followed a proper risk management framework and assessed risks to organizational systems, the vulnerability in the Death Star that was famously exploited by Luke Skywalker should have been identified with an appropriate risk response.
But in any event, it definitely sounds like Darth Vader self-assessed and reported an inaccurate SPRS score.
We hope y’all found this fun! And for the folks working through their CMMC posture – May the force be with you.
