
Navigating the Cyber Maturity Model Certification (CMMC)

By Ron Comeau, Christopher Butler, and Rodolfo Ornelas

A PUBLICATION OF

Contents

1. Overview

2. “We Want CMMC – Whatever that is…”

3. Plenty of Work Ahead

4. Applying the CMMC Requirements Framework

5. You Are Not Alone

6. Summary

1. Overview

The Government has frightened contractors, especially small businesses, by announcing that without Cyber Maturity Model Certification (CMMC), a company cannot be considered for a Government contract. The trouble is, very few people can accurately answer what being CMMC certified (yes, a technically redundant term) means, let alone translate it into return on investment (ROI) terms. If CMMC compliance costs a company $100,000 to keep a Government contract that yields a profit of $10,000, why should the company pursue CMMC? The only way to know is to do the difficult work of determining solid estimates for cost-benefit analyses. SandTech had to figure this out for itself. We then applied the (hard) lessons learned to other companies to present them with cost-benefit analyses. As soon as we lay out the figures, the business case (pro or con, depending on the company) is clear.

2. “We Want CMMC – Whatever that is…”

What is CMMC? CMMC is a Federal program to ensure its Controlled Unclassified Information (CUI) is protected. CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information. Federal Contract Information (FCI) is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” It does not include public information or certain transactional information. CUI is a subset of FCI: FCI simply cannot be shared, whereas CUI must additionally be proactively safeguarded.

First, let us make sure we understand the Government’s perspective.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) states:

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.

The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.

The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.

Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level.

Plain-talk Translation:

Government data is getting hacked and sometimes hackers are getting Government data because it resides in contractor IT systems that are not protected very well.

The Government provided some pretty good guidelines (e.g., the National Institute of Standards and Technology [NIST] Special Publication 800-171 Revision 2 [NIST 800-171 r2]) for years on how contractors can keep data secure, but contractors are inconsistent in applying those controls.

Now, CMMC is making those guidelines mandatory, but softening the blow by implementing levels and giving companies a bit of time to adjust. A company does not have to apply all the controls, but the Government needs to know how secure each company is.

The Government tried letting companies assess themselves, but found almost all those assessments to be inaccurate, so there must be a third-party certifier.

The GOAL is for CMMC to be affordable for small businesses, but realistically, it will cost a company a substantial amount of money to apply the controls and pay for a third-party certifier.

Why CMMC? NIST 800-171 r2 puts it best: “The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.” Therefore, the NIST 800-171 (and CMMC) “…requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.”

Chicken-Egg Problem

NIST 800-171 r2, p. vii, states its requirements to protect CUI are “only applicable” to nonfederal systems when “mandated” in a contract, grant, or other agreement. So, a company does not need to implement CMMC until it is awarded a contract that grants access to CUI and the contract mandates its protection. However, if a company must prove in a proposal that it can process, store, and/or transmit CUI, it must show that it has those NIST controls in place. If the company already has the controls in place, it is ready to be certified for CMMC. If the company is ready for CMMC certification, would it not be best to prove that by actually having achieved the CMMC certification? So, while a company does not need to be CMMC certified to win a contract with CUI, it certainly seems to be a competitive advantage to be certified. Further, if one or two companies in a competition have a CMMC certification, it quickly becomes a competitive criterion – which is probably what the smart people in Government intended all along.

The Devil is in the Details

When one dives into NIST 800-171 r2 to apply the controls, one will see that there are far more than just the 110 controls identified in Appendix D. Appendix E lists an additional 62 Nonfederal Organization (NFO) controls for any NFO (i.e., company) that stores, transmits, or processes CUI. The requirement for NFO controls is stipulated in section 2.1 of NIST 800-171 r2, which states there are three fundamental assumptions to account for:

1. The laws and agency rules that require protecting CUI are consistent;

2. The safeguards implemented to protect CUI are consistent in both federal organizations and NFOs; and

3. CUI has a “moderate” confidentiality impact value (using the FIPS 199 definitions).

In other words, all the federal agencies require the same level of protection for all CUI; CUI has the same value whether it resides on a Government system or a contractor’s system; and a compromise would have a serious impact on the Government. Thus, this is serious business.

First, Find the Target

As with most things, more is better. Again, as with most things, more takes much more time and much more money. So, the first step is to assess the initial target goal for the company.

CMMC Level 1: A company must perform “basic cyber hygiene” practices, such as using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information (FCI).

CMMC Level 2: A company must document certain “intermediate cyber hygiene” practices to begin to protect any CUI through implementation of some of NIST 800-171 r2 security requirements.

CMMC Level 3: A company must have an institutionalized management plan to implement “good cyber hygiene” practices to safeguard CUI, including all the NIST 800-171 r2 security requirements as well as additional standards.

Having a corporate management program to implement ALL the NIST requirements is significantly more difficult than the basic hygiene of implementing passwords and antivirus software. However, in a competitive source selection, which CMMC Level will be viewed as a stronger discriminator? Again, more is better, but this may be an evolutionary transition process rather than all-at-once culture change. Even Federal contracts that do not require contractors to handle CUI are still being required to be certified to CMMC Level 1. Thus, CMMC is becoming a prerequisite for Federal contracts.

Go Forward 10 Steps

Now that we have looked at our options (for now, we will forgo considering Levels 4 and 5), let us look at how we hit the target. CMMC suggests this is a 10-step program. We talked about steps 1-3 above. Step 4 is having a knowledgeable person (internal or external to your organization) take a quick look at your organization’s current security tools and practices and provide a report of how good/bad things are. Regardless of any management decision to pursue a CMMC Level, one should at least address any findings from the pre-assessment. Keeping CUI safe is one thing, but if you cannot even protect your own company’s assets, it is simply a matter of time before your company is hacked.

CMMC’s Suggested Steps

1. Learn and Understand about CMMC Requirements

2. Identify scope (Enterprise, Unit, or Program)

3. Identify desired Maturity Level

4. Pre-assessment

5. Remediate

6. Hire C3PAO from Marketplace

7. C3PAO conducts assessment

8. Up to 90 days to remediate findings

9. CMMC-AB reviews C3PAO’s assessment

10. If approved, 3-year cert awarded

Once your findings have been remediated (Step 5), we can consider the next steps. Here is where the CMMC program is showing its immaturity. We cannot proceed any further (Steps 6-10) at this time because we cannot hire a C3PAO. In fact, there are no C3PAOs currently out there. This issue can only be resolved by the CMMC Accreditation Body (CMMC-AB). Simply put, CMMC-AB requires assessors to take its MANDATORY AND EXCLUSIVE training, but it has not developed that training yet. Applications have been submitted and they are hoping to resolve it soon. But Steps 6-10 remain out of reach. Hence, federal contract vehicles can only ask companies to self-assess and self-attest a maturity level. It is a start…

Fortunately (well, kinda’), most companies have enough to do to get through Step 5, so let us focus on what we can do. The Step 4 Pre-assessment is essentially the gap analysis of where your organization scores against the desired Maturity Level.

3. Plenty of Work Ahead

Most companies will have their hands full with Steps 3-5. Additionally, based on the pre-assessment results and how difficult/expensive some remediation actions may be, those steps may need to be iterative. One may find that a goal of Level 3 is just not attainable in the next year or two. We suspect most companies will face that realization. Still, remediating security gaps is never a bad thing. Thus, a company may need some time to accomplish Step 5.

Where people tend to get confused with the CMMC program is trying to nail down which NIST 800-171 CUI controls and CMMC practices will apply to one’s own company. The good news is CMMC Level 1 is relatively easy for a company to achieve. The requirements are represented by the gold boxes in Figure 1. Each box represents a control in NIST 800-171 r2. Implement the control (e.g., 3.1.20 is “Verify and control/limit connections to and use of external systems.”) and you can check off that box. Take care of the other 16 controls as well and you are ready to be assessed as CMMC Level 1 compliant. Congrats!

Figure 1 depicts the Level 2 controls in the middle. To be certified Level 2, an organization must, of course, also meet all the Level 1 controls. Still, Level 2 is intermediate cyber hygiene, so it is a laudable goal to achieve Level 2 (and will make your own systems and data safer).

Figure 1. CMMC Level 3 requirements exceed NIST 800-171 requirements.

The Other Shoe

Many companies are hoping to achieve at least Level 3. Level 3 looks average and it may soon be. However, as Figure 1 shows, Level 3 requires a company to meet ALL the controls in NIST 800-171 r2 AND implement 21 additional controls too (shown in orange on the right). Thus, all NIST 800-171 r2 controls can be mapped to a CMMC practice (control), but not all CMMC practices (controls) have a corresponding NIST 800-171 r2 control equivalent.

Implementing all the controls to achieve CMMC Level 3 is going to be a significant challenge for most companies and impossible without expert cybersecurity help. It will help distinguish those still in the process of maturing their cybersecurity program from those that are secure. CMMC Level 3 will be quite an accomplishment for those companies that can get there and should be worn as a “badge of honor”.

4. Applying the CMMC Requirements Framework

Why are we applying the controls? Because for secure systems and data, we need to address security in many different areas. For example, ensuring everyone has passwords is useless if we ignore physical security. Likewise, having a well-thought-out incident response plan is great, but the risk of activating it could be minimized if the system administrators applied security patches in a timely manner. CMMC identifies these different areas as domains as shown in Figure 2.

The CMMC model framework organizes processes and cybersecurity best practices into a set of domains. Those domains are further broken down into two groups, Processes and Capabilities. Further, Capabilities are employed through Practices.

CMMC Domains

Access Control

Asset Management

Audit & Accountability

Awareness Training

Configuration Management

Incident Response

Maintenance

Media Protection

Personnel Security

Physical Protection

Recovery

Risk Management

Security Assessment

System & Communications Protection

System & Information Integrity

Figure 2. Domains ensure all threat vectors are addressed.

Crosswalk Sample

To achieve anything higher than Level 2, one must develop a crosswalk of the additional applicable documents. There is, admittedly, quite a bit of work to do to gather all the documents and sift through them to see which controls are mandated. Then, a company must assess how those controls apply in its specific situation. It helps to develop a “crosswalk” to show which controls from which document need to be assessed, and then later how each control applies to the organization. A sample crosswalk document, showing domains, source documents, and CMMC levels, is shown in Figure 4.

Process maturity characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The goal of CMMC is to ensure all NFOs that handle CUI have mature processes. Practices are activities performed at each level for the domain; practices are to CMMC essentially what “controls” are to NIST 800-171 r2. The theory is that, to be effective, an organization must have efficient practices in place AND manage them effectively with proven processes. As depicted in Figure 3, once an organization has both the technical practices and process maturity in place, it should qualify for the corresponding CMMC Maturity Level.

Figure 3. Practice and Process are required to advance CMMC Level.

Figure 4. Sample Crosswalk for Assessing an Organization for CMMC. Chart used by permission from ©2021 CMMC-COA ( https://www.cmmc-coa.com/cmmc-awesomness ), unchanged, under CC BY-ND 4.0 license ( https://creativecommons.org/licenses/by-nd/4.0/ ).

This sample is just a very small piece of what becomes a very large spreadsheet. However, one must capture all the information in a single place to have an effective assessment. Just from this sample, one can appreciate that the finished product will address:

17 Domains (such as “Awareness and Training”)

43 different capabilities (such as “CO12 Conduct training”)

171 practices, which are like NIST 800-171 r2 controls (such as “AT.4.060”)

Multiple processes that are applicable for various CMMC Levels (such as those shown for MC01-AT)

To say that sorting through all of it is daunting may be an understatement. Achieving any CMMC level beyond Level 1 will require time, expertise, and attention to detail.

The Other Other Shoe

As mentioned before, there are an additional 21 controls required to achieve more than Level 2 that are not listed in NIST 800-171 r2. They are:

AM-C005-P1035. Identify, categorize, and label all CUI data.

AM-C005-P1036. Define procedures for the handling of CUI data.

AA-C008-P1048. Collect audit logs into a central repository.

AA-C010-P1044. Review audit logs.

IR-C017-P1093. Detect and report events.

IR-C017-P1094. Analyze and triage events to support event resolution and incident declaration.

IR-C018-P1096. Develop and implement responses to declared incidents according to pre-defined procedures.

IR-C019-P1097. Perform root cause analysis on incidents to determine underlying causes.

RE-C029-P1137. Regularly perform and test data back-ups.

RE-C029-P1139. Regularly perform complete and comprehensive data back-ups and store them off-site and offline.

RM-C031-P1144. Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

RM-C032-P1146. Develop and implement risk mitigation plans.

RM-C032-P1147. Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

SAS-C036-P1162. Employ code reviews of enterprise software developed for internal use to identify areas of concern that require additional improvements.

SA-C037-P1169. Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.

SCP-C039-P1179. Use encrypted sessions for the management of network devices.

SCP-C040-P1192. Implement Domain Name System (DNS) filtering services.

SCP-C040-P1193. Implement a policy restricting the publication of CUI on publicly accessible websites (e.g., Forums, LinkedIn, Facebook, Twitter, etc.).

SII-C043-P1218. Employ spam protection mechanisms at information system access entry and exit points.

SII-C044-P1219. Implement DNS or asymmetric cryptography email protections.

SII-C044-P1220. Utilize email sandboxing to detect or block potentially malicious email attachments.

5. You Are Not Alone

You Have a Friend With Experience! At SandTech Solutions, we were able to apply our decades of experience in cybersecurity with the Department of Defense to get ahead of CMMC. People at SandTech helped create and refine how assessments were done in the Air Force and we continue that work today. Therefore, CMMC controls are simply the same practices and procedures that we recommended to countless DoD organizations. We know how to do this.

SandTech did a self-assessment and found that we had a couple of processes we had to mature but could achieve Level 1 and Level 2 fairly easily. To achieve Level 3, we found we needed to make some hardware and software purchases and our management team is planning to implement those, along with the associated controls, over the next year. We were even able to integrate these processes into our ISO 9001, ISO 20000, and ISO 27001 quality programs to make them even stronger.

The Next Steps

If the information in the previous pages looks like a little more than your company can handle at this time, we can help. SandTech recommends that we address the CMMC steps in phases. That makes it manageable, and your company will have a smoother, gradual transition, because a company must embrace CMMC as part of its culture. That takes time. A phased approach will be more successful.

Phase 1 Milestones consist of steps 1-4:

1. Learn and Understand about CMMC Requirements.

2. Identify scope (Enterprise, Unit, or Program)

3. Identify Desired Maturity Level

4. Conduct the Pre-assessment.

Phase 2

This is your organization’s option for addressing Remediation (Suggested CMMC Step 5). The Remediation step addresses the gaps discovered in the pre-assessment.

Phase 3

After all documentation and initial remediation is complete (Phases 1 and 2), we collectively perform continuous monitoring of those control implementations, thus managing compliance for your organization.

Phase 1 Details

We have found some companies appreciate our counsel throughout while others just call us in to do the Pre-assessment. We are happy to support you in any manner you wish. We can provide briefings, documentation, and references for understanding the CMMC requirements. We can help you walk through your scope considerations. We can discuss the pros and cons of trying to achieve a desired CMMC maturity level. Then, we can conduct the Pre-assessment or help your staff do it.

During the Pre-assessment (Gap Analysis), we will assess the current state of your systems and procedures. Our approach crosswalks cybersecurity and privacy laws, regulations, and frameworks to find commonality. We add that into your customized spreadsheet (like Figure 4). The idea is that when we aggregate all the applicable statutory, contractual, and regulatory obligations for your organization, they can be mapped and answered by your corporate-specific security literature. If none exists, then we can help you get there too, as that documentation will be needed for anything beyond Level 1.

Any finding from the pre-assessment should be addressed with a Plan of Action and Milestones (POAM). We create reference numbers for those POAMs and add that into your crosswalk. We will also add internal corporate documentation (e.g., operational procedures) as references to prove that you are addressing the “How” of how a security control is applied in your specific environment.
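The crosswalk described in section 4 and the POAM references described above can be kept as a small structured table and queried, which makes the level-by-level gap visible before anyone opens the full spreadsheet. The following is an added example, not code from the paper or from SandTech; it assumes a constructed crosswalk (CMMC-only practice IDs, AT.4.060 and NIST 3.1.20 are taken from the paper; the placeholder practice IDs, the other NIST numbers, every status/evidence value and the POAM numbering scheme are assumptions) and the cumulative rule that a target level requires every lower level's practices.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CrosswalkRow:
    """One crosswalk row: a CMMC practice, its source, and the pre-assessment result."""
    practice: str          # CMMC practice ID
    domain: str            # CMMC domain
    level: int             # lowest CMMC level that requires the practice
    nist: Optional[str]    # NIST 800-171 r2 control it maps to, or None if CMMC-only
    implemented: bool      # pre-assessment finding: in place or not
    evidence: str = ""     # corporate document that shows the "how" (empty = none yet)


# Constructed sample crosswalk (not a real organization's data).
# "*-EXAMPLE" practice IDs are placeholders for NIST-derived practices;
# AT.4.060 is a Level 4 practice (the ".4." in its ID), so a Level 3 target excludes it.
SAMPLE_CROSSWALK = [
    CrosswalkRow("AC-L1-EXAMPLE", "Access Control", 1, "3.1.1", True, "AC-SOP-01"),
    CrosswalkRow("AC-L1-EXAMPLE-2", "Access Control", 1, "3.1.20", True, "AC-SOP-04"),
    CrosswalkRow("AU-L2-EXAMPLE", "Audit & Accountability", 2, "3.3.1", False),
    CrosswalkRow("AM-C005-P1035", "Asset Management", 3, None, False),
    CrosswalkRow("AA-C008-P1048", "Audit & Accountability", 3, None, False),
    CrosswalkRow("RE-C029-P1137", "Recovery", 3, None, True, "BK-SOP-02"),
    CrosswalkRow("AT.4.060", "Awareness Training", 4, None, False),
]


def required_for(rows, target_level):
    """Levels are cumulative: a target level pulls in every lower level's practices."""
    return [r for r in rows if r.level <= target_level]


def gap_analysis(rows, target_level):
    """Pre-assessment gap: required practices that are not yet implemented."""
    return [r for r in required_for(rows, target_level) if not r.implemented]


def highest_achievable_level(rows):
    """Highest level whose required practices are all implemented (0 if none)."""
    achieved = 0
    for lvl in sorted({r.level for r in rows}):
        if all(r.implemented for r in required_for(rows, lvl)):
            achieved = lvl
        else:
            break  # a gap at this level blocks every higher level too
    return achieved


def build_poam(gaps, prefix="POAM"):
    """Give each gap a reference number that can be cited back in the crosswalk.
    The numbering scheme here is hypothetical, not a CMMC requirement."""
    ordered = sorted(gaps, key=lambda g: (g.level, g.domain, g.practice))
    return [
        {
            "ref": f"{prefix}-{n:03d}",
            "practice": r.practice,
            "domain": r.domain,
            "level": r.level,
            "source": f"NIST 800-171 r2 {r.nist}" if r.nist else "CMMC-only practice",
            "evidence_needed": not r.evidence,
        }
        for n, r in enumerate(ordered, 1)
    ]


def level_summary(rows, target_level):
    """Per-level counts of required vs. implemented practices up to the target."""
    out = {}
    for r in required_for(rows, target_level):
        bucket = out.setdefault(r.level, {"required": 0, "implemented": 0})
        bucket["required"] += 1
        bucket["implemented"] += int(r.implemented)
    return out


if __name__ == "__main__":
    print("Highest level achievable today:", highest_achievable_level(SAMPLE_CROSSWALK))
    for item in build_poam(gap_analysis(SAMPLE_CROSSWALK, 3)):
        print(item)
    print(level_summary(SAMPLE_CROSSWALK, 3))
```

With the sample data the organization is Level 1 today, and a Level 3 target produces three POAM items (one NIST-derived Level 2 gap and two CMMC-only Level 3 gaps) while leaving the Level 4 practice out of scope.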

Your organization can take two options for addressing the findings of Phase 1.

1. The first is that your in-house IT and/or cybersecurity team can systematically research, engineer, plan deployment, implement, and monitor deployment statuses of accepted solutions.

- OR -

2. Leverage SandTech as your organization consultant. That way we work with your team(s) to plan, subscribe, and deploy already approved technology solutions that address these gaps. Because we have gone down this same road ourselves and with other companies, we know exactly what solutions are cost effective and satisfy the CMMC level you want to get to.

If you decide to work with SandTech, we bring tools and experience to help not only address the complex cybersecurity issues, but to help communicate to various stakeholders as needed. We can sit down with the system administrators and show them what needs to be done. We can work with your managers and help them develop documentation and procedures. We can address the C-Suite to ensure executives understand what we are talking about and what sort of systems, procedures, staff, and funding are required to become compliant. SandTech has multiple deliverables, such as the dashboard shown in Figure 5, that it makes available to companies we help assess. Artifacts like these help executives understand the situation without needing to dive into technical compliance details.

Figure 5. System Assessments are Complicated - Discussing them Should Not Be

Phase 2 Details

Phase 2 focuses on Remediation. Your company needs to address each of the shortfalls found during the pre-assessment. Even if you choose to forego CMMC at this point, addressing any problems found during the assessment is still a great idea. Every company has vulnerabilities. You cannot manage those risks until you know what they are.

At a high level, we take the following actions during Phase 2 to conduct Remediation Control Implementation.

Generate POAM for resolving non-compliant controls

• Define roles and responsibilities to achieve and maintain compliance

• Take results from the Pre-assessment and develop a plan to achieve compliance and mitigate existing gaps

• Obtain stakeholder approval/feedback on POAMs and adjust as necessary

Implement Actions

• Create or re-write policies

• Modify and test any applicable security feature already existing inside client infrastructure

• Plan, build, deploy, and test any applicable security solution that does not already exist inside the client infrastructure

• Perform Before & After Assessment

Phase 3 Details

Phase 3 is the somewhat mundane (but no less important) Compliance Management phase. At this point, we are “Managing the Calm”.

This is the ideal mode you want for your company. This should be your “steady state”. After all documentation and initial remediation is complete (Phase 1 and 2), we collectively perform continuous monitoring of those control implementations. We confirm the controls are effective, adjust to new factors/technology, and continue to advance practices and procedures. Thus, we are managing a compliance state.

Figure 6. Phase 3 - "Calm" Does Not Mean "Simple"

We are here for you and will work alongside you, whether that is providing support for an audit or ensuring the daily, weekly, monthly, and annual compliance activities are completed and documented. This way your organization can streamline that reassessment and/or certification process. Thus, it is like having a virtual Government Risk Compliance (GRC) Team at the ready instead of having your own employees on stand-by.

6. Summary

The Government is continuing to develop and evolve CMMC requirements and guidance, but the goals are clear and the initial steps are available to most federal contractors. All federal contractors will eventually need to achieve at least CMMC Level 1. Going beyond Level 1 will require people to digest CMMC control requirements, assess their own convoluted systems, produce plans to apply controls to their systems, implement the plans, then confirm that the plans were effective. Since CMMC will require a corporate culture shift, there needs to be a common understanding amongst system administrators, database managers, IT Directors, executives, and perhaps even lawyers. Companies will need CMMC experts, senior system administrators, project managers, and executive commitment. SandTech possesses those skill sets in people who are also gifted communicators, ready to explain a custom plan for each of our customers. If the skills to achieve CMMC are not available within a company, SandTech is ready to help.