The new Cybersecurity Maturity Model Certification (CMMC) regulation has the industry ramping up federal contractor security from the prime contractors down through the supply chain. The biggest issue with the new regulatory requirement is usually where to begin, and that begins with determining which maturity level (ML) the organization needs. Once that is determined, the next issue is how much work is necessary to get you there.
Along the way, there are several challenges to overcome as you move through the process. My organization is working towards becoming a certified 3rd Party Assessment Organization (C3PAO) for CMMC. One of our requirements to meet this authorization is to achieve a maturity level of 3 (ML3). Here are several lessons that my team has uncovered as we moved through the process. Not everyone has the same issues, but knowing them ahead of time can help reduce the number of challenges you might face.
The first challenge is to determine the maturity level your organization will require. There are five maturity levels. ML1 is the simplest, with only 17 security controls. The most common level will be ML3, which is the minimum for protecting controlled unclassified information (CUI) on non-federal systems.
The easiest and most effective way to determine your level is simply to ask the prime contractor or federal agency you contract with. However, there are times when the primes and agencies may not know what your level needs to be, but they certainly know their own ML requirement. The other methods are either to rely on "better safe than sorry" or to determine your chance of receiving CUI data. Think of CUI data as specifications outside of normal off-the-shelf solutions that a federal agency could acquire from a catalog or through a contract vehicle such as GSA.
Another issue is security policies and procedures. ML1 does not require documentation, so keep that in mind. However, if it is determined that you will receive or need to work with CUI data, you will have to create and manage several documents. If you have not conformed to security policies in the past, you will learn that every system decision likely ties to at least one security control and will require enforcement controls. The decisions you make in policies will require evaluation of your product and service solutions. This means you will have to look for products that provide features you did not need in the past. It is no longer acceptable to select products for functionality alone; we now must consider the security components. For example, products and cloud-based services will require multifactor authentication, least privilege for administration, and encryption. Some items, such as wireless, may have to be carved out of CUI data protection, since it may be too costly to meet FIPS encryption requirements for the access points.
Most smaller organizations are left with two choices when meeting CMMC: either they convert their current environment and everything it contains, or they attempt to create a CUI enclave in which their existing system can function without interference from the new regulation. While the enclave is a common solution for small organizations, it also comes with some challenges for the existing infrastructure.
First example: if you are a manufacturing company and you need to migrate specifications from the CUI enclave to your manufacturing equipment, what protections are in place to protect that data after it leaves the protection of the enclave?
Another example: if you are providing a service, how do you disseminate CUI information to the employees who need it to conduct the service?
Just because we can create an environment to house and protect CUI data does not mean our ability to process it will be unaffected. We must plan for the protection of CUI data in three distinct roles: 1) how will we securely receive CUI data? 2) how will we process CUI data? and 3) how will we securely distribute CUI data? A data workflow will need to be developed and become part of the System Security Plan.
Finally, understand that this regulation is a shift in how federal contractors conduct business. Security controls are not just technical controls, so we must plan for changes to the system.
Moving forward, our organizations will now need to budget and plan for periodic security awareness training. The requirement for "periodic" is at least annually. However, retention is better if you conduct smaller monthly training events rather than one large, all-encompassing class once a year. Security roles will need to be defined and will require specific training on how to perform those roles.
A security control requiring continuous monitoring of the environment will need to be implemented. Who will be responsible for reviewing the logs and reports?
Also, risk and vulnerability assessments will need to be conducted periodically. That is two assessments: one to determine vulnerabilities in the system, and the other to determine the impact of an event on different components of the network.
The list of security controls covers 130 controls and dozens of processes for CMMC ML3. For small organizations, trying to accomplish these without help can be an overwhelming effort. Start by reading the original specifications in NIST SP 800-171. Understand that those are the basics, and then look for help from an organization that can fill in the gaps in your security requirements.