Cyber Risk Management Solutions
Cybersecurity Maturity Model Certification (CMMC) – What to Expect

Cybersecurity Maturity Model Certification (CMMC) – What to Expect

The upcoming Cybersecurity Maturity Model Certification (CMMC) may be a concern to you if you are a government contractor in an organization that contains Controlled Unclassified Information (CUI). Read on about how Cybriant can guide you through the CMMC process. 

CMMC

Don’t Panic.

Douglas Adams references notwithstanding consider this Cybriant’s attempt at creating a guide to CMMC.  As you may have recently become aware, the Department of Defense (DoD)’s push to begin auditing their supply chain for cybersecurity compliance has sent ripples through the sector. 

Now that the initial panic has worn off, you’re trying to come to grips with what exactly all this means.  Before we get started, understand that anything stated here, or anywhere else, is pure speculation until the CMMC is released into the wild.

NOTE: For this article we are going to stick with a contractor being defined as an organization containing Controlled Unclassified Information or CUI.  There are as many sub certifications as there are fish in the sea when it comes to the DoD so we’re going to stay fairly high level.  Please consult your contract office or prime to understand any further requirements you may be assessed for.

Timing

The good news is that the official start of hunting audit season is 2020-2021, you’re probably a few years off from actually being audited. 

How do I know this?  Mostly because if you’re reading this blog then you probably don’t work for Lockheed Martin, Boeing, Raytheon or any of the other 800 lb gorillas. 

They’re probably communicating directly with their contacts within the DoD for their news.  Odds are you are a sub of a larger contract or the primary of a small contract. 

What do you suppose would the DoD’s top concern be?  The security of a primary on their large contracts or the manufacturer of a widget that goes into the said project?  Word is on the street, and logic dictates, that the whales will be hunted first, then the smaller fish.

“Ok,” you say, “I probably have some time but, how do I prepare?”  I’m glad you asked. 

Side Note about NIST

The “go-to” for standards for DoD is, of course, National Institute of Standards and Technology (NIST). And when I say “go-to” I mean DOD Instruction memo (8510.01) says NIST is THE standard by which all ATOs are measured, so what NIST does is important.

In a “whatdayaknow” moment, NIST has recently released an Initial Public Draft (IPD) of the mighty 800-53 publication. If implemented this will advance the publication to version 5.  Also, a few years ago all departments were in a major push to move from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF). 

Coincidence?  I think not.

Controls

Let’s discuss NIST Special Publication 800-53 v5 Initial Public Draft.  A smattering of new and revised controls around security make their way into the revised document, as one would expect.  At the end of the day though, it’s all about privacy.  There are two new families of controls that are explicitly related to privacy; Individual Participation (IP) and Privacy Authorization (PA).

Within IP we have these basic tenants:

  • Giving users more access and authority over their data
  • Allowing users more control over data accuracy and corrections
  • Ensuring proper privacy notices are in place

PA contains items such as:

  • Ensuring the organization has the legal right to use Personally Identifiable Information (PII)
  • Have documentation to support that fact
  • Privacy communications are fully developed and implemented
  • What, how, when, you can share PII

What is more interesting to us is the introduction of “joint controls” between security and privacy.  Also included in the IPD are three new Appendices dedicated to the ‘how’ of implementing the privacy controls.  See a pattern?

Privacy is going to be of major concern going forward.  Just as NIST 800-171 is a subset of 800-53.  CMMC, as discussed previously, will take from NIST 800-171 and 800-53 to produce a list of requirements around any data pertaining to a contract, including CUI.  NIST has upped their game/concern for privacy.  It stands to reason that this would make its way into the CMMC.  Table F-2 of NIST 800-53 is a great place to start to begin the understanding of how important privacy will be.

Because of the privacy emphasis in the industry at large and the latest draft of 800-53 we at Cybriant suggest the following actions to prepare:

  • Develop a privacy program
  • Begin identifying all types of PII captured by your organization
  • Develop or modify training to address privacy
  • Begin updating all policies to address privacy concerns
    • Privacy Policy (of course)
    • Record retention and destruction
    • Communications policy & procedures
    • Business continuity and disaster recovery
    • and more
  • Be thinking about
    • Does your company need the PII it does have?
    • How does your organization communicate privacy concerns to all parties?
    • Who will be ultimately responsible for privacy?
    • How will allowing redress of privacy concerns affect your processes?

Processes, People, and Technology

Yes, that old trope is back.  We’ve heard it a thousand times but, it is our belief contractors will need to start getting their ducks in a row now if they want the road to CMMC compliance to be as painless as possible.  Long gone are the days of throwing together a System Security Plan (SSP) a couple of Plan of Action and Milestone (PoAM)s and calling it a day.  It is our strong belief that CMMC will require more than just adherence to particular security controls, an SSP and enough PoAMs to make the auditors happy.  After seeing the concerted effort to implement RMF throughout the entire organization, pushing that process down the chain is almost certain. 

What do I mean by that?

The Risk Management Framework places heavy importance on ensuring that not only controls implemented but your daily operations, the very fabric of how you run your organization, lives and breathes security.  Marry that with the industry-accepted thought that NIST is aligning itself closer to industry norms of ISO 27001, GDPR, etc, and there are a few items that organizations wishing to win contracts must be made aware.

Risk Assessments take center stage

Within most all frameworks one of the main starting points is a risk assessment.  This helps define the major deficiencies of the organization as compared to the standard.  Not only that but, a Cybriant risk assessment allows an organization to understand their security in a more holistic manner.   Being compliant does not make you secure just as being secure does not make you compliant.  As such, a Cybriant risk assessment addresses both issues.

Process Alignment

That sounds painful.  And it will be.  What we believe will also be a major component of the forthcoming CMMC is the importance the organization places on security and privacy as everyday business.  Based on our experience, a few questions come to mind.

  • Does your change management process include privacy and security concerns as a prerequisite for a request for change?
  • Is management made aware of the state of security within the organization regularly?
  • Do you test and update your business continuity and disaster recovery plans after every change that would affect it effectiveness?
  • Do you routinely test audit controls?

Technology Advancement

While we believe process and people are the most important areas to focus on in most organizations, we cannot eliminate technology.  Anti-Virus is a dinosaur and signature-based Intrusion Detection Systems are going the way of the dodo. 

Only worrying about whether technology is compliant is asking for trouble.  Signature-based technologies are compliant with most frameworks out there but, do they make you secure?  No, not really.  Being compliant and breached is not preferable to being compliant and relatively secure.  As we all know, if someone wants your data bad enough, they’re going to get it.  Why not use the latest technology to ensure they need very deep pockets before being able to get there? 

Conclusion

No one knows what’s coming in the final CMMC but, we do have some indicators from insiders and what has been happening in the industry.  Cybriant highly recommends each organization spend a bit of time ensuring you are truly compliant with existing regulations first.  Then move on to what is expected.  After all, if you prepare for what we believe to be a privacy-first mentality moving forward and it fails to come to fruition, are you worse off?

About Cybriant

Cybriant is an award-winning cybersecurity service provider. We provide 24/7 continuous threat detection with remediation, risk assessments, and more. We make enterprise-grade cybersecurity services accessible to the mid-market and beyond.

References

NIST 800-53 v5 IPD – https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

Start with a Risk Assessment

6 Considerations for Your Next Security Assessment Vendor

6 Considerations for Your Next Security Assessment Vendor

Information security assessments are a necessity in today’s cyber insecure world. Be sure to consider these 6 things when you select a security assessment vendor. 


security assessment vendorRisk assessments (often referred to as security assessments) are a critical part of any compliance program.  More often than not, these risk assessments are required to be performed by an external party.

Hiring a firm to perform a risk/security assessment can be a daunting task.  With little to go on we often we fall back on the old standbys of contracting a vendor: reputation, size, certifications, etc, etc.  And often that results in poor performance or obvious cookie-cutter results.  How then should we approach the task of ensuring we get value from our security assessment vendor?

After years of performing risk/security assessments and gap analyses for various companies in different vendors I’ve noticed some themes and want to share six items to look for when selecting a vendor.

Fortunately, these are items that can be teased out in negotiation long before signing the contract.

6 Factors to Look for in a Security Assessment Vendor:

1. They consider People, Processes, and Technology

This one seems like it should be obvious.  Isn’t that what a security assessment vendor should be doing?  In theory, yes. However, as you have probably experienced that is not the case most of the time.

Why?

Human nature. Believe it or not, auditors are human too and with that comes comfort zones, preferences, dislikes, and biases.  If you have an auditor who came up through the ranks as an accountant or another non-technical analytical personnel, you’ll have someone who is very comfortable with the processes of security but may not understand the nuances of people or the technology supporting the business.

The same can be said for a highly technical individual with no people skills or the adamant extrovert who crammed well enough on the technical side to pass the PCI QSA test by whiskers.

A good security assessment vendor will have the processes and procedures in place to ensure that; one, only well balanced individuals are selected to be auditors and two, even treatment is given to all aspects of security.  Just because an auditor is more comfortable in one area than another doesn’t give them leeway to abandon other areas.

2. Spreadsheet mania

This one is a bit counter-intuitive. Spreadsheets and auditors are like mac and cheese, they just go together.

However, let me ask you one thing.  Have you ever had an auditor that you felt truly understood what you did and how you did it?  I haven’t. Most of the time they sit across a table with a laptop open entering in your responses into a spreadsheet like an automaton.

Sure they’ll ask some questions to get a better understanding, but only enough to answer what the spreadsheet wants to know.  Spreadsheets are great for identifying risks in technology or gaps in processes, but what about people?

Whatever happened to the art of conversation, I ask? 

Here at Cybriant, and any other good security assessment vendor, all the technicalities of the spreadsheets can be asked beforehand, or after.  What we’re there to do is understand your risks and that includes what and how your people perform their daily duties.  I have story after story of finding major risks to an organization through conversation that a spreadsheet approach would have never caught.

Let me give you a great ‘for instance’. 

I was performing a security assessment for a college and knew of the locked, secured, shred bins as well as the policies dictating its use.

However, after conversing with a funding representative I had to ask,

“So do you actually use the shred bin upstairs?”

“Of course I do!” was the response.

Based on other answers I probed some more; “well, I put the credit card information in this cardboard box beside my desk when I’m done with them and once a week I dump the paper in the shred bin”.

Need I say more?  When considering a vendor try to have a conversation with the auditor who will be assigned to your account.  Do they ask good questions?  Are they personable?

3. They talk to more than just the nerds.

I wonder if you caught something odd about the story above, other than the blaring PCI violation.  As part of a security assessment, we were speaking to a funding representative, not a technical resource.

While technical resources are an absolute must when interviews are concerned, so are the rank and file.  Processes, policies, guidelines, standards, security controls, technology, those are all good and well, but users have an uncanny ability to destroy all our good work without even trying sometimes.

As such it is imperative your assessor speaks with others in your organization. Often external assessors are brought in to verify what the technical staff, or leadership already suspects.  However, because of our insistence on interviewing non-technical personnel, we have found countless security risks that were unknown.

When assessing your potential vendor be sure to ask who all is considered for interview candidates.  If it’s just technical staff and minimal leadership, back away slowly.

4. They see the big picture

Very similar to the spreadsheet item, there is one item that seems to elude a vast majority of assessment firms, big-picture thinking.

After performing dozens of security assessments I have come to the realization that most findings can be distilled into what we call Cybriant: Risk Themes. These are overarching risks that are not part of any framework but contribute to the overall security profile.

Examples of Cybriant: Risk Themes are a company culture that ignores security or lack of proper network design which exposes several risks.  While our assessments do include specific risks we also include any Cybriant: Risk Themes to help guide the organization towards the most efficient method of addressing the outlined risks.

Ask to see a sanitized assessment, do they address risk themes?

5. They give a roadmap to success

A good security assessor understands technology to the point that they can provide a roadmap that addresses the most critical findings first and how to fix them. This is absolutely critical to a successful implementation of remediating security risks.

Tell me if this sounds familiar.  A security assessment vendor performs a security assessment and you receive a PDF containing page after page of faults with your environment, and that’s it.  No recommendations on how to remediate, no path towards completion, no way of knowing which ones really do pose the highest risk to your organization.

When choosing a security assessment vendor it is critical that they consider what technology you have in place and the most efficient path towards remediating the identified risks.

However, they can only do that if . . . . .

6. They understand technology

In previous points, it may have seemed as if I were discounting technical knowledge.  Let me squash that rumor now.

A disturbing trend in the security assessment world is the tacking on of technology auditing to other fields such as accounting.

I like my CPA and trust them with my taxes, but I wouldn’t want them to pass judgement on my BGP network.  Just because you can sit in a CISSP boot camp and memorize enough to pass the test doesn’t mean you understand the nuances of a system or network design.

This trend is resulting in strict adherence to spreadsheets above any extenuating circumstances and discounting of any client explanation.  That in turn results in frustrated and dissatisfied clients.

Above all, an assessor needs to understand technology well enough to understand how your organization uses said technology and any potential downfalls therein.  When determining which security assessment vendor to select be sure to have your technical talent probe the assessor for technical knowledge.

Some of the brightest most capable employees and coworkers I have ever had the privilege to work with do not have college degrees or certifications; however, by what metric do we normally measure a potential employee?  The reason we do this is because it is very difficult to assess whether a potential candidate has the “right stuff” so we fall back on the defacto standard.

The same can be said for how most security professionals choose a security assessment vendor.

Hopefully, I have given you the tools to look past the standard fodder of evaluating a security vendors and equipped you to ask intelligent questions and look for signs that you have found the diamond in the rough.

Jason Hill

Jason Hill

Director of Strategic Services

Jason is an accomplished Infosec Speaker, AlienVault certified instructor and engineer, Risk Assessor, Security Consultant, and Security Trainer.

 

Learn More About Our Assessments

People, Process, Technology in Cybersecurity or: How I Learned to Stop Worrying and Love the Process!

People, Process, Technology in Cybersecurity or: How I Learned to Stop Worrying and Love the Process!

People, Process, and Technology is the cornerstone of ITIL, but can it also be used to ensure a proper cybersecurity foundation? The answer may surprise you!


Let’s just get this out of the way. You are not secure. There I said it.

Let me qualify that statement: when I say you are not secure what I mean is that regardless of the money, talent, resources, or luck your organization possesses, your organization (or any other) cannot consider itself completely impervious to outside aggressors. Just like a Major in boot camp, let me tear your assumptions down for a moment so I can build them back up.

According to Gemalto, 82 records were compromised every second in 2017. It is widely accepted that the nation-state failure rate is as near to nothing to make no difference. There are spear phishing kits available to allow anyone, even your mom, to launch a targeted attack against you. You have to be right every time; a hacker only has to be right once. A bird in the hand . . . . . I could go on, but I think you get the point.

“But,” you say “I just bought something with ‘NEXT-GEN’ in the product description. That’s got to make me secure!” No, it won’t. Nothing short of throwing all copies of your secure data into a volcano will make your data completely secure.

 

people process technology

 

What we must strive for, what we must get up every morning and make it our mission to accomplish, is the process. A far too common mistake is that once we place security controls around our data we believe the job is done. Once we buy and install that tool, outsource that task, or hire that consultant firm we are not done. Let’s look at the tried and true foundation of People, Process, Technology and see how that fits into your cybersecurity plan – we are going to switch it up and discuss process last.

According to ITIL News, using People, Process, and Technology for a successful implementation is not only good old-fashioned common sense but also like a 3-legged stool. The stool analogy is used because any leg that is too short or too long will cause an imbalance.

People, Process, Technology

People

Here’s one thing everyone in security knows: People like clicking on all the links! Hackers know this, even that rich Prince from Nigeria knows this! In Jim Collins book, Good to Great, he discusses how the leader of your organization is a like a bus driver and the employees are the bus riders.

You are a bus driver. The bus, your company, is at a standstill, and it’s your job to get it going. You have to decide where you’re going, how you’re going to get there, and who’s going with you.

Most people assume that great bus drivers (read: business leaders) immediately start the journey by announcing to the people on the bus where they’re going—by setting a new direction or by articulating a fresh corporate vision.

In fact, leaders of companies that go from good to great start not with “where” but with “who.” They start by getting the right people on the bus, the wrong people off the bus, and the right people in the right seats. And they stick with that discipline—first the people, then the direction—no matter how dire the circumstances.

While this may seem like a stretch in the cybersecurity world, the analogy holds true in the sense that everyone on board the bus must be on the same mission. We don’t want to let anyone (cybercriminals) on the bus or let any corporate secret fly out the bus windows.

Train your people and make sure policies are understood from the top down.

Technology

If that “next-gen” tool were able to keep you secure without your ability to understand and effectively use it, why isn’t everyone buying it and not the others? Because no tool by itself can effectively secure your data. You must be knowledgeable of what the tool is telling you, how to effectively deploy it, and how to customize it to your environment. If you don’t take the time to do these things you might as well have dug a hole and thrown the money in, it’s the same thing. Too many times I have seen a very expensive product simply create heat. The security product was implemented, but time was not dedicated to truly use the product. Now it’s ignored.

On the other hand, you could outsource the task of doing all that.….

Great! You’ve contracted an MSSP to watch your security for you. Job’s a good’n. Nope. I’ve trained many, many MSSPs, probably near fifty plus. I’ve been instrumental in starting two successful MSSPs. This experience has taught me several things of which one is critically important to this conversation.

It can be summed up by a question: How do you know they provide value?

Nifty charts? Awesome. Wizbang product suite? Sweet! Suites that cost more than your first car? Shiny. However, all of that is for naught if you have not educated yourself in the mechanics of what they provide. Most people outsource what they are not good at, wouldn’t a better idea be to outsource what you are good at? The more you know about the topic the less you must worry about whether that vendor is doing a good job. If you don’t stay current, educate yourself on cybersecurity and constantly engage your vendor, what value do they really bring?

Process

people process technologyIt is said wisdom is the appropriate application of knowledge. You may have learned many things about cybersecurity, but if you can’t effectively use that knowledge in everyday life what use is it? This is where everything we’ve discussed above fits into “the framework”. I’ve described what a framework is and how to pick one in other blogs.

With a framework, we can take each new product; align it with our goals, test the product, and verify our management of the product is appropriate. With each outsourced task, we can quickly and easily see if the value exists by the iterative processes inherent in frameworks. With each consultant, we can direct and manage the work and relationship using the process of satisfying the framework.

Cybersecurity is a process. It is not a rush to prepare for a single point in time audit and relaxing until the next time. By embracing that iterative steps, incremental progress is the proper way to secure your environment, you inherently become secure.

Well, at least until George clicks on that link again.

Is My Company Secure?

Is My Company Secure?

Saying “My company is secure” is like saying “My team scored 27 tonight”. The metric doesn’t matter if you have nothing to compare it against.

Enter the framework.

A framework is a standardized methodology for selecting, implementing, testing, and maintaining a set of security metrics, also called security controls. There are many frameworks to choose; NIST, ISO, NERC, PCI, etc., etc. The point is that you want to compare yourself against a known yardstick.

Without this comparison, it is very easy to enter a never-ending cycle of buying the next security wiz-bang product, implementing the wrong controls for your environment, or hiring a consultant to test something that really doesn’t need to be tested. Frameworks are like a lighthouse in the middle of fog as they help guide you to your objective, overall security, by steering you around would be obstacles. So how do you choose a framework?

Often the framework is chosen for you. Maybe you have credit card data (PCI), health information (HIPAA), or are a publicly traded company (SOX) in which it is mandated that you comply. There may be a push from upper management to appease a customer or the latest hack has scared them straight. In that case, you need to establish the framework that fits your corporation best. Choosing the framework is outside the scope of this article, but there are many sources on choosing a framework.

Once you have chosen a framework the real work begins. Each framework is unique, but they all follow the same basic pattern. Select the security controls for your environment, implement those controls, test the effectiveness of the controls, and finally make sure that controls are persistent as the environment inevitably changes.

Selecting a Security Framework

In this portion of the process, we will be selecting which controls apply to your environment. For example, let’s say we process credit cards. While one company may take the credit card data and use it in a self-developed system to acquire information, another may never see that data by using a point to point encryption device. This would completely change how to apply the PCI framework to our environment. The framework will provide instructions and rules on how to apply the framework to your environment and what should be included or not but, ultimately it will be an interactive process with data owners and security.

Implementation

The rubber meets the road at this stage. Here we will be applying the security control requirements to the pertinent systems. This is not going to be a step by step guide. Remember the framework is built so that many different organizations with different technologies can apply the recommendations to their environment. This will require converting phrases such as “the organization approves and monitors non-local maintenance and diagnostic activities” into auditing SCOM events.

Testing

Far too many people jump to this stage of the process. In fact, many consider testing the definition of information security. Penetration testing, vulnerability scans, social engineering; these are all sexy (as sexy as information security can be) and do produce volumes of “look what we did” reports. However, a stack of paper defining what should be done at this moment is not a plan, it’s a band-aid. The question is, what is the use of trying to follow a framework and implementing a slew of security controls only to say, “I think it’s working”. We must verify.

Monitoring

Now for the boring phase. This is the day to day assurance that what you have put in place is working. Think “who watches the watchers”. We are wanting to put in place the tools that will alert us to any deviation to the plan. True security is not a point in time analysis of what is now, it is looking ahead to what could be and be planning for as many contingencies as possible. Monitoring is a critical step in not only establishing our security program but, the success of that program over time.

By using a framework, we are converting information security from something that is at best a hodgepodge of duct tape into a strategy. Strategy takes us from reaction to prevention and that takes us from front news to boring company that protects their customer’s data. In security, you want to be boring.

Cybriant is a holistic cybersecurity service provider which enables small and mid-size companies to deploy and afford the same cyber defense strategies and tactics as the Fortune 500. We design, build, manage, and monitor cybersecurity programs. Follow Cybriant @cybriantmssp and cybriant.com.

Not sure where to start?

Schedule a conversation. We are really nice cybersecurity experts. We’ll walk you through the process and if you would like to use our services, great. If not, that’s fine, too. We are here to help.