From time immemorial (it seems like that, anyway), the National Institute of Standards and Technology (NIST) has issued Federal Information Processing Standard (FIPS) 140, which outlines the various standards for encryption to be used when processing federal information.
There are four levels to this standard.
Level 1: The lowest level of security, requiring only the most basic cryptographic modules. It does not require physical security mechanisms either.
Level 2: Takes level one and adds physical security mechanisms such as tamper-evident seals and pick-resistant locks.
Level 3: Takes level two and adds more of the same: harder to get into and compromise without obvious and immediate evidence of the attempt. It can also incorporate auto-destruct mechanisms.
Level 4: This is where the book is thrown at cryptography. The highest level, requiring physical and logical protections as well as the strongest algorithms.
Fortunately, the job of deciphering whether your systems are FIPS compliant doesn’t involve a mathematics degree but it does require a bit of work.
Where do we start?
Cryptographic Module Validation Program
NIST has provided a resource for all things FIPS 140. Provided below is a great link to bone up on the requirements and standards dictated by FIPS. If you peruse the website you will learn very quickly that theory and practice are not the same animal. An algorithm itself may be validated as sound, but that does not mean the way a device or piece of software uses that algorithm is certified. You could, and when an algorithm is first certified you do, have a certified algorithm that you can't use because no product or software using that algorithm has been certified yet.
Every device, module, or software your company employs to handle Controlled Unclassified Information (CUI) must be FIPS certified. There are three methods to handling this:
Assume: This is the most popular method of dealing with FIPS compliance. It involves assuming all your devices are compliant, or simply remaining ignorant of the very need for them to be compliant. Suffice it to say, this is not our recommended course of action.
Vendor Validation: What are support and salespeople for, other than answering mundane questions you can't be bothered to find out for yourself? There is one caveat. How much do you trust your vendor? This is an important question because, regardless of what your vendor tells you, you are ultimately responsible if you use a non-compliant device.
Self Validation: Go to the NIST website provided below and check for yourself. Does this mean you have to go find every piece of software, hardware, COTS, etcetera that you use for encryption within scope? In theory, yes; in practice, not always, as we will see below.
Fortunately, most vendors are cognizant of the need for FIPS validation, and many provide easy-to-implement configurations to ensure only FIPS-certified technologies are used. For example, Microsoft has a handy registry edit that enforces FIPS-certified algorithms across an entire domain or on a per-machine basis (links provided below). Use these options. Ask all your vendors about this as well, to ensure updates do not auto-deploy the latest encryption technology, which may not be FIPS certified yet.
Any time you’re going to be using encryption within scope for CMMC you must use a FIPS validated method. Fortunately, that’s not all that hard to do. Unfortunately, it still requires some effort on your part. Here are a few things that will make your life easier:
Check with your vendor whether there is a “FIPS compliant switch”.
For products without such a switch, go to the website below, find your product, and make a note of which specific settings and configurations are FIPS compliant. Use those.
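The Microsoft “switch” mentioned above is the LSA policy value that the Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” writes. The script below is an added example (not from the original post or from Microsoft) that audits that value across a list of machines and can set it locally; the computer names are placeholders.

```powershell
# Added example: audit and set the Windows FIPS algorithm policy.
# The registry location is the well-known LSA policy value
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled  (DWORD, 1 = enforced)
# Computer names used below are placeholders, not real hosts.

function Get-FipsPolicyState {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    $keyPath = 'SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    foreach ($computer in $ComputerName) {
        try {
            # Remote registry must be reachable; local machine works without it.
            $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key   = $hklm.OpenSubKey($keyPath)
            $value = if ($key) { $key.GetValue('Enabled', $null) } else { $null }
            [pscustomobject]@{
                ComputerName = $computer
                FipsEnforced = ($value -eq 1)
                RawValue     = $value      # $null means the value has never been set
                Error        = $null
            }
        } catch {
            # Report the failure instead of silently treating the host as compliant.
            [pscustomobject]@{
                ComputerName = $computer
                FipsEnforced = $false
                RawValue     = $null
                Error        = $_.Exception.Message
            }
        }
    }
}

# Turn the policy on for the local machine (run elevated; reboot so every service
# re-reads it). Test first: .NET Framework classes that are not FIPS validated
# (for example the managed SHA-256 and MD5 implementations) throw once this is set,
# so applications using them will break rather than silently fall back.
function Enable-FipsPolicy {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'Enabled' -Value 1 -Type DWord
}

# List every host that is not enforcing the policy (placeholder names).
Get-FipsPolicyState -ComputerName 'WORKSTATION-01', 'FILESERVER-01' |
    Where-Object { -not $_.FipsEnforced } |
    Format-Table -AutoSize
```

In Windows PowerShell (.NET Framework) you can cross-check the effective setting with `[System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms`; PowerShell 7 on .NET Core reports true regardless of the registry value, so rely on the registry audit there.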
It’s another checkmark to address, but I hope it’s not mysterious anymore.
You see, I’ve audited and assessed enough companies to see the plot and be yelling at the screen. A majority of companies out there may know CMMC is coming. They may even know that it’s different than NIST 800-171r1 and that there are varying stages of compliance. What they’re missing, what I’m screaming at the screen saying “why are you running further into the woods?!?” is the amount of work needed to bridge the gap of where you are to where you need to go.
It’s a lot. Whatever you are thinking, it’s more than that. Much more.
Often companies, even those that are fully or mostly compliant with 800-171, will have possibly hundreds of man-hours of work to meet CMMC. What’s a security professional to do? Start working.
Step 1: Learn
The first step is to download a copy of the latest draft regulations. Download each document and get reading. What you will find there is a description of what the Department of Defense is trying to accomplish: the various levels, the controls, descriptions of those controls, and further explanation.
Next, sign up for the CMMC Accreditation Board’s email alert list. This will keep you abreast of new developments in the CMMC certification process. I would also suggest familiarizing yourself with the website in general, as there is a wealth of information about how everything is going to work.
Step 2: Plan
I wouldn’t suggest starting at the top of the Appendices PDF and going to town on controls. We must first understand what level we need to meet. This would be a question for your contract office contact. They will probably have a good idea of what is going to be needed on the next round of contracts that will require a CMMC component.
Most organizations are going to tell you that as soon as you understand your required level, you should start working on Level 1. That is true, but experience tells us there are actually a few steps that should be tackled before starting work.
The Good, the Bad and the Ugly
Identify those controls that you already fulfill. The good news is that each control removed is time, money and effort saved. The bad news is that there aren’t going to be as many removed controls as you might expect.
The number one issue most people face when tackling this task is determining what exactly the government means by a particular word, phrase, or sentence. Shall vs. Must vs. Could. It’s quite confusing. Fortunately, the Appendices not only include clarifying information but also cite the specific sections of documents, such as CIS or NIST, that guided the decision. However, at the end of the day, you can always call Cybriant to help you through the muddy waters. We eat and breathe this stuff and can help define what your options are for your environment.
Internal or Outsource
There’s a very good chance you’re not going to have the manpower, resources, budget, or capabilities to fulfill every control. Identify the controls you can tackle internally and those for which an outside resource will need to be brought in to help or to fully manage. Each company is different, so this is going to depend entirely on a variety of factors. A good rule of thumb is that you should outsource anything you are not an expert in. That does not mean you should be wholly ignorant of the subject. I’m a firm believer in learning enough about a subject that you have a BS meter.
Many organizations miss this. There’s a good chance you’re going to have to spend money on upgraded systems or security components, services (Level 4 requires a 24/7 SOC), and any number of minor or major expenses. Go through all the requirements and identify what products or services you may need to purchase.
The process to identify and acquire those items can occur in conjunction with internal efforts on the remaining controls. Vendors must be found, decision-makers convinced and any number of organization-specific purchasing hurdles jumped before the product/service ends up on your doorstep. Get started with this ASAP.
Once you know what you’ll be doing and what others will be doing, it is time to estimate how long each requirement you are performing internally will take to complete. A rough estimate is fine here, as we are simply trying to ensure that we don’t leave the last two controls to the end only for them to turn out to be a two-month project. We’ll always want to be chipping away at smaller controls while working towards the large, cumbersome ones.
Step 3: Implement the plan
Finally. The CMMC already outlines the path towards certification in the five levels. Ideally, you start with level one. Once you have successfully fulfilled all the requirements, move to level two and so on until you achieve the necessary level. That is easy in theory, not in practice.
As discussed in the previous section, it is imperative that you have identified what you will insource or outsource, what needs to be purchased, and what will take the most man-hours. Purchasing equipment, contracting outsourced service providers, and implementing internal controls should proceed concurrently. Again, if planned properly, the most progress will be made with the least effort.
Finally, we can start working on actually implementing controls. This is where you can take the CMMC at its word and begin on all your Level 1 tasks. Logically move to level 2 after you’ve gotten the basics down. In fact, the CMMC calls level 2 an intermediate step to level 3. No one is supposed to stay on level 2.
Notice that the bulk of this blog is about planning. It is essential that planning receive proper attention before actually pulling the trigger on enacting anything. If you don’t plan properly, you’ll increase the work.
With over 20 years of experience in the areas of IT Security, Infrastructure and Managed Services, Jason is an accomplished security consultant and security trainer.
Jason has had cybersecurity consulting responsibilities for a variety of clients across the globe, utilizing the NIST-RMF, NIST-CSF, and ISO 27001 frameworks as well as his experience as a PCI QSA. Having a background in system architecture and design, Jason brings a uniquely refreshing perspective on information security which provides clients and partners value beyond industry norms.
Cybriant announces a new service for Department of Defense contractors in regards to the upcoming Cybersecurity Maturity Model Certification (CMMC).
Cybriant, a leader in cybersecurity services, today announced a new service to prepare Department of Defense contractors for the upcoming Cybersecurity Maturity Model Certification (CMMC).
Beginning in the fall of 2020, CMMC compliance will be a prerequisite for all new Department of Defense contracts, for prime contractors and subcontractors alike. Any contractor storing or transmitting controlled unclassified information (CUI) will need to achieve Level 3 compliance.
The Department of Defense has defined 5 levels of CMMC compliance, each with a set of supporting practices and processes. To meet a specific level, each contractor must meet the practices and processes within that level and below. The Department of Defense has released the following descriptions of each level of CMMC:
Level 1: Basic Cybersecurity
Level 2: Inclusive of universally accepted cybersecurity best practices
Level 3: Coverage of all NIST 800-171 rev 1 controls
Level 4: Advanced and sophisticated cybersecurity practices
Level 5: Highly advanced cybersecurity practices
Cybriant is aligned with the new CMMC guidelines and is knowledgeable of all the latest updates concerning CMMC. Our services are mapped to fully account for CMMC requirements levels 1 through 5 and can assist with CMMC certification efforts.
With the coming mandate of CMMC, many companies may be struggling to address the various requirements within the model. Many things have changed between the current standard NIST SP 800-171r1 and CMMC which will require a great deal of work for current contractors.
Cybriant can enable contractors to bridge the gap of missing security controls to help them quickly and efficiently become compliant. Contractors can rely on Cybriant’s strategic and managed services to ensure their security and satisfy CMMC compliance requirements.
While the CMMC Accreditation Board’s certified auditor program is still pre-launch, Cybriant has taken the necessary steps to become a CMMC Third-Party Assessment Organization (C3PAO) once the program becomes functional, in order to assist contractors in preparing for the upcoming audits.
“CMMC is still in flux and there is a great deal of misinformation,” said Jason Hill, Director of Strategic Services. “Cybriant can provide guidance and operational resources to demystify the preparation process and ultimately achieve CMMC certification.”
Cybriant assists companies in making informed business decisions and sustaining effectiveness in the design, operation, and monitoring of their cyber risk management programs. We deliver a comprehensive and customizable set of strategic and managed cybersecurity services. These services include Risk Assessments, vCISO, 24/7 Managed SIEM with LIVE Monitoring and Analysis, 24/7 MDR, 24/7 Vulnerability Scanning with Patch Management. We make enterprise-grade cyber security strategies and tactics accessible to businesses of all sizes. Find out more at https://www.cybriant.com.
The upcoming Cybersecurity Maturity Model Certification (CMMC) may be a concern to you if you are a government contractor in an organization that contains Controlled Unclassified Information (CUI). Read on about how Cybriant can guide you through the CMMC process.
Douglas Adams references notwithstanding, consider this Cybriant’s attempt at creating a guide to CMMC. As you may have recently become aware, the Department of Defense (DoD)’s push to begin auditing its supply chain for cybersecurity compliance has sent ripples through the sector.
Now that the initial panic has worn off, you’re trying to come to grips with what exactly all this means. Before we get started, understand that anything stated here, or anywhere else, is pure speculation until the CMMC is released into the wild.
NOTE: For this article we are going to stick with a contractor being defined as an organization containing Controlled Unclassified Information or CUI. There are as many sub certifications as there are fish in the sea when it comes to the DoD so we’re going to stay fairly high level. Please consult your contract office or prime to understand any further requirements you may be assessed for.
The good news is that although the official start of audit hunting season is 2020-2021, you’re probably a few years off from actually being audited.
How do I know this? Mostly because if you’re reading this blog then you probably don’t work for Lockheed Martin, Boeing, Raytheon or any of the other 800 lb gorillas.
They’re probably communicating directly with their contacts within the DoD for their news. Odds are you are a sub of a larger contract or the primary of a small contract.
What do you suppose the DoD’s top concern would be? The security of a prime on their large contracts, or the manufacturer of a widget that goes into said project? Word on the street, and logic, dictate that the whales will be hunted first, then the smaller fish.
“Ok,” you say, “I probably have some time but, how do I prepare?” I’m glad you asked.
Side Note about NIST
The “go-to” for standards for DoD is, of course, National Institute of Standards and Technology (NIST). And when I say “go-to” I mean DOD Instruction memo (8510.01) says NIST is THE standard by which all ATOs are measured, so what NIST does is important.
In a “whaddaya know” moment, NIST recently released an Initial Public Draft (IPD) of the mighty 800-53 publication. If implemented, this will advance the publication to version 5. Also, a few years ago all departments were in a major push to move from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF).
Coincidence? I think not.
Let’s discuss the NIST Special Publication 800-53 v5 Initial Public Draft. A smattering of new and revised security controls make their way into the revised document, as one would expect. At the end of the day, though, it’s all about privacy. There are two new families of controls that are explicitly related to privacy: Individual Participation (IP) and Privacy Authorization (PA).
Within IP we have these basic tenets:
Giving users more access and authority over their data
Allowing users more control over data accuracy and corrections
Ensuring proper privacy notices are in place
PA contains items such as:
Ensuring the organization has the legal right to use Personally Identifiable Information (PII)
Having documentation to support that fact
Privacy communications being fully developed and implemented
What PII you can share, how, and when
What is more interesting to us is the introduction of “joint controls” between security and privacy. Also included in the IPD are three new Appendices dedicated to the ‘how’ of implementing the privacy controls. See a pattern?
Privacy is going to be of major concern going forward. Just as NIST 800-171 is a subset of 800-53, CMMC, as discussed previously, will draw from NIST 800-171 and 800-53 to produce a list of requirements around any data pertaining to a contract, including CUI. NIST has upped its game on privacy, and it stands to reason that this will make its way into the CMMC. Table F-2 of NIST 800-53 is a great place to begin understanding how important privacy will be.
Because of the privacy emphasis in the industry at large and the latest draft of 800-53 we at Cybriant suggest the following actions to prepare:
Develop a privacy program
Begin identifying all types of PII captured by your organization
Develop or modify training to address privacy
Begin updating all policies to address privacy concerns
Record retention and destruction
Communications policy & procedures
Business continuity and disaster recovery
Be thinking about:
Does your company need the PII it does have?
How does your organization communicate privacy concerns to all parties?
Who will be ultimately responsible for privacy?
How will allowing redress of privacy concerns affect your processes?
Processes, People, and Technology
Yes, that old trope is back. We’ve heard it a thousand times, but it is our belief that contractors will need to start getting their ducks in a row now if they want the road to CMMC compliance to be as painless as possible. Long gone are the days of throwing together a System Security Plan (SSP) and a couple of Plans of Action and Milestones (PoAMs) and calling it a day. It is our strong belief that CMMC will require more than just adherence to particular security controls, an SSP, and enough PoAMs to make the auditors happy. After seeing the concerted effort to implement RMF throughout the entire organization, pushing that process down the chain is almost certain.
What do I mean by that?
The Risk Management Framework places heavy importance on ensuring not only that controls are implemented but that your daily operations, the very fabric of how you run your organization, live and breathe security. Marry that with the industry-accepted view that NIST is aligning itself closer to industry norms such as ISO 27001 and GDPR, and there are a few items that organizations wishing to win contracts must be aware of.
Risk Assessments take center stage
Within almost all frameworks, one of the main starting points is a risk assessment. This helps define the organization’s major deficiencies as compared to the standard. Not only that, but a Cybriant risk assessment allows an organization to understand its security in a more holistic manner. Being compliant does not make you secure, just as being secure does not make you compliant. As such, a Cybriant risk assessment addresses both issues.
That sounds painful. And it will be. What we believe will also be a major component of the forthcoming CMMC is the importance the organization places on security and privacy as everyday business. Based on our experience, a few questions come to mind.
Does your change management process include privacy and security concerns as a prerequisite for a request for change?
Is management made aware of the state of security within the organization regularly?
Do you test and update your business continuity and disaster recovery plans after every change that would affect their effectiveness?
Do you routinely test audit controls?
While we believe process and people are the most important areas to focus on in most organizations, we cannot eliminate technology. Anti-Virus is a dinosaur and signature-based Intrusion Detection Systems are going the way of the dodo.
Only worrying about whether technology is compliant is asking for trouble. Signature-based technologies are compliant with most frameworks out there, but do they make you secure? No, not really. Being compliant and breached is not preferable to being compliant and relatively secure. As we all know, if someone wants your data badly enough, they’re going to get it. Why not use the latest technology to ensure they need very deep pockets before they can get there?
No one knows what’s coming in the final CMMC, but we do have some indicators from insiders and from what has been happening in the industry. Cybriant highly recommends each organization spend a bit of time ensuring you are truly compliant with existing regulations first. Then move on to what is expected. After all, if you prepare for what we believe to be a privacy-first mentality moving forward and it fails to come to fruition, are you worse off?
Cybriant is an award-winning cybersecurity service provider. We provide 24/7 continuous threat detection with remediation, risk assessments, and more. We make enterprise-grade cybersecurity services accessible to the mid-market and beyond.