The upcoming Cybersecurity Maturity Model Certification (CMMC) may be a concern to you if you are a government contractor whose organization handles Controlled Unclassified Information (CUI). Read on to learn how Cybriant can guide you through the CMMC process.
Douglas Adams references notwithstanding, consider this Cybriant's attempt at a guide to CMMC. As you may have recently become aware, the Department of Defense's (DoD) push to begin auditing its supply chain for cybersecurity compliance has sent ripples through the sector.
Now that the initial panic has worn off, you are trying to come to grips with what exactly all this means. Before we get started, understand that anything stated here, or anywhere else, is pure speculation until the CMMC is released into the wild.
NOTE: For this article, we define a contractor as an organization that handles Controlled Unclassified Information (CUI). There are as many sub-certifications as there are fish in the sea when it comes to the DoD, so we are going to stay fairly high level. Please consult your contracting office or prime to understand any further requirements you may be assessed against.
The good news is that, with audit season officially opening in 2020-2021, you are probably a few years off from actually being audited.
How do I know this? Mostly because if you are reading this blog, you probably do not work for Lockheed Martin, Boeing, Raytheon, or any of the other 800 lb gorillas.
They are likely getting their news directly from their contacts within the DoD. Odds are you are a subcontractor on a larger contract or the prime on a small one.
Which do you suppose would be the DoD's top concern: the security of the prime on one of its large contracts, or the manufacturer of a widget that goes into that project? Word on the street, and logic, says that the whales will be hunted first, then the smaller fish.
“Ok,” you say, “I probably have some time but, how do I prepare?” I’m glad you asked.
Side Note about NIST
The "go-to" for standards for the DoD is, of course, the National Institute of Standards and Technology (NIST). And when I say "go-to" I mean DoD Instruction 8510.01 says NIST is THE standard by which all Authorizations to Operate (ATOs) are measured, so what NIST does is important.
In a "whaddayaknow" moment, NIST has recently released an Initial Public Draft (IPD) of the mighty Special Publication 800-53. If adopted, this draft will advance the publication to Revision 5. Also, a few years ago all departments were in a major push to move from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF).
Coincidence? I think not.
Let's discuss the NIST Special Publication 800-53 Revision 5 Initial Public Draft. As one would expect, a smattering of new and revised security controls make their way into the revised document. At the end of the day, though, it is all about privacy. There are two new control families explicitly related to privacy: Individual Participation (IP) and Privacy Authorization (PA).
Within IP we have these basic tenets:
- Giving users more access and authority over their data
- Allowing users more control over data accuracy and corrections
- Ensuring proper privacy notices are in place
PA contains items such as:
- Ensuring the organization has the legal right to use Personally Identifiable Information (PII)
- Having documentation to support that fact
- Ensuring privacy communications are fully developed and implemented
- Defining what PII you can share, how, and when
What is more interesting to us is the introduction of "joint controls" shared between security and privacy. Also included in the IPD are three new appendices dedicated to the "how" of implementing the privacy controls. See a pattern?
Privacy is going to be a major concern going forward. NIST 800-171 is a subset of 800-53, and CMMC, as discussed previously, will draw from both to produce a list of requirements around any data about a contract, including CUI. NIST has upped its concern for privacy, and it stands to reason that this will make its way into the CMMC. Table F-2 of NIST 800-53 is a good place to start understanding how important privacy will be.
Because of the privacy emphasis in the industry at large and in the latest draft of 800-53, we at Cybriant suggest the following actions to prepare:
- Develop a privacy program
- Begin identifying all types of PII captured by your organization
- Develop or modify training to address privacy
- Begin updating all policies to address privacy concerns, including:
  - Record retention and destruction
  - Communications policy and procedures
  - Business continuity and disaster recovery
  - and more
- Be thinking about:
  - Does your company need the PII it does have?
  - How does your organization communicate privacy concerns to all parties?
  - Who will be ultimately responsible for privacy?
  - How will allowing redress of privacy concerns affect your processes?
Processes, People, and Technology
Yes, that old trope is back. We have heard it a thousand times, but it is our belief that contractors will need to start getting their ducks in a row now if they want the road to CMMC compliance to be as painless as possible. Long gone are the days of throwing together a System Security Plan (SSP) and a couple of Plans of Action and Milestones (PoAMs) and calling it a day. It is our strong belief that CMMC will require more than adherence to particular security controls, an SSP, and enough PoAMs to make the auditors happy. After seeing the concerted effort to implement RMF throughout the entire DoD, pushing that process down the supply chain is almost certain.
What do I mean by that?
The Risk Management Framework places heavy importance on ensuring not only that controls are implemented but that your daily operations, the very fabric of how you run your organization, live and breathe security. Marry that with the industry-accepted view that NIST is aligning itself more closely with frameworks and regulations such as ISO 27001 and GDPR, and there are a few items that organizations wishing to win contracts must be aware of.
Risk Assessments take center stage
Within most frameworks, one of the main starting points is a risk assessment, which identifies the major gaps between the organization and the standard. Not only that, but a Cybriant risk assessment allows an organization to understand its security more holistically. Being compliant does not make you secure, just as being secure does not make you compliant. As such, a Cybriant risk assessment addresses both.
That sounds painful, and it will be. What we believe will also be a major component of the forthcoming CMMC is the importance the organization places on security and privacy as everyday business. Based on our experience, a few questions come to mind.
- Does your change management process include privacy and security concerns as a prerequisite for a change request?
- Is management made aware of the state of security within the organization regularly?
- Do you test and update your business continuity and disaster recovery plans after every change that would affect their effectiveness?
- Do you routinely test audit controls?
While we believe process and people are the most important areas to focus on in most organizations, we cannot ignore technology. Signature-based anti-virus is a dinosaur, and signature-based Intrusion Detection Systems are going the way of the dodo.
Only worrying about whether technology is compliant is asking for trouble. Signature-based technologies satisfy most frameworks out there, but do they make you secure? No, not really. Being compliant and breached is not preferable to being compliant and relatively secure. As we all know, if someone wants your data badly enough, they are going to get it. Why not use current technology to ensure they need very deep pockets before they can?
No one knows what is coming in the final CMMC, but we do have some indicators from insiders and from what has been happening in the industry. Cybriant highly recommends that each organization spend a bit of time ensuring it is truly compliant with existing regulations first, then move on to what is expected. After all, if you prepare for what we believe will be a privacy-first mentality and it fails to come to fruition, are you any worse off?
Cybriant is an award-winning cybersecurity service provider. We provide 24/7 continuous threat detection with remediation, risk assessments, and more. We make enterprise-grade cybersecurity services accessible to the mid-market and beyond.
NIST 800-53 v5 IPD – https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf