I wanted to update you all on the current state of CMMC. My sources have been validated and come not only from members of the Accreditation Body (AB) board but from Provisional Assessors as well. The Cybersecurity Maturity Model Certification (CMMC) rollout continues but is plagued by bottlenecks and untested assumptions. The Department of Defense's (DoD) focus is on building the capability to perform assessments. In the meantime, the requirement for defense contractors to submit their NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) is being enforced. Some prime contractors are already putting CMMC compliance language into their contracts, which is funny because there is no real capacity to perform certification assessments at scale yet. Feel free to push back on those clauses with a statement that says it is your intent to….. For those of you who were holding out hope that CMMC might vanish into the sunset, it's not. It's real, it has teeth, and there is no one on the Hill fighting to kill it.
1. Current news
DHS considers adopting CMMC
According to an article published by Government Contracting Network, the Department of Homeland Security (DHS) may be the first non-DoD adopter of CMMC. The DHS Chief Information Officer and Chief Procurement Officer published a special notice about CMMC on sam.gov notifying contractors that DHS is conducting a pathfinder assessment based on CMMC.
Scoping for CMMC
The scoping guide for CMMC is in final review. Knowing how to scope an assessment will be pivotal in the upcoming certification assessments. According to sources who have seen it, the guidance in the scoping guide is minimal and very similar to the existing NIST SP 800-171 Rev. 2 scoping language on page 2, which states:
The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.[9] If nonfederal organizations designate specific system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization's security posture to a level beyond that which it requires for protecting its missions, operations, and assets.
[9] System components include, for example: mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications.
It is still uncertain whether the scoping guide addresses the big question of how to scope and assess Federal Contract Information (FCI) when performing a CMMC Maturity Level 3 assessment; Level 3 includes the Level 1 practices that protect FCI, so FCI systems cannot simply be left out of a Level 3 scope. I am concerned that the FCI scope may have been completely forgotten by the DoD for CMMC Maturity Level 3 assessments. We shall see.
2. Status of the ecosystem
Why is DoD quiet?
DoD is still conducting an internal review of CMMC and is avoiding public comment in the meantime, which is probably why the DoD has been so quiet for the last six months or so. An article from Bloomberg Government gives an overview of the internal review and its timelines. From the article: "We anticipate the review to be completed in late 2021". The article also discusses cost projections for CMMC Level 1 and Level 3 compliance. These estimates are much higher than originally reported because the DoD incorrectly assumed that contractors were already fully compliant with the 110 NIST SP 800-171 controls and only needed to implement the 20 additional Level 3 practices. That was not the case, so the cost of the original 110 controls is now hitting at the same time as the new ones. Call me crazy, but CMMC was put into place because the vast majority of DoD contractors were not compliant, so basing the initial cost estimates on the premise that they were seems short-sighted.
Is CMMC going away? It doesn’t look like it:
The DoD is continuing to assess candidate CMMC Third Party Assessment Organizations (C3PAOs) for eligibility to perform CMMC assessments. This is a significant cost to the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which performs those reviews.
The DoD is still very concerned about cyber incidents and loss of proprietary information and capabilities.
The DoD and the CMMC Accreditation Body are making progress on training courses for assessors, with the first classes scheduled for November 2021.
The DoD and the CMMC Accreditation Body are training Provisional Assessors directly so that they can perform assessments while the training courses are developed.
Why no CMMC assessments yet, since we have authorized assessment organizations?
Three assessment organizations (C3PAOs) have passed their eligibility review so far.
The DoD is building a CMMC instance of eMASS (Enterprise Mission Assurance Support Service), its secure system of record, to hold assessment results and certificates; assessments cannot be performed until that system is ready. This seems to be the reason why we don't see even a few assessments being performed yet.
3. Where does that leave you for CMMC?
You have time. Use this time wisely.
I share the belief of other assessors that less than 1% of defense contractors will be able to get a CMMC certification before mid-2023. Those of you in Huntsville, Alabama who want to be first to the trough will most probably have to wait at least a year or two. The bandwidth of assessors and C3PAOs just isn't there.
DON'T WASTE TIME THOUGH. In my experience in IT working with DoD contractors, very few have been able to migrate their systems or make major security changes (like removing local admin rights from users) in less than 12 months. It takes a surprisingly long time, especially if you already have Controlled Unclassified Information (CUI) spread across your environment.
Make sure that you are using the correct scope for your preparations.
- Sit down with your department heads and write down which applications and devices store CUI or have access to it. Once this data map is done, look for consolidation opportunities that shrink the CUI environment: every system you move out of the CUI boundary is one fewer system you have to assess.
- Boundaries: ensure that you have strong logical and physical boundaries around your FCI and CUI scopes, such as firewalls with deny-by-default rules. Remember that Virtual Local Area Networks (VLANs) by themselves are not a boundary; a VLAN only becomes one when an active firewall sits between it and other networks and enforces which traffic may cross.
- Protect systems that store, process, or transmit FCI or CUI. Note: if the FCI or CUI is properly encrypted in transit, the network equipment between source and recipient (such as the entire Internet) never sees the plaintext and does not count as transmitting the data; the endpoints that encrypt and decrypt it still do.
- Protect systems that provide security for FCI or CUI systems. Common security systems include antivirus, directory servers, log servers, firewalls, and facility security such as door locks.
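As a worked illustration of the four scoping bullets above, here is a small Python classifier that applies them to a constructed asset inventory. It is an added example, not the CMMC scoping guide and not a tool F1 Solutions ships; the asset names and attributes are made up, and the decision that a VPN concentrator which decrypts CUI traffic counts as transmitting it (while a switch or ISP router that only forwards the encrypted tunnel does not) is an assumption drawn from the encryption-in-transit note above.

```python
"""Illustrative CMMC scoping classifier.

Added example, not the CMMC-AB scoping guide and not F1 Solutions' tooling.
It encodes the three rules from the scoping bullets:
  1. An asset that stores or processes CUI is in scope.
  2. An asset that only forwards CUI traffic that is already encrypted end to
     end is not "transmitting" CUI; an asset that terminates that encryption
     (a VPN concentrator, a TLS-terminating proxy) handles plaintext and is.
  3. An asset that provides security protection to an in-scope CUI asset is
     in scope as a security protection asset.
All asset names and attributes below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field

CUI = "CUI asset"
SPA = "security protection asset"
OUT = "out of scope"


@dataclass
class Asset:
    name: str
    stores_or_processes_cui: bool = False
    forwards_cui_traffic: bool = False
    sees_plaintext: bool = False              # decrypts or terminates the session
    protects: list[str] = field(default_factory=list)  # names of assets it secures


def scope(assets: list[Asset]) -> dict[str, str]:
    """Return a name -> category map for every asset in the inventory."""
    result: dict[str, str] = {}
    # Rules 1 and 2: assets that store, process, or transmit plaintext CUI.
    for a in assets:
        if a.stores_or_processes_cui or (a.forwards_cui_traffic and a.sees_plaintext):
            result[a.name] = CUI
    # Rule 3: anything that secures a CUI asset is a security protection asset.
    for a in assets:
        if a.name not in result and any(result.get(t) == CUI for t in a.protects):
            result[a.name] = SPA
    # Everything else, including pass-through hops that only carry encrypted traffic.
    for a in assets:
        result.setdefault(a.name, OUT)
    return result


def summarize(scoped: dict[str, str]) -> dict[str, int]:
    """Count assets per category; re-run after each consolidation pass."""
    return dict(Counter(scoped.values()))


# Constructed inventory for a hypothetical engineering enclave.
SAMPLE_ASSETS = [
    Asset("fileserver-cui", stores_or_processes_cui=True),
    Asset("eng-workstation-07", stores_or_processes_cui=True),
    Asset("core-switch", forwards_cui_traffic=True),       # carries SMB3/TLS, never decrypts
    Asset("isp-router", forwards_cui_traffic=True),        # carries the VPN tunnel only
    Asset("vpn-concentrator", forwards_cui_traffic=True, sees_plaintext=True),
    Asset("enclave-firewall", protects=["fileserver-cui", "eng-workstation-07"]),
    Asset("ad-dc-01", protects=["fileserver-cui", "eng-workstation-07"]),
    Asset("siem", protects=["fileserver-cui", "enclave-firewall"]),
    Asset("marketing-laptop"),                             # no CUI, secures nothing
]

if __name__ == "__main__":
    scoped = scope(SAMPLE_ASSETS)
    for name, category in scoped.items():
        print(f"{name:20} {category}")
    print(summarize(scoped))
```

Tag every device from the data map this way and the output is your candidate assessment boundary: the CUI assets and the security protection assets are what the assessor will look at, and the `summarize()` count is what you are trying to drive down through consolidation.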
Level 4 and 5
If you are concerned that your company may need CMMC Maturity Level 4 or 5, try not to worry about it for now. There is no assessment guide for Levels 4 and 5, and no assessor training for them is even being developed. I don't expect to see the capability for Level 4 and 5 assessments for at least a year after regular assessments become fully functional. The CMMC Accreditation Body and DoD do not seem very concerned about Levels 4 and 5 right now; they are focused on Level 3.
4. Tips to prepare for CMMC
Get your house in order
- If you have not performed a recent risk assessment, have one done against DFARS 252.204-7012 (that is, against the 110 NIST SP 800-171 controls). Some organizations add the additional CMMC Level 3 controls as a pre-gap project.
- Take that information and develop your plan for remediation.
- Then put those remediations into place. Update
- Create policies for all controls and publicize them to your staff. Have them sign off on the policies and build a culture of awareness (which takes time).
- If your IT team has been pushing you to bring in a new product or service and has shown you what control it maps to, then start implementing.
- Update your SPRS score to reflect your new level of cyber maturity.
- Run tabletop exercises of your Disaster Recovery and Incident Response plans.
- Start asking your vendors and partners about their level of compliance and document those answers.
- For the love of god, please implement multi-factor authentication (MFA) if you haven't already, make sure backups are as secure as they can be (including an offline or immutable copy that a compromised admin account cannot delete), and put an active threat hunting program in place. You will need these just to renew your E&O / cyber insurance policy.
Start training your staff on proper data security hygiene. Make sure your IT company is trained in running a "process mature" organization, like F1 Solutions based in Huntsville, Alabama. Make sure you have a trained compliance team as well as a trained technical maintenance team. Manual processes, written administrative procedures, and physical protections make up the majority of the effort involved in CMMC Level 3 compliance. No single tool or process will make you compliant; it takes layers of tools, processes, and policies. Train your staff and focus first on being excellent at standardizing your build processes, account management, change management, and continually monitoring and responding to problems.
If you use a cloud such as Microsoft's to store, process, or transmit FCI or CUI, or to provide security for your FCI or CUI, ask the cloud provider for its audit reports. The audit needs to include an assessment of the CMMC requirements for your level (Level 1 or Level 3) in order to prove that the cloud is acceptable for YOUR assessment.
Where possible, obtain a Customer Responsibility Matrix from the cloud provider which states which requirements you are responsible for versus which ones they cover. In the long term, every CMMC-compliant cloud will need to produce this; in the short term, very few clouds have this information available unless they have been FedRAMP authorized.
F1 Solutions is working hard to create a mapping of CMMC Level 3 controls to Microsoft license components as well as the additional third-party solutions that we bring to the table. We are inventing this from scratch, so be patient, but we are getting close. Of the almost 100 other MSPs that we talk to, no one has this 100% fleshed out yet.
How is F1 looking into the future?
- We are actively staying connected with contacts in the know and updating our clients regularly.
- We are a Registered Provider Organization (RPO) with two Registered Practitioners (RPs) on staff, and we are assessing the clients who approve the work.
- We are working on our exclusive cross-mapping of Microsoft and F1 offerings against CMMC Level 3. We already have hundreds of hours into this. The mapping is almost done and we are now writing the policy statements. We hope to have this within the next few months.
- We are reminding all of our clients to take advantage of our Compliance as a Service (CaaS) offerings; all of these products and services are mapped to specific controls that will need to be addressed in some way.
- We are always looking at better and more secure ways of managing your backup program. Currently we use the leading backup product in the recommended way. However, we think we can do even better. F1 has spent a lot of time working on an even more secure solution for this critical process. It is in testing now and we hope to roll it out to clients who want it in late September.
- We are constantly looking at our own security posture and making changes on an ongoing basis
- We are evaluating additional security products and features on a continual basis