November 1, 2020


By Andrew S.

If you work in the DoD space – and if you’re reading this blog I’m guessing you do – you are no doubt in the process of preparing for Cybersecurity Maturity Model Certification (CMMC). CMMC will soon be a requirement for all contractors who do business or who want to do business with DoD.

It may seem this requirement is still somewhat off in the distance. Although the security controls for CMMC are defined, the assessment methodology is incomplete and third-party assessors are not yet trained and certified. If all goes as scheduled, however, CMMC certification could be required in RFPs as soon as this year, and it is slated to be required for all DoD contracts by 2026.

Benefit of CMMC

The program has suffered some delays, but preparing ahead of the eventual requirement date has two benefits. First, it is simply prudent: once you start to dig into the security requirements, you may find that implementing the missing controls takes longer than initially planned.

Second, it introduces fundamental cybersecurity practices that also protect your own competition-sensitive information and intellectual property. The government information you protect travels the same electronic pathways, and is likely stored in the same locations, as your company data. Compliance with CMMC should not be the only goal, or a “check the box” exercise; it should be a by-product of good company security.

Preparing for CMMC

Unlike some others, I would not recommend an initial security assessment as a starting point. If you do not already have a security program in place, that is akin to asking someone to test the security of your house when you know the doors and windows are all wide open: you will learn little except that you have a fair bit of work to do. The best way to get started is to implement some fundamental security controls.

Classifying Information

The first thing to understand is what should be considered Controlled Unclassified Information (CUI). CUI includes the legacy markings For Official Use Only (FOUO), Law Enforcement Sensitive (LES) and Sensitive But Unclassified (SBU), plus a catch-all “Government Sensitive Information” that can include Personally Identifiable Information (PII), Protected Health Information (PHI), documents labelled Procurement Sensitive, and many others.

A comprehensive list of CUI categories can be found on the National Archives website. Even if your organization does not maintain government data outside of government-controlled infrastructure, you most likely have FOUO and Procurement Sensitive documents on your internal company systems.

Identifying CUI and other information

Identifying the CUI on your systems is critical to implementing a CMMC-compliant system
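As an added example (not part of the original post), here is a first-pass discovery scan for the legacy markings listed above. The marking names come from the post; the regular expressions, the file extensions, the directory walk and the sample files are all assumptions constructed for the example. It reads plain-text files only, so Office and PDF documents would need a text-extraction step first, and a hit is a lead rather than a verdict: a person still has to confirm each marked document, and unmarked CUI will not be found this way.

```python
"""First-pass scan of a directory tree for legacy CUI markings.

Added example, not code from the original post. Marking names (FOUO, LES,
SBU, Procurement Sensitive, CUI) follow the post; the patterns, extensions
and sample files below are assumptions made for this example.
"""
import os
import re
import tempfile

# Acronyms are matched case-sensitively (a lower-case "les" or "sbu" is
# almost always an ordinary word); the spelled-out phrases are matched
# case-insensitively using scoped inline flags.
MARKING_PATTERNS = {
    "FOUO": re.compile(r"\bFOUO\b|(?i:\bfor official use only\b)"),
    "LES": re.compile(r"\bLES\b|(?i:\blaw enforcement sensitive\b)"),
    "SBU": re.compile(r"\bSBU\b|(?i:\bsensitive but unclassified\b)"),
    "PROCUREMENT SENSITIVE": re.compile(r"(?i:\bprocurement sensitive\b)"),
    "CUI": re.compile(r"\bCUI\b|(?i:\bcontrolled unclassified information\b)"),
}

# Assumed plain-text extensions worth reading directly.
TEXT_EXTENSIONS = (".txt", ".md", ".csv", ".eml")


def find_markings(text):
    """Return the set of marking labels present in a block of text."""
    return {label for label, pattern in MARKING_PATTERNS.items() if pattern.search(text)}


def scan_tree(root, extensions=TEXT_EXTENSIONS):
    """Walk root and return {relative_path: sorted marking labels} for files with hits.

    Files whose extension is not in `extensions` are skipped, so the caller
    knows exactly which content types were and were not examined.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = find_markings(fh.read())
            except OSError:
                continue  # unreadable file; report separately in a real tool
            if found:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = sorted(found)
    return hits


# Constructed sample content, not real documents.
SAMPLE_FILES = {
    "proposals/rfp-response.txt": "Draft response. Procurement Sensitive - do not distribute.\n",
    "hr/onboarding.md": "# Onboarding checklist\nNothing sensitive here.\n",
    "ops/incident-notes.txt": "FOUO\nShared by the contracting officer; includes Law Enforcement Sensitive notes.\n",
    "ops/build.log": "FOUO marker in a log file whose extension is not scanned.\n",
}


def demo():
    """Write the sample files into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, marks in sorted(demo().items()):
        print(f"{path}: {', '.join(marks)}")
```

Running the script lists the two sample files that carry markings and silently skips the `.log` file, which is the point of making the extension list explicit: whatever the scan does not read, you must account for some other way when drawing the system boundary.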

Determining System Boundaries

Your second order of business is to determine your system boundary or boundaries. The boundary must include every asset you control that contains, or could contain, CUI.

The systems you will most commonly need to secure are end-user devices (laptops, desktops and mobile devices), email systems, and document storage, both on-prem and in the cloud. To the extent possible, limit the locations in which you store and interact with CUI. Doing so shrinks your attack surface and the amount of security work needed to protect the CUI.

Developing a System Security Plan

Depending on the CMMC level you are pursuing, you will need to create a System Security Plan (SSP) that lists every CMMC-defined control, with a specific control statement describing how each one is implemented. This document becomes your preliminary gap analysis: writing it will quickly show you which controls you still need to implement.

Once the controls are defined and the unimplemented ones identified, you will have to make some choices and investments to close the gaps. If you plan to store CUI in the cloud, work with your cloud provider to confirm that CUI can be protected properly there. If you use outsourced e-mail, go through the same exercise with that provider.


CMMC security controls must be implemented across all of your storage locations, both on-prem and in the cloud

Continuous Improvement

After you have implemented the necessary security controls across your systems, the work of securing information is just beginning. Implementing controls includes defining control ownership and building an ongoing governance program. Continually assess your controls to ensure your security policies and processes are actually being followed. Done effectively, this protects not only your clients’ information but your own competition-sensitive information as well.