How to prepare your organization for the new CMMC Certification.
Focus on security compliance and protecting our government assets and critical infrastructure has never been more urgent. NIST 800-171 contains 110 controls, and if you are doing business with the DoD, you must comply as a contractor.
We know compliance is not a one-time process. Instead, it is a continuous cycle of assessing the environment, remediating the issues, and then reporting and filing the results, because this is what we do. As with CMMC and IRS requirements, we see more and more government mandates coming down on industry as we go forward. We know that these regulations are required, and non-compliance will result in the loss of your contract with the government. You are not alone, and we are here to help.
The CMMC certification requirement from the U.S. Department of Defense mandates that DoD contractors obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet “basic cyber hygiene,” as well as protect controlled unclassified information (CUI) that resides on partner systems. This is the first time the DoD will require contractors, subcontractors, and suppliers to be certified to participate in the DoD supply chain.
What is CMMC?
The CMMC is built upon established National Institute of Standards and Technology (NIST) 800-171, special publications, and DFARS regulations, which until now specified the cybersecurity standards that all Defense Industrial Base (DIB) companies had to adhere to. Specifically, DFARS clause 252.204-7012 stipulates that any company that accesses or stores CUI must self-assess its cybersecurity capabilities and self-attest that it meets all 110 security controls of NIST SP 800-171 or have in place a Plan of Actions and Milestones (POAM). Due to failings and public cybersecurity breaches across the Federal government in recent years, the DoD has upped the ante for the supply chain and is disallowing these self-assessments and POAMs. CMMC certification will require companies to demonstrate effective cybersecurity practices and procedures sufficient to satisfy an annual, accredited, third-party audit.
Whom does this affect?
The DoD recognizes that its contracts have different risk profiles, so each RFP will list a CMMC level requirement from 1-5.
The lower levels (1-2) apply to DoD contractors who don’t deal with CUI, only Federal Contract Information (FCI). These contractors don’t hold government information on their corporate networks, so these levels’ security requirements are much less stringent. Most contractors that provide basic supplies and commodities to the government typically only fall under level 1.
For Level 3 and above, DoD contractors handle CUI. Representative CUI can be information like schematics for DoD equipment that would permit adversaries to reverse-engineer or learn about military capabilities. Another example is maintenance plans for aircraft equipment on a CUI network. This requires a level of protection very similar to the current NIST SP 800-171 recommendations. Level 3 represents a large part of the DIB, and in fact, it is expected to be the standard for 95% of the contractor pool for information technology companies.
At the highest levels (4-5), the CUI being protected is at a high level of sensitivity. These networks may be primary targets of cyber adversaries. Examples of this information are weapon test results or detailed manufacturing schematics. Not surprisingly, securing your network up to level 4 or 5 applies to a smaller, select subset of the DIB and can be very expensive without a plan and effective tools.
If the DoD represents a current or future part of your revenue streams, serious attention and preparation for CMMC are an absolute must.
How will CMMC work?
All assessments of cybersecurity compliance will be conducted by CMMC Third-Party Assessment Organizations (C3PAOs). The CMMC expands upon NIST 800-171 by supplementing its 110 security requirements. Good, repeatable cyber hygiene governs these additional, mandatory practices.
CMMC scoping will be measured much like NIST SP 800-171 scoping is performed today. Higher levels of CMMC, at Level 3 or above, apply to systems that house CUI. The following information categories correspond to differing levels of CMMC and are more fully defined here.
- COTS (Commercial Off-The-Shelf) Information: Typical products or services that are sold in substantial quantities in the commercial marketplace
- FCI (Federal Contract Information): Non-public information provided by/for the government under a contract
- CUI (Controlled Unclassified Information): Information requiring special labeling and safeguards
- CTI (Controlled Technical Information): Technical information with military or space application subject to special controls; a subset of CUI
- Classified Information: Classified information is outside the scope of CMMC
Until the CMMC is fully implemented, CMMC and NIST SP 800-171 mandates will coexist, in most cases up to five years, the typical performance period maximum of DoD contracts. Over the next several years, the number of defense contracts subject to CMMC requirements will ramp up significantly, and those that are governed by NIST SP 800-171 will decline to zero.
CMMC Impact on the DIB beyond Prime Contractors
CMMC mandates don’t merely apply to prime contractors; they impact subcontractors as well. Primes are required to maintain CMMC information requirements across their supply chain where there is a continuity of information to the lowest level. As such, the largest primes are already beginning to encourage if not force their suppliers to obtain CMMC, ranging from positive actions like providing consulting resources and tools to a more restrictive approach of not including non-compliant CMMC subcontractors on their bid and execution teams. For many small businesses (SMBs), subcontracting is the primary if not only source of company Federal revenue.
What role do STIGs play?
Throughout the DoD, the DISA Security Technical Implementation Guides (STIGs) are a fundamental component of hardening systems per the Risk Management Framework (RMF), a Federal, whole-of-government requirement for government systems. NIST 800-171 specifies that any federal contractor that works with Controlled Unclassified Information (CUI) must follow this policy framework. Notable attention has been given recently to STIGs as they relate to the DIB. NIST requirements for government stipulate that Federal environments be hardened to either STIG or CIS standards, and the DoD has settled on STIGs as the baseline of choice. CMMC reinforces this internal government requirement to the DIB, with levels 3 through 5 stipulating an infrastructure hardening mandate akin to RMF or FedRAMP High.
STIGs are an operationally implementable sourcebook of DoD Information Assurance (IA) controls, security regulations, and best practices for securing operating systems, networks, and applications. More importantly, STIGs provide security guidance for actions like mitigating insider threats, containing applications, and securing information system credentials and assets.
Uncertain about what is required and how to assess and document in preparation for CMMC? Check out these STIG & CMMC Control Matrix documents for Windows 2016, Windows 10 and Red Hat 7. These documents show the crosswalk between the 800-53 controls fulfilled by the STIGs and how they map to CMMC levels:
- STIG & CMMC Controls Matrix for Windows 2016
- STIG & CMMC Controls Matrix for Red Hat 7
- STIG & CMMC Controls Matrix for Windows 10
The CMMC problem faced by SMBs
We know the application of STIGs meets the mandates of CMMC for Federal contractors in the DIB. The challenge is the amount of labor and cost required to implement STIGs in any environment. Cybersecurity consultants and systems integrators alike are aware that these information assurance practices often take months to implement on even the smallest number of endpoints in a Federal environment.
This makes CMMC certification using traditional means of implementing security controls prohibitively costly for SMBs in the DIB. Without an affordable means for SMBs to achieve certification, the Federal supplier pool will shrink as the cost of compliance drives companies out. This dynamic is contrary to stated Federal government goals on supply chain diversity, damages SMBs, and weakens the strength and resiliency of the DoD.
Is there a solution?
Automate the Technical Requirements of CMMC
SteelCloud has been automating STIG and CIS compliance for Federal government customers for years using a patented, automated scan and remediate solution called ConfigOS. Federal agencies use our ConfigOS automated compliance software to affordably maintain a robust cyber infrastructure to become and stay compliant. Larger integrators have deployed this software in support of their Federal programs or for their internal CMMC requirements.
The ConfigOS solution hardens infrastructures around the application stacks actually running on them, which differ by environment depending upon program mission, tools of preference, and operating system. ConfigOS is used to build custom signatures for these environments that apply STIG automation and produce reporting artifacts for RMF accreditation requirements, typically reducing system hardening efforts by 70-90%. Similar results can be expected for the technical requirements of CMMC, making the unaffordable mandate much more palatable for SMBs trying to get or keep their place at the Federal contracting table.
How to get compliant and stay compliant with ConfigOS
Our ConfigOS software automatically scans and remediates the onerous control requirements imposed by CMMC on the DIB, reducing hundreds of hours of work to 60 minutes or less. Because these controls frequently change (DISA updates STIGs quarterly at a minimum), the ConfigOS software not only gets companies into initial CMMC compliance but keeps them in compliance year over year. SteelCloud’s ConfigOS software hunts down hidden non-compliances across the network and automatically remediates them in minutes. It serves as a documentable basis for an accepted CMMC control process that paves the way to successful audits time and again.
Contact us today to learn more about how SteelCloud can help with CMMC certification.
| Resource | URL |
| --- | --- |
| OSD Main CMMC Site | https://www.acq.osd.mil/cmmc/index.html |
| OSD CMMC Doc. Site | https://www.acq.osd.mil/cmmc/draft.html |
| NARA CUI Registry | https://www.archives.gov/cui |
| OSD CMMC Presentation | https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf |
| CMMC Model Document | https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf |
| NIST 800-171 Document | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf |
| NIST 800-128 Document | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-128.pdf |
| NIST 800-70 Document | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-70r4.pdf |
| NIST 800-53 Document | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf |