It seems that any day now the U.S. Department of Defense (DoD) will announce its rulemaking on the Cybersecurity Maturity Model Certification (CMMC) 2.0. According to the CMMC policy Director for the Office of the Undersecretary of Defense for Acquisition and Sustainment, Stacy Bostjanick, the Defense Industrial Base (DIB) and Federal Systems Integrator (FSI) organizations can expect an interim rule by May 2023. Once the rule on CMMC 2.0 is in effect, DIB and FSI contractors who seek to do business with the DoD will have only 60 days to become CMMC compliant after the rule’s release.
As part of this expected interim rule, DIB and FSI contractors who handle Controlled Unclassified Information (CUI) will begin seeing CMMC Level 2 compliance requirements pop up in DoD contracts. CMMC Level 2 will require businesses to attain a certain level of cyber hygiene, as well as implement a number of specific security controls that will ensure that they have a properly hardened cyber posture that the DoD feels confident working with.
But what types of security controls does CMMC Level 2 entail, what solutions are available that can alleviate the manual work and processes that go into reaching Level 2 compliance, and what common missteps should DIB and FSI organizations avoid so that they can become Level 2 compliant in time for the impending interim rule release?
To get answers to these questions and learn more about what goes into CMMC Level 2 compliance, the GovCyberHub sat down with SteelCloud COO Brian Hajost and TD SYNNEX Public Sector’s Chief Compliance Officer Don Maclean. Here is what they had to say:
GovCyberHub (GCH): How do the cybersecurity postures of the Defense Industrial Base (DIB) and Federal Systems Integrator (FSI) organizations impact the U.S. Department of Defense (DoD) and military agencies they serve? How does CMMC ensure that these organizations’ cyber defenses are hardened enough to do business with the government?
Brian Hajost: To varying degrees, depending on the program, the DIB works closely with the DoD to create and share information. This includes data that is created and shared by both the DoD and the DIB. In any case, much of this shared data is Controlled Unclassified Information (CUI). CUI is the highest classification of data that is not actually classified. It is important that the DIB protect this data and CMMC was designed to ensure that the contractor’s environment is secure.
Don Maclean: The DIB provides a wide variety of goods and services to the DoD. If bad actors gain access to the specifics of these transactions, they can use that information to work against the national security of the United States. This is particularly true when the information is classified (Secret or Top Secret) or less significant but still sensitive, like CUI.
Even if a particular company’s information is not helpful to an adversary, it is possible to aggregate information from multiple sources to gain insight into DoD activities. For example, the adversary might discover that the DoD placed a large catering order for a particular base. By itself, that is not terribly important, but when correlated with other contracts for heightened security service, and requests to block off nearby roads, they could determine that the Department might be preparing to host foreign dignitaries.
The goal of CMMC is to incentivize DIB companies to implement a set of security controls to inhibit adversaries from accessing information about DoD transactions.
GCH: Organizations that handle CUI will soon be required to meet CMMC Level 2 certification, which requires all 110 NIST SP 800-171 controls. What types of cyber hygiene controls are included in NIST SP 800-171? How do these compare to the Level 1 controls?
Brian Hajost: Level 1 controls are the most basic controls that any organization should have implemented to protect data – no matter what industry or size. Level 2 controls are much more advanced and are similar to what the government uses to protect data on its own networks. Contractors that handle CUI will be required to be certified at CMMC Level 2.
Don Maclean: It is important to understand that the Level 2 control set includes all of the 17 Level 1 controls: Level 2 is a superset of Level 1. Level 2 closely resembles the controls required of government agencies for a “Low Impact” system – the least stringent of the three control sets found in NIST SP 800-53 (“Low”, “Moderate” and “High”).
In general, the Level 2 controls simply extend the Level 1 set, but even then they consist largely of fairly basic cybersecurity measures from which most companies would benefit even if they were not seeking DoD business. For example, when it comes to Access Control (AC), Level 1 requires only four controls, while Level 2 adds another 18, which can be as specific as requiring encryption, and be as broad as requiring adherence to principles such as Least Privilege and Separation of Duties.
GCH: What advice would you give to the DIB and FSI companies that are in the midst of working on Level 2 compliance? Are there any common missteps that they should avoid?
Brian Hajost: CMMC is a maturity model. Successful certification can’t be done at the last minute. I see contractors just not giving themselves the time to implement the controls necessary for Level 2.
Don Maclean: The two most important pieces of advice are:
First, don’t delay. Yes, the process has moved slowly, but it is moving. Moreover, it was recently announced that CMMC requirements will almost certainly extend to federal civilian agencies in addition to DoD. Delay could put your public-sector business at risk.
Second, scope appropriately. You probably don’t need every system in your company to come under Level 2 compliance standards.
GCH: Are there any solutions or products that can alleviate their Level 2 compliance workloads?
Brian Hajost: There are three product categories that a contractor will probably need to implement for a successful CMMC Level 2 certification. These include two-factor authentication technology for all critical systems, encryption at rest technology, and technology to automate the STIG or CIS system-level control hardening.
Don Maclean: Yes. First, configuration management tools can be extremely effective in achieving and maintaining compliance with the CMMC standards. Since the sensitivity of data drives a company’s certification journey, tools to discover and classify data are also essential to successful certification.
GCH: The DIB and FSI organizations that are required to have Level 2 CMMC certification must be assessed by a CMMC Third-Party Assessor Organization (C3PAO). This is a departure from the self-assessments that Level 1 requires. What should the DIB and FSIs be on the lookout for when selecting a C3PAO? Are all C3PAOs created equal?
Brian Hajost: This is a tricky question. The assessment should be the easy part. Getting ready for the assessment is the hard part. An organization can do both CMMC prep consulting and assessments, but they can’t do both for the same contractor. Many contractors will need help in implementing all of the controls necessary for a successful assessment. Therefore, I would suggest that finding the right organization to help at the front end is far more important than the company that performs the assessment.
Don Maclean: Attaining C3PAO status is difficult, so most of these organizations are extremely well qualified to perform the work. However, since the number of C3PAOs is small, they are overwhelmed with requests for assessments. Consequently, there is heavy pressure to speed up the process for qualification as a C3PAO – which may lead to a diminution of quality.
In selecting a C3PAO, make sure they have extensive experience in similar work, ensure that they can prioritize your company’s business, and get on their schedule early – the line is likely to be long!