CMMC was finally born and, we will add, is crying for your care and feeding as soon as possible. Coalfire Federal is posting three different articles to support the DIB. The first one, written by our CEO, Bill Malone, underscores why CMMC makes good business sense. The second one is a comprehensive and thorough review of everything in the voluminous tome, succinctly summarized into 22 pages of bulleted points that are further compacted into a set of key highlights. This document, the third one, is more focused on answering the ‘so what’ and ‘now what’ questions regarding what CMMC coming into effect means for the DIB.
As context for the rest of this article, it is worth stating what we should all know by now - members of the DIB have been required to self-attest to compliance with NIST 800-171 since 2017, but that has not gone well, which is why the DoD decided to move to third-party attestation of compliance. CMMC 1.0 included some additional requirements beyond NIST 800-171, which were then scrapped, in part because it was going to be too difficult to manage a hybrid standard. The CMMC ecosystem being trained against NIST 800-171 R2, followed by the release of NIST 800-171 R3, was another temporarily chaotic moment that underscored the value of pulling back from a regulation based on multiple frameworks and controls to focus on one framework, even if that framework may not be perfect. Perfect is the enemy of good, and right now the security of the DIB is lacking. Even with one framework there are complications associated with different versions, despite the DoD’s commitment to basing the CMMC regulation on R2: our ally, Canada, plans to adopt an assessment standard based on NIST 800-171 R3 and wants to harmonize efforts with the US. More on that in another post.
Initial efforts to simplify CMMC, the inclusion of public comment periods, the time spent reviewing those comments and the testing of the process all take time. However, CFR 32 is finally here and the changes made to the published version are being fairly well received by the ecosystem – we finally have answers regarding the treatment of CSPs: if they store and process CUI, then they need to be FedRAMP or equivalent, but if they are only managing security protection data (think metadata, for example), then the CSP would be assessed as a security protection asset. The ecosystem of MSPs and MSSPs seems to be breathing a collective sigh of relief. We have more clarity on the treatment of Security Protection Assets, a better understanding of what assessment teams should look like, and some more details on the roles and responsibilities of various parties throughout the ecosystem (read our other article released this week for more on those points).
Regarding the larger ‘so what’, CMMC is a bold approach to protecting the confidentiality of sensitive data that, if and when it is compromised and falls into the hands of adversaries, undermines our national security. This point alone is the most important reason for CMMC and why cooperation and coordination throughout the entire supply chain is so critical. Having said that, there are many benefits that OSCs can attain if they embrace the challenge of complying as an opportunity to understand more about various aspects of cybersecurity and how to apply the principles of CMMC more broadly.
One of the frustrations facing cybersecurity professionals is that anyone who does not work in cyber thinks of cyber as a single thing. The reality is that cybersecurity is like dressing for winter in New England: you need multiple layers of protection. While CMMC is focused on one aspect of cybersecurity, confidentiality, and further narrowly focused on the confidentiality of only CUI, those engaged in implementing CMMC for their organizations will be exposed to lots of ideas regarding how to build security in layers based on the domains enforced by CMMC. Every client we work with has lightbulb moments regarding their understanding of the why and how of implementing specific controls. It is exciting to experience the learning and an honor to participate in supporting companies critical to our national defense in their understanding of data protection.
Is CMMC a perfect cybersecurity framework? No. It is also not a static, concrete set of controls. As we learn from doing, improvements and changes take place in all things. This will be true for CMMC as well. We have already learned so much with each and every JSVA performed in preparation for CMMC’s enforcement.
A more important question than whether it is perfect is ‘will most companies be more secure through the process of ensuring compliance with CMMC?’ Definitely yes. As noted, OSCs are only required to secure CUI and FCI against the cybersecurity principles related to data confidentiality, which means CMMC does not directly address other cybersecurity principles like data integrity and availability (although it does address some aspects of these principles indirectly).
Are there more things that companies could and should do to improve their cybersecurity posture beyond CMMC? Also, yes. However, here is the reality – the easiest way into the big companies is through the small companies, and the small companies are often made up of a few really smart people creating super innovative products and processes who often don’t have in-house IT people, let alone security personnel. Cybersecurity is not on their radar because their primary view of technology is as a means for improving productivity and communications, without an understanding of the underlying risks, so important controls are not baked into their infrastructure, processes and procedures. As a result, the delta between where they are and where they need to be in relation to cybersecurity is a lot larger than it is for larger companies. The bigger the delta, the harder compliance will be and the more investment required, but also the more benefit gained from the perspective of reducing risk and improving security posture. If you have ignored your physical health completely, you can wake up one morning and decide you are going to run a marathon, but that means you start by going for a walk that day. Companies with poor cybersecurity health have to start somewhere, and if that company is in the DIB, compliance with CMMC is a great place to start.
On a related note, a lot has been written about why CMMC came into being as well as why self-attestation has not worked. Arguments range from ‘companies are willfully ignoring the requirements’ to ‘they are trying to comply but don’t understand what they need to do’ to ‘they don’t know the requirement exists’. Through helping hundreds of companies with NIST 800-171 and with CMMC advisory services, we have seen scenarios where each of these answers was correct in some measure.
When the concept of third-party assessments of compliance with CMMC was introduced in 2019, one of the benefits already achieved is that it brought a lot of bright minds from the advisory and compliance community to start writing about the requirements, where to start, what to consider and how to interpret the official documentation. This alone has helped companies trying to comply without significant internal resources. The guidance on compliance in 2017 was pitiful in comparison to what it is today.
At live conferences, on video calls and in other virtual water cooler environments, we have heard from many leadership members of the DIB who have said their organization is taking a ‘wait and see’ approach to CMMC. The fact that it has taken a while for CMMC to land has provided the space for a lot of doubt to creep in regarding whether it will ever come to fruition. As noted above, there is a series of logical reasons for the delays, but it requires significant time and dedication to unpack all of those reasons, and most people are short on time these days. The most common scenario that we have heard is that the compliance and/or IT team has been concerned about their organization’s lack of preparedness for CMMC for a while, but the executive team has not felt comfortable dedicating the financial resources necessary to comply, given their belief that it would never happen. Well, it happened. So, if your organization is behind in preparations, now (or two years ago) is the time to start.
Tag, You’re It!
A common scenario that our team sees is that someone in a client company was told ‘Tag, you are it! Make us compliant with CMMC!’ More often than not, that person did not have the background they needed to understand the requirements, nor did they have the authority to get the support they needed to effect change. These individuals may do their best working in a vacuum to create policies and procedures, do research into options for meeting some of the requirements and otherwise cobble as much of a security program together as they can, without support or knowledge regarding the big picture.
One of our top recommendations for such companies is to send at least one person involved in compliance leadership to CCP training. Even better is to send that person to CCA training, and better still to send two or more people. Even when companies hire advisors like our team to help build their roadmap to compliance, the OSC still needs to have someone who understands how to follow the roadmap, ensure continued compliance and support other internal team members in understanding their roles in meeting the requirements as well. A CCP course is one week long, and even if a company just sends one person for one week, it will be money well spent because you will know there is one person who fully understands what the requirements are, why they exist and how they work in tandem with each other to reduce risk.
CMMC is not perfect. No cybersecurity regulation will ever be perfect. Nor will it be static. It is, however, finally here, which means there is no more room for debating whether it will happen or what to modify before it goes live.
An underlying reason for the wait-and-see attitude mentioned above is a larger problem: cybersecurity has historically been viewed as a cost center in organizations, not as a strategic advantage. Any investment that ends up in the cost center column is destined to be treated as a necessary evil to be reduced to the lowest number possible. Yet companies that can show they are compliant with CMMC may have an advantage in obtaining business with the Department of Defense, since prime contractors are required to consider SPRS scores in their subcontracting decisions and so few companies are currently compliant. Also, improvements in cybersecurity posture in general reduce the risk of breach. Cybersecurity requires making investments, but a breach can financially destroy a company.
A common misconception is that compliance, and even cybersecurity, is a box to check, so a company can wait until the bell rings and rush through all the requirements toward a one-time deadline for compliance. This perspective is wrong. Your organization is a moving, breathing, organic, fluid entity. Anything that moves needs constant care and attention to ensure protection. Think about how you treat yourself. Eating a salad and going to the gym one day a week will not protect you from health problems as much as doing so 5-7 days a week. Similarly, the more layers of cybersecurity protection you put in place, the more secure you are, and performing regular health checks on the security of your environment helps you identify systems that need shoring up. Your annual physical by a third-party provider (your doctor) should identify vulnerabilities that need to be shored up that you may not have noticed, but you should be vigilant all the time to identify changes and weaknesses that need attention. The same is true for your cybersecurity plan. There are important CMMC requirements that, when you make changes to your infrastructure, you create a POAM until the appropriate new controls have been put in place. Annual self-attestation in between third-party assessments is still required. CMMC is not a one-and-done scenario but rather a full-time commitment to ongoing risk management.
One of the biggest problems confronting OSCs is understanding what CUI is, knowing when it is being created, where it lives, and how it flows through the organization. The DoD needs to do a lot more to support the DIB with guidelines for recognizing and managing CUI in their environments, and hopefully this will come soon. The irony is that the controls for CMMC Level 2 are applied to the CUI boundary, but the majority of companies struggle to understand the boundary. For this reason, the Coalfire Federal CMMC team always conducts a CUI boundary analysis as the first part of a gap analysis, to help our clients trace the flow of CUI throughout their organization. It is hard to imagine doing a gap analysis without this step. It is like building a house without really understanding the boundaries of the land that the house is being built on.
If you are just getting started, this is where you should start - trace CUI from contracts through every step of how it flows throughout your organization. Use the current, as-is data flow to design your desired state, reducing the footprint of CUI where possible. This unstructured, uncomfortable, challenging process will clarify a lot of things for you that will prove invaluable in the long run. If you need support with that, our CMMC team has significant experience with this process and is ready to support you as well.
This is the point at which your organization is finally ready to start addressing the control requirements. Here are some more helpful tips for this phase of the process. If you don’t have dedicated IT and security personnel, it is worth hiring an MSP/MSSP to support you. We have worked with a number of good MSPs that can support companies with CUI and can offer some names of companies to consider, but ultimately we recommend that you interview at least three different companies before making a decision. Check the way they handle CUI and ensure that they meet the new requirements. Also ask each candidate MSP for a shared responsibility matrix so that you understand what they are promising and what you are still responsible for.
Consider how you are going to collect and manage evidence. A robust GRC tool is well worth the investment for all companies, and again, since the delta between the current state and the required state is so much larger for small companies, they may benefit more from the structure provided by an effective GRC tool.
Consider hiring an expert advisor to support you through the preparation stages if you are behind in your preparations. If you do hire an advisor, we highly recommend you interview a few and pick one who will dedicate a team to supporting you that has cybersecurity experience, will have at least one CCA on your advisory team, and preferably has team members that have been through a JSVA. That advisory team will definitely know what good looks like, and you should feel confident that they will prepare you well for your CMMC assessment.
If you need additional support in preparing for a CMMC assessment, would like to conduct a mock assessment, or feel you are fully prepared and are ready to get in line for your official CMMC assessment, contact us to learn how we can support your journey.
Amy Williams began her career in Accounting Information Systems, a precursor to cybersecurity that imbued her with the talents and knowledge that she uses today. Trained in multiple fields of study, Dr. Williams has ample experience understanding fraud, system errors in internal systems, and internet security protection. She has been on the forefront of developing cyber strategies for supply chains since the world wide web made the internet popular for sharing data in business. With both a Master’s Degree and PhD from Virginia Tech, Amy Williams has held prestigious positions with the NY Citizens Crime Commission, where she built an alliance with the FBI, and she led the development of BlueVoyant's CMMC and CIS Advisory Practices prior to joining Coalfire Federal.