The Department of Defense is in the midst of one of the biggest pushes ever to shore up the nation's cyber defenses, both internally and externally. In order to provide specific safeguards and controls to help further protect information, the "Cybersecurity Maturity Model Certification" or the “CMMC" has been established.

What Exactly Is The CMMC?

Background

According to a recent study, conducted by Juniper Research, the overall amount of financial losses the United States will experience by the year of 2024 is expected to exceed $5 trillion (SOURCE: 1). This represents a Year Over Year (YoY) growth rate of nearly 11% until we hit that mark. It is expected that this statistic is only going to proliferate further down the road. One of the largest cyber victims will be what is known as the "Defense Industrial Base”, referred to as the “DIB" for short. The grouping of companies involved in this network is extensive.

For example, it represents more than 300,000 businesses across Corporate America, and any subsidiaries or branch offices that have locations on a global platform. This number grows even more when you include the nonprofit organizations and academic institutions that are tasked with the following for our nation's military system:

• Research and engineering

• development of new system designs

• acquiring and procuring of needed raw materials

• final production and delivery of new products and services.

Introduction To The CUI

If any of the above have been compromised in any way, shape, or form, this would, of course, have massive and devastating consequences for the United States armed forces on a global level. This is especially true when it comes to the loss of both Intellectual Property (IP) and Controlled Unclassified Information (CUI). The latter can be explicitly defined as follows:

"CUI is a government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.” (SOURCE: 2).

In other words, CUI is information that can be accessed to varying degrees by external third parties. However, it is not designed to be released to the public at large, because of some of the sensitivity that is involved with the datasets. As a result, there are fewer controls that are associated with the CUI. Because of that, this presents a prime opportunity for the Cyberattacker to penetrate the system and gain access to the information covertly.

An Overview of The CMMC

In order to provide specific safeguards and controls to help further protect CUI, the "Cybersecurity Maturity Model Certification" or the “CMMC" has been established.

This framework was actually launched by the Office of the Under Secretary of Defense for Acquisition and Sustainment, or the "OUSD (AS)" for short.  Although one of the primary objectives of the CMMC is to protect the CUI, one of the other main themes is to limit entrance to the external contractors that can gain access to it. Although these parties primarily reside in the United States, they could also have connections to associates in overseas offices- places where the CUI could be released intentionally, or non-intentionally, to potentially malicious third parties.

These contractors form what is known as the "Supply Chain" for the Department of Defense (DoD). Along with the other entities described earlier in this whitepaper, this category also includes many small to medium-sized businesses. These organizations are the most prone to Cyberattacks. According to the Verizon 2019 Data Breach Investigations Report, it is those entities that have up to 250 contractors (or more) that are at most risk for exposing CUI via Email, or any other electronic means. (SOURCE: 3).

One of the driving forces behind the CMMC is the list of best practices and standards that have been set forth by the National Institute of Standards and Technology, also known as “NIST”. Before the adoption of the NIST framework, the guiding principles for implementing some controls for the CUI came from the NIST SP 800-17, and the "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.

In order to prove their level of trustworthiness when it comes to accessing the CUI, these external contractors in the DoD Supply Chain will have to be certified through the CMMC framework primarily via through CMMC based Third Party Organizations also known as “C3PAOs" for short. This is a requirement before any bidding on DoD contracts can take place, and direct proof of certification must be stipulated in any Request For Proposals (RFPs) that will be submitted.

It is crucial to keep in mind that merely achieving CMMC certification does not guarantee that the third-party contractors will gain immediate and automatic access to the CUI datasets. Instead, the DoD will have final oversight as to the types of CUI that will be disseminated. The first version of the CMMC (Version 1.0) was released in 2019, and the next version was expected to launch sometime in 2020.

How To Get Ready For The CMMC

Although there are lot of moving parts to the CMMC, Defense Contractors as well as their Subcontractors must be certified at specific levels before they will be allowed to bid on contracts that are given out by the Department of Defense (DoD). Here are some key steps that one must take in order to be fully ready to achieve full and complete CMMC Accreditation:

1) Determine your CUI Environment:

Once you win a contract the DoD will share relevant information and data in order to accomplish your contractual obligations. As a Defense Contractor you will be specializing in the tenets of the contract, Thus, in this regard, you need to get an idea as to the kind of CUI that you will need, as well as how you plan to store, process, and transmit this information in a secure manner.

2) Define appropriate Controls:

At this stage you will need to identify and implement the appropriate controls to safeguard the CUI that you will be using. All of this will be based upon what has been set forth in the NIST 800-171, with regards to controls. You will need to ascertain if you have what is known as a “Flat” or “Segmented Network”. If you have a flat network you will most likely have to deploy most of the Controls that have been specified. If it is the latter, then you will need to only implement those controls that are relevant to those subnet(s) in which the CUI will be stored, transmitted, and processed.

3) Compile relevant documentation:

In this particular instance, you will need to clearly ascertain all of the Data Privacy and

Compliance laws/regulations that directly and indirectly apply to the CUI you will be handling. Further, you will need to prepare an exhaustive set of documentation that clearly details how your organization will meet the compliance portions of those regulations. This will include (but not be limited to) the creation of best practices, standards, how the Controls will audited and monitored so that they are always safeguarding the CUI, and more. Keep in mind that you will not be dealing with just United States laws/regulations, there are also international ones that you may to have to address as well. In order to optimize the creation and updating processes of your documentation, it is important to adopt a hierarchical methodology.

4) Define who will be accountable and responsible for the CUI:

In this phase, you will need to clearly identify those individuals and teams in your organization

that will be overseeing the dissemination of the CUI datasets. It is necessary to very clearly map out the communications processes and workflows so nothing falls through the gaps. This ensures that any chances of miscommunications that could potentially expose the CUI to the wrong hands is mitigated.

5) Define System Security Plan(SSP) and Plan of Action & Milestones(POA&M):

These are two distinct pieces of documentation that are updated in real time (on an as-needed basis). Any issues that could have a profound impact upon the integrity of the CUI that you have been entrusted with by the DoD will be added. For example:

• The intention of the SSP is to serve as a “database” of sorts as to the people, processes, and technology that are embracing the CUI. Any changes to any or all of them need to be documented here.

• The POA&M is meant to serve specifically as a “Risk Register”. For example, any deficiencies that have been found in the controls need to be thoroughly documented here, as well as the actions that took place to remediate the situation(s).

It is important to note here that the primary objective of these two pieces of documentation is

to further address how your organization as well as your Subcontractors will achieve 100%

compliance with the statutes and provisions that have been set forth by the CMMC. Finally, the

score that you receive in the end from compiling these two pieces of documentation must be

reported to what is known as the “Supplier Risk Performance System”, or “SRPS”. Here are some details that must be included in this submission:

•  The name of the System Security Plan;

•  The relevant CAGE Codes;

•  A brief description of the layout of your IT and Network Infrastructures;

•  The date you took the actual assessment;

•  The score you achieved;

•  The plan of action to get 100% compliance.

6) Adopt the appropriate Risk Management Methodology:

There are obviously a lot of Methodologies and Templates you can use, but what is of primary

interest relating to the CMMC is that your organization deploys an adequate framework. This should show a CMMC Auditor that you are taking a proactive stance in managing the risks that are associated with handing CUI. Also if needed, your organization can adopt multiple risk frameworks for those specific segments that will be handling the CUI.

7) Adopt the appropriate set of Metrics, Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs):

It is important that the Metrics and KPIs reflect how the management of the controls is done on

a real-time basis. In other words, a snapshot at one particular point in time is not enough; they must provide the CMMC auditor a useful trend analysis, over the long term, showing how the CUI is being handled.

8) Take the NIST 800-171 Self-Assessment Examination:

The primary backbone for the CMMC is the documentation which is known as the “NIST 800-171”. Before the CMMC came into being, all of the Defense Contractors and their respective subcontractors could assess themselves regarding the state of their current cybersecurity environment and submit a completed questionnaire for the DoD. But under the new guidelines, all of the Contractors and their Subcontractors now must submit the questionnaire to the DoD in order to confirm the validity and authenticity of the assessment.

Conclusion

The above may sound daunting, but Webcheck Security can help. Reach out to us at getintouch@webchecksecurity.com and let us know hoe we can assist you! Now that you a solid understanding of what the CMMC is about, our next article will deal with the updated, which is known as the “CMMC 2.0”.

Sources

1) https://www.juniperresearch.com/press/press-releases/business-losses-cybercrime-data-

breaches

2) https://www.dcsa.mil/mc/ctp/cui/

3) https://enterprise.verizon.com/en-gb/resources/reports/dbir/