Since the rollout of CMMC requirements starting in November 2020, people have been looking for a CMMC compliance checklist that tells them what they need to do or buy to achieve compliance. When it comes to compliance with CMMC, there is no “set it and forget it” solution. Instead, you need to approach the effort from a “top-down” standpoint and define your compliance at the highest level of the organization, starting with a formal policy.
As the Department of Defense transitions from the NIST 800-171 mandate to CMMC (Cybersecurity Maturity Model Certification), there is growing interest in identifying compliant IT solutions that will make it easy for Organizations Seeking Compliance (OSC) to meet CMMC.
There are platforms that have the capability to align with critical cybersecurity requirements. But, in general, there is no turnkey CMMC-compliant solution. For an IT system to comply with CMMC, you need the correct technology and the right processes managing FCI and CUI. The DoD contract under which you are working will specify to which level of CMMC you need to meet and whether you need to protect FCI or CUI.
FCI (Federal Contract Information) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. This is information that is not marked as public or for public release.
CUI (Controlled Unclassified Information) is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government. This is information that resides on your company’s internal systems.
Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”
A Security Control Lifecycle Approach
With any IT system, you should take a lifecycle approach to security where you define your policies and specify approved procedures to manage CUI within the platform. Moving forward, you need to monitor and validate the systems, then periodically perform a management review.
- Governance - Policies and Procedures
- IT Operations - Design and Operations
- Monitoring, Reporting, and Auditing
- Ongoing Validation
Instead of thinking of compliance as another tool to be purchased, take a lifecycle approach.
Two Critical Factors That Make an IT System Compliant with CMMC
There are two things that are required for a system to be CMMC compliant:
- Use of FIPS-validated cryptography.
- Correct processes for managing CUI.
FIPS Encryption
The Federal Information Protection Standard (FIPS) is an encryption standard developed by NIST (National Institute of Standards and Technology) for use in computer systems.
A FIPS-validated cryptography platform has been submitted to NIST for validation and certification. Not only that, but every time the platform vendor updates the platform, they must re-submit to NIST for validation. NIST maintains a list of FIPS-validated cryptographic platforms.
When a vendor submits their platform, NIST verifies that it works properly and that all data in transit is FIPS encrypted.
NIST is gradually transitioning from FIPS 140-2 to FIPS 140-3.
Could my systems already be compliant?
While there are many reasons for non-compliance with the security controls, there are two common technical reasons your existing systems may not be compliant.
- The platform doesn’t use FIPS-validated cryptography to protect data “at rest” or “in transit.”
- It’s a cloud solution where data is not restricted to the 48 continental United States.
The first requirement of a compliant platform is encryption. If the system doesn’t have the technical capability, there’s nothing you can do to make it compliant. Even if a platform is compliant natively with FIPS encryption, it must also be configured correctly.
Many cloud solutions are not compliant. Under ITAR, data cannot leave the 48 continental United States. This is one reason Google’s commercial G Suite offering is not compliant. A cloud solution must possess a US government-issued FedRAMP Authorization to be compliant. Another possible solution is using a US-based data center to host your data in your own private cloud.
You may be using a commercial platform that is not compliant as is, but the same platform may be available in an enterprise version that is compliant. So, you could consider upgrading. But that may not be the most cost-effective way to achieve compliance.
What types of systems are already compliant?
Microsoft 365 Government - GCC High is one example of a system that is built to be compliant, assuming it is configured correctly.
It’s important to remember that, in general, nothing is compliant right out of the box; the configuration is a big part of it. You may have systems already in place that can be made compliant with design or process changes.
One question we hear all the time is around the compliance of a specific platform; for example, “Is Office 365 NIST 800-171 compliant?” Well, it can be, depending on how it is configured.
Some platforms may get you most of the way there, just missing one or two security controls. For example, the O365 E3 platform meets everything except the forensic analysis requirement of DFARS 252.204-7019.
There are task-specific tools with compliance built-in (such as tools for NIST-compliant file sharing), but before implementing any new software, you should take a step back to see if it aligns with your lifecycle approach.
Protecting CUI with Technology Plus Processes
There are platforms that have the capability to align with the CMMC compliance requirements. But there is no solution that is plug and play, despite what you might hear from some vendors.
Instead, you need to take a lifecycle approach.
- Governance (Policies and Procedures)
Define your security policy and approved procedures for the control of CUI. - IT Operations (Design and Operations)
Deploy and configure your technology platforms to align with your organization’s policy and management-approved processes and procedures. - Monitoring, Reporting, and Auditing
On an ongoing basis, validate and audit your procedures. - Ongoing Validation
Perform management review and review policies at least annually.
The security control lifecycle is key to everything.
Compliance comes down to two things: data at rest and data in transit (where data = CUI).
Email is a major component of compliance. For example, if an employee can email a file to their Gmail account (which is outside of your control) that data is now at risk and could result in penalties or revenue loss.
Compliance is the way to manage that risk. With the transition to CMMC, the DoD is managing the risk to CUI by making companies operating in federal supply chains responsible for protecting CUI.
Costs to Compliance
I can’t overemphasize the importance of the lifecycle approach.
There are vendors who may try to get you to purchase their so-called compliant systems without an understanding of your complete IT environment. You can end up spending more money than necessary.
Another issue you face is that change is always happening in your IT environment. That’s the advantage of IT managed services. If you partner with an MSP who understands CMMC, they can implement the necessary controls as part of your onboarding. And most importantly, maintain your compliance with the ongoing management of your systems. Compliance is not a one-time thing.
Compliance is Not a Shopping Cart
It’s tempting to believe you can buy the perfect software to gain compliance.
Instead, we recommend that our clients take a phased approach.
- Perform an assessment (yourself or with help from a third party) to understand your current environment.
- Develop your System Security Plan (SSP) and Plan of Action with Milestones (POA&M).
- Upload your SSP and POA&M into the DoD Supplier Performance Risk System (SPRS), as required by DFARS 252.204-7019.
- Work towards fixing any gaps in security, starting with the highest risk to the lowest.
You need a roadmap based on the security lifecycle for the most cost-effective way to meet compliance. You need to understand the impact on revenue and business operations.
The Path to CMMC Compliance
Corserva provides NIST assessments for DoD contractors and subcontractors who need to comply with NIST 800-171. We can create SSPs and POA&Ms and perform the required remediation identified during an assessment.
Corserva is listed on the Marketplace of the CMMC Accreditation Body (CMMC-AB). As a CMMC-AB Registered Provider Organization™ (RPO), Corserva can advise companies in preparation for a CMMC assessment by a C3PAO.
Corserva offers an easy process for your organization to self-attest to CMMC (if eligible) or prepare for a CMMC assessment. Request a quote today to protect your government contracts and prevent cyber threats.
