The Best Way to Implement CMMC

Corserva blog

Since the rollout of CMMC requirements starting in November 2020, people are looking for a CMMC compliance checklist that tells them what they need to do or buy to achieve compliance. When it comes to compliance with CMMC, there is no “set it and forget it” solution. Instead, you need to approach the effort from a “top down” standpoint and define your compliance at the highest level of the organization, starting with formal policy.

As the Department of Defense transitions from the NIST SP 800-171 mandate to CMMC (Cybersecurity Maturity Model Certification), there is growing interest in identifying compliant IT solutions that will make it easy for Organizations Seeking Certification (OSC) to meet CMMC.

There are platforms that have the capability to align with the critical cybersecurity requirements. But, in general, there is no turnkey CMMC compliant solution. For an IT system to be compliant with CMMC, you need the correct technology combined with the right processes for managing FCI and CUI. The DoD contract under which you are working will specify which CMMC level you need to meet and whether you need to protect FCI or CUI.

 

FCI (Federal Contract Information) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. This is information that is not marked as public or for public release.

CUI (Controlled Unclassified Information) is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that is unclassified but that a law, regulation, or government-wide policy requires or permits to be handled with safeguarding or dissemination controls. It is sensitive and relevant to the interests of the US, potentially including national security, without rising to the level of classified information. For a contractor, this is information that resides on your company’s internal systems.

Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”

 


A Security Control Lifecycle Approach

With any IT system, you should take a lifecycle approach to security where you define your policies and specify approved procedures to manage CUI within the platform. Moving forward, you need to make sure you are monitoring and validating the systems, then periodically perform a management review.

 

Security control lifecycle

Instead of thinking of compliance as another tool to be purchased, take a lifecycle approach.

 

Two Critical Factors That Make an IT System Compliant with CMMC

Beyond implementing the individual security controls, two things are required for a system to be CMMC compliant:

  1. Use of FIPS validated cryptography wherever cryptography is used to protect CUI.
  2. Correct processes for managing CUI.

 

FIPS Encryption

The Federal Information Processing Standard (FIPS) 140 is the NIST (National Institute of Standards and Technology) standard that specifies the security requirements for cryptographic modules used in computer systems. Where NIST SP 800-171 requires cryptography to protect the confidentiality of CUI, it requires FIPS validated cryptography.

A platform that uses FIPS validated cryptography contains a cryptographic module that has been tested by an accredited laboratory and validated under the NIST Cryptographic Module Validation Program (CMVP). Not only that, but when the vendor changes the cryptographic module, the module must be revalidated before the new version counts as validated. NIST maintains a public list of validated modules, each with a certificate number that you can ask a vendor to produce.

Validation confirms that the module correctly implements approved algorithms and meets the requirements of the standard. It does not by itself mean that a platform built on that module encrypts all data in transit; that depends on how the platform is configured to use the module.

NIST is gradually transitioning from FIPS 140-2 to FIPS 140-3.

 

Could my systems already be compliant?

While there are many reasons for non-compliance with the security controls, there are two common technical reasons your existing systems may not be compliant.

  1. The platform doesn’t use FIPS validated cryptography to protect data “at rest” or “in transit.”
  2. It’s a cloud solution where data, and the personnel who can access it, are not restricted to the United States.

The first requirement of a compliant platform is the encryption. If the system doesn’t have the technical capability, there’s nothing you can do to make it compliant. Even if a platform is compliant natively with FIPS encryption, it must also be configured correctly.
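The configuration point above is checkable. The following is an added example, not code from the original post, that audits a host's FIPS posture in two steps: whether the platform is running in FIPS mode, and whether its TLS stack can still negotiate any non-approved algorithm for data in transit. It assumes a Linux host that exposes FIPS mode at /proc/sys/crypto/fips_enabled (my assumption) and takes cipher suites as OpenSSL suite names, as `openssl ciphers` prints them; the sample cipher list is constructed for illustration. The allowlist is a conservative reading of the approved algorithms, not a substitute for checking the vendor's CMVP certificate.

```python
"""Audit a host's FIPS posture: is FIPS mode on, and does the TLS stack
offer only FIPS-approved algorithms? Added example, not code from the post."""
import re
import ssl
from pathlib import Path

# Linux kernel flag. Assumption: the host exposes FIPS mode at this path.
FIPS_SYSCTL = "/proc/sys/crypto/fips_enabled"

# TLS 1.3 suites built only from approved primitives (AES-GCM, SHA-2).
APPROVED_TLS13 = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}

# A suite matching one of these patterns cannot be used in an approved mode
# (or is disallowed under SP 800-131A) and must not be negotiable.
NON_APPROVED = [
    (re.compile(r"RC4|RC2|IDEA|SEED|CAMELLIA|ARIA|GOST|CHACHA20"), "non-approved cipher"),
    (re.compile(r"\bDES\b|3DES"), "DES/3DES (disallowed)"),
    (re.compile(r"MD5"), "MD5 integrity"),
    (re.compile(r"NULL|\bEXP\b|ADH|AECDH|ANON"), "no encryption or authentication"),
]

# Constructed sample, as `openssl ciphers` might list them on a default build.
SAMPLE_OPENSSL_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-CAMELLIA256-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "NULL-SHA256",
]


def parse_fips_flag(text):
    """Interpret the sysctl content: '1' means the kernel is in FIPS mode."""
    return text.strip() == "1"


def fips_mode_enabled(path=FIPS_SYSCTL):
    """True/False from the sysctl, or None when the flag is absent
    (non-Linux host, or a kernel built without the crypto sysctl)."""
    try:
        return parse_fips_flag(Path(path).read_text())
    except OSError:
        return None


def classify_cipher_suite(name):
    """Return a rejection reason, or None if the suite is acceptable."""
    for pattern, reason in NON_APPROVED:
        if pattern.search(name):
            return reason
    if name in APPROVED_TLS13 or "AES" in name:
        return None
    return "not an AES-based suite"


def audit_cipher_suites(names):
    """Split a cipher list into approved suites and rejected ones with reasons."""
    result = {"approved": [], "rejected": {}}
    for name in names:
        reason = classify_cipher_suite(name)
        if reason is None:
            result["approved"].append(name)
        else:
            result["rejected"][name] = reason
    return result


def fips_posture_report(fips_flag, names):
    """Combine both checks. A platform only counts as configured correctly
    when FIPS mode is on *and* nothing non-approved can be negotiated."""
    audit = audit_cipher_suites(names)
    return {
        "fips_mode": fips_flag,
        "approved": audit["approved"],
        "rejected": audit["rejected"],
        "compliant": fips_flag is True and not audit["rejected"],
    }


if __name__ == "__main__":
    # Live check of this host: kernel flag plus what Python's OpenSSL offers.
    offered = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    report = fips_posture_report(fips_mode_enabled(), offered)
    print(f"FIPS mode: {report['fips_mode']}")
    for name, reason in report["rejected"].items():
        print(f"REJECT {name}: {reason}")
    print("compliant" if report["compliant"] else "NOT compliant")
```

Run against the constructed sample, the report rejects five of the eight suites and marks the host non-compliant even if FIPS mode is on; a validated module that is still allowed to negotiate 3DES or RC4 is exactly the "compliant natively but misconfigured" case the paragraph describes.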

Many cloud solutions are not compliant. If your CUI is also ITAR-controlled technical data, it may not be exported without authorization, and storing it where foreign persons can access it counts as an export; in practice that means keeping it in US data centers with support access limited to US persons. This is one reason Google’s commercial G Suite offering is not compliant. For CUI covered by DFARS 252.204-7012, a cloud solution needs a FedRAMP Moderate authorization, or must meet security requirements equivalent to that baseline. Another possible solution is using a US based data center to host your data in your own private cloud.

You may be using a commercial platform which is not compliant as is, but the same platform may be available in an enterprise version that is compliant. So, you could consider upgrading. But that may not be the most cost-effective way to achieve compliance.

 

What types of systems are already compliant?

Microsoft 365 Government - GCC High is one example of a system that is built to be compliant, assuming it is configured correctly.

It’s important to remember that, in general, nothing is compliant right out of the box; the configuration is a big part of it. You may have systems already in place that can be made compliant with design or process changes.

One question we hear all the time is around the compliance of a specific platform; for example, “Is Office 365 NIST 800-171 compliant?” Well, it can be, depending on how it is configured.

Some platforms may get you most of the way there, just missing one or two security controls. For example, the O365 E3 platform meets everything except the forensic analysis requirement of DFARS 252.204-7012 (preserving images of affected systems after a cyber incident and providing them to DoD for forensic analysis).

There are task-specific tools with compliance built in (such as tools for NIST compliant file sharing), but before implementing any new software, you should take a step back to see if it aligns with your lifecycle approach.

 


Protecting CUI with Technology Plus Processes

There are platforms that have the capability to align with the CMMC compliance requirements. But there is no solution that is plug and play, despite what you might hear from some vendors.

Instead, you need to take a lifecycle approach.

  1. Governance (Policies and Procedures)
    Define your security policy and approved procedures for the control of CUI.
  2. IT Operations (Design and Operations)
    Deploy and configure your technology platforms to align with your organization’s policy and management approved processes and procedures.
  3. Monitoring, Reporting, and Auditing
    On an ongoing basis, validate and audit your procedures.
  4. Ongoing Validation
    Perform management review and review policies at least annually.

 

The security control lifecycle is key to everything.

Compliance comes down to two things: data at rest and data in transit (where data = CUI).

Email is a major component of compliance. For example, if an employee can email a file to their Gmail account (which is outside of your control) that data is now at risk and could result in penalties or revenue loss.

Compliance is the way to manage that risk. With the transition to CMMC, the DoD is managing the risk to CUI by making companies operating in federal supply chains responsible for protecting CUI.

 

Costs to Compliance

I can’t overemphasize the importance of the lifecycle approach.

There are vendors who may try to get you to purchase their so-called compliant systems without an understanding of your complete IT environment. You can end up spending more money than necessary.

Another issue you face is that change is always happening in your IT environment. That’s one advantage of IT managed services. If you partner with an MSP who understands CMMC, they can implement the necessary controls as part of your onboarding and, most importantly, maintain your compliance through the ongoing management of your systems. Compliance is not a one-time thing.

 

Compliance is Not a Shopping Cart

It’s tempting to believe you can buy the perfect software to gain compliance. (Learn more in the blog post, "What is CMMC compliance?")

Instead, what we recommend to our clients is they take a phased approach.

  1. Perform an assessment (yourself or with help from a third party) to understand your current environment.
  2. Develop your System Security Plan (SSP) and Plan of Action with Milestones (POA&M).
  3. Score your implementation using the NIST SP 800-171 DoD Assessment Methodology and post the summary level score (with the SSP name, the assessment date, and the date by which you expect all 110 requirements to be implemented) in the DoD Supplier Performance Risk System (SPRS), as required by DFARS 252.204-7019.
  4. Work towards fixing any gaps in security starting with highest risk to lowest.

For the most cost-effective way to meet compliance, you need a roadmap based around the security lifecycle. You need to understand the impact to revenue and business operations.

 

The Path to CMMC Compliance

Corserva provides NIST assessments for DoD contractors and subcontractors who need to comply with NIST 800-171. We can create SSPs and POA&Ms, as well as perform required remediation identified during an assessment.

Corserva is listed on the Marketplace of the CMMC Accreditation Body (CMMC-AB). As a CMMC-AB Registered Provider Organization™ (RPO), Corserva can advise companies in preparation for a CMMC assessment by a C3PAO.


Corserva offers an easy process for your organization to prepare for a CMMC assessment. Request a quote today to protect your government contracts and prevent cyber threats.


 

Post Date: April 7, 2021 // 12:45 PM

Topic category:

NIST & CMMC

Author:

Adam Keely

Adam is a security analyst and CMMC-AB Registered Practitioner (RP). He is a member of Corserva’s assessment and compliance team, guiding companies in meeting business objectives with NIST 800-171 and CMMC. Adam spent 5 years in the United States Marine Corps as a Communications Electronics Technician before entering the corporate world, where he has worked in web development and cybersecurity.
