Tackling CMMC Compliance: Twelve steps to achieving certification.
As published in SIGNAL Magazine (afcea.org) under the title "Tackling CMMC Compliance".
Cybersecurity Maturity Model Certification is a serious and involved process that will take time and resources, and for small companies, it's often difficult to know where to start. Using these twelve steps, companies can effectively manage the transition from noncompliance to compliance.
Step one: Identify controlled unclassified information. Some companies jump right in with a self-assessment, hoping to find they’re close to certification. But what are they assessing? The entire company? Do they have controlled unclassified information (CUI)? The first and most important step is to understand what the contract says about CUI. If a small business doesn’t have CUI associated with a contract, there’s no requirement to achieve Cybersecurity Maturity Model Certification (CMMC) Level 3 certification. If a business has a relevant Defense Federal Acquisition Regulation Supplement (DFARS) clause in a contract, then it must identify what information or data is CUI. The program’s security classification guide should describe what information is classified as CUI, and hopefully, the government has done a good job of identifying and marking it.
One method to identify and visualize where CUI is in the system is to build a dataflow diagram. This tracks the flow of CUI as it enters the system, is accessed and processed by users and devices, is stored, and exits the system. The completed dataflow diagram will show where CUI, in logical or physical form, needs to be protected while in custody. Once complete, a company will have identified what needs to be hardened to CMMC Level 3 standards and what needs to be certified.
This step offers an opportunity to adjust existing business processes to reduce the amount of CUI in a system and/or reduce the number of people/systems that access CUI. A reduced CUI footprint also reduces the number of systems and people to be certified. The end goal is to reduce the CUI boundaries to the bare minimum, presenting a smaller attack surface for adversaries and a smaller, more affordable system to be certified.
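The scoping exercise described above can be made mechanical once the dataflow diagram exists. The following is an added example, not code from the article or its author: it models the diagram as a directed graph whose flows carry a data label, derives the set of assets CUI reaches (the assessment boundary), lists the people who log on to those assets (the population step three will need to screen and train), and shows how removing one business process shrinks both. All asset names, flows and user assignments are constructed sample data. The one design decision worth noting is the conservative rule for flows that were never labelled: they are assumed to carry CUI until someone proves otherwise, which is how an unreviewed backup job ends up inside the boundary.

```python
"""Scope the CMMC assessment boundary from a dataflow diagram.

Added example, not from the article. The dataflow is modelled as a directed
graph whose edges carry a data label; an edge labelled None means the flow's
contents were never classified. All sample data below is constructed.
"""
from collections import deque

# Constructed sample flows: (source, destination, data label).
# None = "nobody has determined what this flow carries".
FLOWS = [
    ("gov-portal", "ingest-sftp", "CUI"),
    ("ingest-sftp", "file-server", "CUI"),
    ("file-server", "eng-ws-1", "CUI"),
    ("file-server", "eng-ws-2", "CUI"),
    ("eng-ws-1", "print-server", "CUI"),
    ("file-server", "backup-nas", None),       # unclassified backup job
    ("file-server", "web-server", "public"),   # published brochures only
    ("hr-system", "payroll", "PII"),
]

# Constructed: which person logs on to which asset.
USERS = {
    "alice": {"eng-ws-1"},
    "bob": {"eng-ws-2"},
    "carol": {"hr-system", "payroll"},
    "dave": {"backup-nas", "web-server"},
    "erin": {"print-server"},
}


def cui_boundary(flows, label="CUI"):
    """Return the set of assets that must be hardened and certified.

    Seeds: both ends of every flow explicitly labelled CUI.
    Propagation: from any asset in the boundary, follow outgoing flows that
    are labelled CUI or not labelled at all. A flow with a different explicit
    label (PII, public) is trusted not to carry CUI and is not followed.
    """
    adj = {}
    for src, dst, lbl in flows:
        adj.setdefault(src, []).append((dst, lbl))
    boundary = set()
    queue = deque()
    for src, dst, lbl in flows:
        if lbl == label:
            for node in (src, dst):
                if node not in boundary:
                    boundary.add(node)
                    queue.append(node)
    while queue:
        node = queue.popleft()
        for dst, lbl in adj.get(node, ()):
            if lbl in (label, None) and dst not in boundary:
                boundary.add(dst)
                queue.append(dst)
    return boundary


def unlabelled_flows(flows):
    """Flows whose contents were never classified; each must be decided
    (CUI or not) before the boundary can be considered final."""
    return [(s, d) for s, d, lbl in flows if lbl is None]


def users_with_cui_access(boundary, users):
    """People who log on to any in-boundary asset: the population that needs
    screening, training and a justified need-to-know."""
    return {u for u, assets in users.items() if assets & boundary}


def without_asset(flows, asset):
    """Footprint after a business-process change removes an asset from the
    CUI path, e.g. prohibiting printing of CUI."""
    return [f for f in flows if asset not in (f[0], f[1])]


if __name__ == "__main__":
    b = cui_boundary(FLOWS)
    print("boundary:", sorted(b))
    print("unclassified flows to resolve:", unlabelled_flows(FLOWS))
    print("users needing CUI controls:", sorted(users_with_cui_access(b, USERS)))
    reduced = without_asset(FLOWS, "print-server")
    b2 = cui_boundary(reduced)
    print("boundary without printing:", sorted(b2))
    print("users after change:", sorted(users_with_cui_access(b2, USERS)))
```

Run as a script, it reports seven in-scope assets (the backup NAS included, because its flow was never labelled), four users who need CUI access controls, and the smaller boundary and user list that result from removing the print path; `carol` and the web server stay out of scope because their flows are explicitly labelled as carrying something other than CUI.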
Step two: Conduct a risk assessment. The data flow diagram should have identified all the assets that CUI interacts with within the environment. Identifying the threats to those assets and any possible vulnerabilities will allow the identification of risk. Examine each asset and the possible threats to it, then determine whether a vulnerability exists that each threat could exploit. The outcome of this step should be a completed risk assessment and a risk mitigation management plan for risks that could not be remediated.
Step three: Conduct user training. Some studies suggest that 85 percent of cyber incidents are caused by the user. Granted, the system most likely had an existing vulnerability that a threat exploited on an asset. The user was just the last step in the attack chain when they clicked on a bad link or malicious attachment. Hopefully, a well-trained user won’t be that enabler. During this step, a company should accomplish three things: 1) Train all personnel that use the system; 2) Screen employees through a background check; and 3) Identify individuals who require access to the system and CUI.
Training users, administrators and managers on protecting CUI and what actions are acceptable on a system is critical. All the protections in the world won’t help if a user emails a CUI file to their personal email account so they can work on it at home over the weekend. The government provides training resources through the Center for Development of Security Excellence.
Typically, screening users is accomplished at the time of hiring. Most companies conduct background screening on new hires. If a company has a facility clearance (FCL) and employees hold government security clearances, that may be leveraged.
Finally, identify which employees need to access the CUI. In a 100-person company, if only 10 people interact with the CUI in the execution of the contract, they should be the only ones granted access to it. Once again, the goal is to reduce the attack surface. The fewer people with access, the fewer the chances of compromise.
Step four: Assess existing documentation. Early reports from Certified Third Party Assessor Organizations (C3PAO) undergoing certification by the U.S. Defense Department claim documentation is a major shortcoming. The maturity aspect of CMMC requires documentation for a set period (yet to be determined, but at least three months). Telling an assessor that the company has a policy isn’t going to cut it with CMMC. They will want to see the policy, ensure that it addresses the issue and is being followed. They will also want to see the plan that supports the management and resource allocation of the policy. CMMC calls for a System Security Plan (SSP) for each system and a policy, plan and implementation procedures for each of the 17 security domains.
Many companies either don’t have documentation or have shelf-ware, policies written long ago, stuck on the shelf and forgotten. Very few companies have the detailed policies, plans and implementation procedures required. Assessing what can be used and identifying what’s missing can be one of the most cumbersome and time-consuming steps.
Step five: Apply the CMMC practices. Once a company knows what it’s protecting, who needs to access it, and how to protect it, the rest is easy. Right? Simply apply step four! Utilizing the CMMC Assessment Guide, ensure each objective for each practice is being met. Take this opportunity to fine-tune documentation and implementation, as well as gather proof (screen captures, links, directions to documents) in the SSP.
Step six: Conduct a gap analysis. Through the viewpoint of an assessor, go through the list of 130 practices, 99 processes, and 657 objectives again. It’s easy to say, “Oh yeah, we’re definitely doing that.” But a third-party assessor would say, “Prove it.” Ideally, the assessor should be someone from outside the company. If that’s not possible, ensure whoever leads the assessment takes a hard stance on acceptance criteria. Once again, the CMMC Assessment Guide should be closely followed.
Step seven: Conduct remediation. While walking through step six, annotate the SSP with practices that have not been met. Capture items that are absent, not being done, and/or things that can’t be proven. These items will be added to the plan of action and milestones and must be addressed before scheduling a C3PAO assessment. Assign each open item to someone along with a recommended course of action and a due date. Work through the plan of action until all unmet practices, processes and objectives have been met.
Step eight: Finalize SSP and documentation. This is the last step prior to bringing in the C3PAO. Use this time to finalize and organize documents, and brief management, administrators and users on what to expect during the assessment. A C3PAO won’t be adversarial, but they will ask tough questions and request proof. Establish a good mindset within the team to avoid a negative relationship. Nothing makes an assessor dig deeper than a belligerent or uninformed assessee.
Step nine: Conduct a C3PAO assessment. Prior to this step, identify and contract with a CMMC Accreditation Body-approved C3PAO. Finding and scheduling an assessment will depend on the number of C3PAOs certified by the Defense Department at the time, the contractual requirement for CMMC Level 3 certification, and good timing and luck. Until the CMMC ecosystem is fully mature, getting an assessment will be challenging. The C3PAO will have a process in place; follow it.
Step 10: User access. After receiving certification, allow users to access and use the system. If it’s a new system, create their accounts and grant them access. If it’s an existing system, give them the green light to begin processing CUI. If the company has been operating under a NIST SP 800-171 self-assessment, this step should already have been accomplished.
Step 11: Migrate CUI data. After the users have access, they can begin safely accessing CUI. It’s critical that CUI is only allowed into the system through approved conduits identified in the dataflow diagram and assessed by the C3PAO. It’s easy to fall into the trap of complacency thinking certification has been achieved and there’s nothing more to worry about. Maintaining an understanding of what CUI is being processed, where it’s coming from and how it’s being stored is critical to ensuring it stays within the identified safe boundaries of the certified system.
Step 12: Use and monitor the system. After certification, the work doesn’t end. New users must meet the screening and training requirements prior to being granted access to the system. Any changes to the environment must be reviewed through a change management process and security practices considered, developed, tested and applied. Major changes may require a re-certification by the assessor and C3PAO. Systems need to be patched in a timely manner and monitored for compromise. Finally, users must be continuously trained on safe use of the system and cybersecurity best practices.
These steps are not the only way to achieve certification. Every company’s journey will be different depending on the maturity and complexity of its systems. These steps provide a logical and methodical roadmap for small, resource-constrained companies to achieve certification. At the end of the day, it’s not about compliance; it’s about security. Compliance is only a mechanism to ensure thousands of companies are secure.
Rick Palermo, CISSP, CMMC-AB registered practitioner, is the executive vice president of operations at Ascolta. Prior to Ascolta, Palermo worked at Booz Allen Hamilton, and served 22 years in the Marine Corps. On his last tour, he was the military assistant to the Defense D