By: Johann Dettweiler, Director of Operations at Cerberus Sentinel
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a compliance requirement that all Department of Defense (DoD) contractors (collectively, the Defense Industrial Base, or DIB) will soon have to meet. It is expected to appear in DoD contracts, requests for proposals (RFPs), and requests for information (RFIs) as early as spring 2023, with full implementation by fiscal year 2026.
CMMC 2.0, which is built on National Institute of Standards and Technology Special Publication (NIST SP) 800-171, consists of three certification levels that reflect the maturity and resilience of a contractor's cybersecurity program:
- Level 1 requires 17 fundamental cybersecurity practices (the basic safeguarding requirements of FAR 52.204-21) for a minimum level of protection of Federal Contract Information (FCI).
- Level 2 requires all 110 practices of NIST SP 800-171 for DoD contractors that handle Controlled Unclassified Information (CUI).
- Level 3 builds on CMMC Level 2 and adds practices from NIST SP 800-172, with stricter and more advanced requirements for safeguarding CUI, mitigating risks from advanced persistent threats, and creating and maintaining a CMMC implementation plan.
As we near spring 2023, I suggest your organization do these three things now to be ready.
First, you must scope your boundary appropriately.
I cannot stress too strongly how important this is. Your boundary must be scoped in accordance with the DoD Level 2 scoping guidance: https://www.acq.osd.mil/cmmc/docs/Scope_Level2_V2.0_FINAL_20211202_508.pdf.
It is important to understand that your organization should not target its entire network for CMMC compliance. You need to evaluate your networks; determine where CUI is processed, stored, and/or transmitted; and draw a boundary only around the components that touch CUI. All other hosts and services can and should be explicitly left out of the boundary, and the boundary should be documented so an assessor can see why each asset is in or out.
Your boundary should be drawn as small as possible, in accordance with DoD guidance, so you don’t expend unnecessary resources on protecting assets that do not touch CUI data. Narrowing the CMMC 2.0 boundary, as appropriate, also makes the environment more focused and easier to manage from a governance standpoint.
If you have development and/or test environments, include them in the boundary only if they directly process, store, and/or transmit CUI. Keeping them out avoids unnecessary expenditure and preserves the flexibility and agility these environments often need; it also means CUI (including production data copied for testing) must never be allowed into them.
Second, you must understand the type of CUI data that your organization processes, stores, and/or transmits.
The type of CUI your organization processes, stores, and/or transmits determines which resources may be allowed access to it and specifies any handling caveats (e.g., the data must remain in the CONUS (Continental U.S.), or only U.S. citizens may access the data).
Your organization can determine its CUI types in the CUI Registry, a government-wide online repository (https://www.archives.gov/cui) for federal-level guidance regarding CUI policy and practice. You can—and should—also consult your agency’s CUI policies for any additional or differing requirements and/or handling caveats that may exist.
The process of defining what type of CUI your organization handles goes hand in hand with defining your system boundary, as it governs which assets and resources will be allowed to process, store, or transmit CUI. For example, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data carry restrictions requiring that the data remain in CONUS and be accessed only by approved personnel. This limits the platforms on which such data can be hosted. Microsoft 365 commercial (one of the more common cloud applications) is a global service and does not meet these requirements, so this type of CUI cannot touch Microsoft 365 commercial products/services in any way.
Because of the special handling caveats attached to some CUI, it is critical that your organization understand the requirements before expending resources to build out your CMMC-compliant environment. These caveats also determine which personnel can be authorized to access CUI.
Third, your organization must select appropriate and responsible third-party services.
Both the DoD and the Cyber AB (formerly the CMMC Accreditation Body) have explained that any third-party services used to provide security services within an organization's CMMC boundary should be FedRAMP Moderate equivalent or above, or be able to demonstrate compliance with CMMC 2.0.
Because CMMC is undergoing a slow roll-out, many third-party service providers will likely not undergo CMMC compliance assessments for a few years. This leaves many organizations seeking services unclear as to whether a given provider can meet the CMMC compliance requirements. For that reason, the FedRAMP.gov Marketplace should serve as the baseline when selecting third-party services. Selecting a provider that cannot demonstrate CMMC or FedRAMP compliance will raise red flags for your organization and will very likely result in CMMC non-compliance.
When selecting services, organizations should evaluate whether an on-premises deployment or a cloud deployment is more appropriate. Generally, managing services within the system boundary is easier and more secure than using cloud services, because the organization retains full control over the configuration and the evidence. Organizations should use cloud services only when they understand their own compliance and customer requirements and have confirmed the provider can meet them.
Moreover, organizations should be wary of any third-party services that promise "compliance in a box." I have found many third-party service providers use that type of marketing language to attract potential customers. Those solutions, however, are typically designed by service-oriented vendors that lack the compliance experience and expertise to truly help their customers become CMMC compliant. If an organization is interested in such services, it should make sure the provider has a record of past performance and documented expertise, together with a concise and understandable Customer Responsibility Matrix that spells out which requirements the provider covers and which remain the customer's responsibility once the service is implemented.
Cerberus Sentinel is a CMMC-AB Licensed Training Provider (LTP). We have certified instructors who can train those seeking Certified CMMC Professional and/or Certified CMMC Assessor certifications. Cerberus is in the process of becoming a C3PAO (CMMC Third-Party Assessment Organization) to provide assessments to Organizations Seeking Certification (OSCs).