CMMC 2.0: What Should You be Doing Now?
Speaker: Johann Dettweiler
Johann Dettweiler [0:01] Hello, thank you for joining today’s webinar, talking about CMMC 2.0.
Johann Dettweiler [0:07] This webinar is going to focus on the three things that you should be doing right now. Honestly, there’s tons of things that you should probably be doing right now, but these, in my opinion, are probably the most important or at least the top three things that should be considered.
Johann Dettweiler [0:25] My name is Johann Dettweiler, I am the Director of Operations with Cerberus Sentinel.
Johann Dettweiler [0:31] I have a lot of experience with government compliance, the FedRAMP program, the FISMA program, and I’ve also been reading up and studying the CMMC 2.0 program since its inception. So I hope I can give you some valuable information.
Johann Dettweiler [0:48] My number one consideration that I recommend every organization take a look at is scoping your boundary.
Johann Dettweiler [0:56] So it’s very important to understand that, while CMMC is an organizational certification, it’s a certification that focuses on an organizational system that’s defined in NIST SP 800-171, Revision 2, on page 10. You’ll see there’s a callout box that says what an organizational system is.
Johann Dettweiler [1:17] The important thing to understand is that, basically, it’s any component that has the ability to process, store, or transmit CUI.
Johann Dettweiler [1:28] It’s very important when you’re designing your boundary that you take into consideration only those components that are going to be interacting with CUI, and you want to explicitly exclude any components that are not going to have the ability to process CUI.
Johann Dettweiler [1:44] This refines your boundary, and it makes complying with CMMC 2.0 less resource intensive because you’re only applying the requirements of CMMC 2.0
Johann Dettweiler [1:57] in the areas where they’re specifically needed.
Johann Dettweiler [2:01] So you’re not working to, you know, secure hosts or implement encryption on hosts that are not going to ever touch CUI. You’re only doing it where it’s absolutely necessary.
Johann Dettweiler [2:16] It’s very important that this boundary be as small and as targeted as possible. You really want to focus on only those components that are going to process CUI.
Johann Dettweiler [2:28] Now, hand in hand with that is my second recommendation, which is that you have to understand the type of CUI data that’s going to be processed within your system.
Johann Dettweiler [2:38] There are some types of CUI data that have additional handling caveats, and additional security requirements, above and beyond what’s talked about in CMMC 2.0.
Johann Dettweiler [2:49] So, while you may be compliant with CMMC, you may not necessarily be meeting the requirements of the data that you process.
Johann Dettweiler [2:59] The DOD has a CUI registry that you can consult to understand what type of data you may be processing.
Johann Dettweiler [3:08] Also, each agency within the DOD tends to have their own rules and guidance that kind of outline any special handling caveats or any additional requirements that they may have.
Johann Dettweiler [3:25] Now this is really important to understand because certain types of CUI data have very explicit handling caveats.
Johann Dettweiler [3:32] Some of the best examples, of course, are ITAR or EAR data, where that type of data is only allowed to be processed, stored, or transmitted within the continental United States, and it’s only allowed to be accessed by US persons.
Johann Dettweiler [3:49] If you think about that, there’s a lot of organizations out there that use Microsoft Office 365.
Johann Dettweiler [3:56] Now, the commercial version of that is a global service, and that explicitly cannot meet the requirements of … or an EAR. It would not meet the special handling caveats.
Johann Dettweiler [4:08] It’s very important, going in, as you’re designing what your boundary and your network are going to look like,
Johann Dettweiler [4:16] that you understand that if you have data that has special handling caveats, you may actually be required to design the system to ensure that it remains in a certain location and is being accessed by the appropriate personnel. It’s very important that you understand that going in.
Johann Dettweiler [4:36] My last recommendation is that you select appropriate third-party services. So, if you’re going to utilize a third-party service to help you implement any of these CMMC 2.0
Johann Dettweiler [4:50] data requirements, it’s absolutely vital that you select service providers that can be compliant with CMMC 2.0 themselves.
Johann Dettweiler [5:00] Now, DOD and the Cyber AB have both said that FedRAMP Moderate or equivalent is acceptable to meet the compliance requirements of CMMC 2.0.
Johann Dettweiler [5:12] In addition, you could ask that the third-party vendor provide some sort of independent verification.
Johann Dettweiler [5:19] That an independent group has come in, reviewed their compliance, and has determined that they are, in fact, in line with CMMC 2.0.
Johann Dettweiler [5:29] So, there’s multiple ways to kind of go about it.
Johann Dettweiler [5:33] But it’s very important that you select a service that you know can be compliant.
Johann Dettweiler [5:39] In the future, as everyone starts to go through the CMMC 2.0 assessments, if your third-party provider goes through an assessment and is unable to achieve the level of certification needed, that means that your network and your system are no longer going to be compliant, because those services are part of your network; they’re part of your system.
Johann Dettweiler [6:04] And in order for you to implement the CMMC compliance appropriately, you need to make sure that your service providers are doing it as well.
Johann Dettweiler [6:12] So, there’s a big risk there in not knowing the compliance ability of your third-party service providers.
Johann Dettweiler [6:19] One of the places that you can go to that will kind of give you a leg up is the FedRAMP.gov marketplace.
Johann Dettweiler [6:27] That marketplace lists all of the currently FedRAMP Moderate or High authorized systems.
Johann Dettweiler [6:34] And so that will allow you to kind of shop, as it were, for potential third-party service providers.
Johann Dettweiler [6:42] So, those are my top three recommendations. Obviously, there’s so much more that we could go into. But those are three really, really key areas that need to be considered as you all start on your CMMC journey.
Johann Dettweiler [6:56] I want to thank you all for taking the time to join us today, and please join us for future webinars. We’ll break down and … a little bit more.