CMMC 12 Step Program
Step 1. Admit You Have A Problem.
If you want to play with the big boys – or at least the Department of Defense (DoD) – you need to realize that there are going to be some rules and regulations that you will need to follow.
But you don’t want to do this? OK. Take your ball and go home. But… you can’t be a part of any DoD contract or subcontract that generates the trillions of dollars flowing to the Defense Industrial Base (DIB).
All done crying? Good, let’s get into it then.
Unless you have conducted an audit, or been assessed for compliance, you’re probably going to have some deficiencies in your security posture. But that’s OK! You realize you have a problem, and now we can fix it.
If you’re not aware of all the requirements, then you’re going to be in for a bit of a ‘surprise’. To make it easy for you, we are just going to talk about security and protecting Controlled Unclassified Information (CUI).
Step 2. Wait A Minute! What Is CUI?
Controlled Unclassified Information (CUI) is, according to the U.S. Government, “any information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.”
Note: The term CUI for our purposes is going to include Controlled Technical Information (CTI), Contractor Attributional/Proprietary Information, and Covered Defense Information (CDI).
Controlled Technical Information can be:
Research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, and related information, and computer software executable code and source code.
Contractor Attributional/Proprietary Information can be:
Information that identifies the contractor, whether directly or indirectly, by the grouping of information that can be traced back to the contractor (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
DFARS Policy 204.7302 mandates that Covered Defense Information be protected and monitored on the Contractor’s information system(s). Contractors are required to report any cyber incidents (actual or potential) within 72 hours to the Department of Defense.
Step 3. Find Out How Big The Problem Really Is.
Go get a copy of NIST Special Publication (SP) 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”. While you’re there, get a copy of SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
800-171 defines the security requirements (the controls). 800-171A is the companion document that establishes the assessment objectives for each of those controls, along with more granular information about how to test systems, evaluate compliance and determine whether each objective has been met.
Review these documents with your team, and if there are any items that you are not sure of, indicate that they need to be reviewed. As an example, you may have a password policy, but do you have a written password policy? Is that policy actively enforced?
There are 110 controls, but don’t let that scare you. Some of them cover similar ground, and some may not apply to your environment. Go through them as best you can.
If you have more than 50% of these items achieved, do not start to cry or polish up your resume! Seriously, you should be very proud of yourself. Many companies do not have 33%. And, now you have a handle on how big the problem is.
Step 4. Present The Situation And The Resolution To Management.
After your assessment, you are going to need to put together a plan to remediate the issues. This may include drafting new policies, purchasing new hardware or software, and it will require some new training of personnel. This is going to cost some money.
How much money? It depends on what you need to remediate.
Here’s where management needs to do the analysis. If the modifications and new products are going to cost $X, is that worth the investment to get $Y in revenue?
Luckily, there is some good news. CMMC does include language that states that contractors can be reimbursed for ‘allowable costs’ towards achieving CMMC compliance. Exactly what that is and how it is determined is still a bit vague. Many people believe that the “allowable costs” will be similar to those of other contracts, while some people think it needs to be more clearly defined. If your company is purchasing materials or equipment solely for the purpose of achieving compliance, one would think that those expenses would be reimbursable.
It is important to note that you can only be reimbursed IF you are awarded a contract.
Management should also consider that most of these controls are put in place as “good security practices” and should be implemented as a matter of good business. Not solely because now you can receive DoD contracts and make the money back.
Step 5. Assemble The Avengers (or your team of superheroes)!
OK, so management made the right decision, and tasked you and the team of superheroes to go make it happen. Now what?
First, let’s take a step back… Do you have experts on staff with compliance experience? Do you have team members with all the requisite knowledge and skills to make this happen? If the answer is “No” (which it probably is), get some outside help. Don’t feel inadequate or embarrassed. It is much better to do it right the first time than to do it wrong and then have to pay someone to come in and fix all the errors, which can cost you twice as much – not to mention the headaches and stress it saves you.
Then, when you have your team, develop a plan. Specifically, and clearly, assign responsibilities to each team member based on their skills. Make sure that everyone is on the same page. Assign personnel for each task and hold them accountable.
Step 6. Create The Plan.
After your initial assessment, and a review by external help if needed, list the specific items that need to be addressed. You will probably map your list to something similar to these categories:
- Policies and Procedures
- Hardware and Software
- Training and Education
Beware! It can get tricky as to how each item should be assigned. For example, you need a Multi-Factor Authentication solution? Would that be Hardware/Software since that is the basic part? Or would that be a policy that needs to be documented? Won’t users need to be trained on the system?
As a rule, communication will be key to achieving a successful plan. You can assign parts of an item to different groups, or you can assign a specific control to one group. Whatever way works best for your team is generally going to be the most successful. Understand that things will happen: perspectives change, personnel change, and other projects get in the way.
It is a good idea to meet regularly to ensure good communication, address changes, and see if others are having problems that can be solved as a group.
Step 7. Keep Everyone In The Loop.
You should also be communicating with management about the project, how things are going, and where appropriate, getting approval for expenditures. The more information management has, the better they will feel about their decision. Sometimes budgets are inaccurate, or prices change. Sometimes there are costs that were not originally considered. Things happen.
Step 8. Execute.
Go do it! Fix it! What are you waiting for? Sheesh…
Step 9. Review, Revise, Rescan, Monitor.
So you’ve completed the project. Kudos to all! Well now, hold on a moment…
Are all – as in ALL – of the deficiencies remediated? Has every policy been clearly defined and written or re-written? Did anyone go back and verify that all the items you were sure were good are, in fact, good?
OK, but did anything in your network or business change? New equipment gets added, and old equipment gets removed often. Did that have any effect on the assessment and your changes? At the very least your network diagram has changed. Time passes, things become obsolete, support ends, End Of Life happens. Did the person in charge of _____ get replaced, and never finished their assignment? Remember, things happen…
The reality is that any system is always going to be changing. As part of achieving compliance, the system(s) need to be monitored for these changes. Security is an ongoing process of protecting against the latest threats. New threats happen daily. Monitoring your systems is always going to be important.
Unfortunately, you are never done with compliance; it is a journey, not a destination.
Step 10. Keep Up To Date.
Staying up to date on the relevant compliance requirements is an important part of remaining in compliance. If you do not know the rules, you won’t know if they change. There are many online sources out there. Googling CMMC will generate a number of commercial businesses that offer advice and services.
Some of the best include:
http://www.reddit.com/r/NISTControls – Reddit Community
https://cooey.life – Discord Channel with a very active community
https://www.cmmc-coa.com – CMMC Center of Awesomeness (CoA) website for the DIB.
Step 11. Government Changes.
Originally, the CMMC was supposed to be fully in effect from June 30, 2020. That obviously did not happen. An Interim Rule was issued on September 29th; it is still open for comments and will probably change somewhat. The current regulation changed a number of things. As an example, the CMMC was supposed to classify organizations from Level 1 to Level 5, but the rule now uses the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) classification, which has three levels – Basic (self-assessment), Medium (DoD performs the assessment), and High (extensive DoD-performed assessment).
As mentioned a few times, things change, and the government has a reputation for delays and changes. Keep informed as to what the news is saying about CMMC and other regulations.
Step 12. Don’t Drink, Despair, or Drown.
This isn’t easy. Many practitioners spend years interpreting what the controls really ask for and formulating precise answers. Learning all the acronyms and applying them to your environment will make you pull your hair out.
The good news is that there are a lot of other people in similar situations and people are sharing their knowledge.
About RegDOX Solutions Inc.
RegDOX Solutions’ first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Controls (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019, when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology, enabling the efficiency and flexibility of a cloud solution to allow multiple users at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.