USA: CMMC as competitive advantage and five things you can do today
Historically, the United States Department of Defense ('DoD') and its allies have been very vigilant in protecting their classified information. Over the years, the DoD has been turning its attention to providing the same level of focus and rigour to unclassified but sensitive information held by its contractors and suppliers. In January 2020, the DoD released version 1.0 of the Cybersecurity Maturity Model Certification ('CMMC'), specifically targeted at improving the security posture of defense contractors and their subsidiaries. Prior to this, compliance was demonstrated through self-assessment. After numerous incidents and rising risk, the DoD decided it was time to enforce consistency through a carrot-and-stick model. Alex Sharpe, Principal at Sharpe Management Consulting LLC, who consults on cybersecurity, privacy, digital transformation, disruption, and other areas, draws on his experience to provide insight into the CMMC, its advantages for organisations, and the key steps businesses can take to prepare.
In principle, the CMMC is not all that different from other maturity models. The difference lies in the impact on your business. Solicitations are already being released that require bidders to be certified at a given level. The CMMC is not just a statement of your capabilities and risk but also a licence to play in the big game.
The CMMC has lots of teeth and you do not have a choice. Contractors and suppliers who do not achieve the required level will not be allowed to bid on or be awarded a contract. For most, this will be Level 3 (Good). For some, it may be Level 1 (Basic). For a very select few, it will be Level 5 (Advanced).
Small business heads up
Word has it the Small Business Administration ('SBA') will be using the CMMC as the basis for a non-defence maturity model. Small businesses are being targeted more frequently and are more likely to go out of business after being attacked. It is not a bad idea to have a professional help you with an assessment.
Many contractors and suppliers are waiting for the DoD to dot all of the i's and cross all of the t's before starting. This is a big mistake for three reasons:
- First mover advantage. Non-compliance prohibits your competition from bidding or being awarded a contract. Being compliant gives you an instant edge. Why not start now and take the win?
- You will fail and you will need to remediate. With very few exceptions, deficiencies will be found and you will need to remediate them. In my experience, it is safe to say remediation will take at least six months. Do you really want to put your business on hold or give your competition an edge for that long?
- Audits and assessments are hell. Unless you have been through something like this before and you are a machine, this is going to cause stress. It is estimated that around 300,000 contractors and vendors will need to be assessed. The overwhelming majority are privately held and have never been through a third-party audit or assessment before. Look around: the large firms are already preparing. Have you asked yourself why? Because they know what is coming. Why not learn from those who came before and stand on their shoulders?
Low cost things you can do today
The really good news is that the mechanics of audits and assessments are very predictable by design. Having been on both sides of the fence for security, privacy, IT, financial and compliance audits and assessments, along with their remediations, I can tell you the basic principles are predictable. And guess what: the most common headaches, and the reasons organisations fail, are also predictable. Nothing can prepare you for the shock of having an outsider give you the cybersecurity equivalent of a cavity check. We can help you prepare. Below is a list of the top five items auditors ask for, want and need but many organisations cannot produce.
The absolute best thing you can do, and the best investment you can make, is to have a trained third party perform a cybersecurity assessment using the National Institute of Standards and Technology's ('NIST') Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations [1].
Top five needed items
One of the first things the assessor will do is provide you a list of items for you to produce.
Hint: Ask for the list before they arrive. In my experience, the five items below are the most valuable things an organisation needs to be able to produce.
1. Asset inventory and network diagrams
Don't laugh. You would be surprised to learn how many organisations cannot produce a network diagram. Even in the worst case, your IT folks will have something, whether they admit it or not. Be sure it shows all internet connections and all connections to providers outside of the enterprise: cloud, SaaS, PaaS, IaaS, trading partners, vendors, etc. Most organisations have a pretty good map of what is inside the perimeter. Fewer than you would think have mapped out what lies outside. In this highly connected world, with more remote workers than ever, there is often more outside the walls than inside them.
Asset inventories also tend to be a problem. There are many tools and techniques for keeping track. Here is a hint that always works for me: ask your accounting department. Why? With few exceptions, everything you have is either owned or leased. If it is owned, there will be a record of the purchase and most likely a depreciation schedule. If it is leased, there will be a contract and a record of payments. Reconcile that register against what your scanner or endpoint agent actually sees on the network, in both directions: anything active in the ledger that never appears on the network is unmonitored or missing, and anything on the network with no ledger record is unmanaged.
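The accounting-ledger hint above, as an added worked example that is not part of the original article: a small script that reconciles a finance-department asset register against a list of devices discovered on the network and reports the gaps an assessor will ask about. Both CSV inputs are constructed sample data, and the column names (asset_tag, serial, status, hostname, last_seen) are assumptions; in practice you would export the register from your finance system and the device list from your scanner or endpoint agent.

```python
"""Reconcile an accounting fixed-asset register against network-discovered devices.

Added example, not from the article. The two CSV blocks are constructed
sample data with assumed column names; matching is done on serial number.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: what finance might export. "source" records whether the
# asset came from a purchase (depreciation schedule) or a lease (contract).
ACCOUNTING_REGISTER = """asset_tag,description,serial,source,status
A-1001,Dell Latitude 7420,SN-DL7420-001,purchase,active
A-1002,Dell Latitude 7420,sn-dl7420-002 ,purchase,active
A-1003,HP ProDesk 600,SN-HP600-003,lease,active
A-1004,Cisco C9300 switch,SN-C9300-004,purchase,active
A-1005,Old file server,SN-SRV-005,purchase,disposed
"""

# Constructed sample: what a network scanner or endpoint agent reported.
DISCOVERED_DEVICES = """hostname,ip,serial,last_seen
lt-alice,10.0.1.21,SN-DL7420-001,2024-05-01
lt-bob,10.0.1.22,SN-DL7420-002,2024-05-01
sw-core,10.0.0.2,SN-C9300-004,2024-05-01
nas-marketing,10.0.3.50,SN-UNKNOWN-77,2024-04-30
srv-legacy,10.0.2.10,SN-SRV-005,2024-05-01
"""


@dataclass(frozen=True)
class ReconciliationReport:
    matched: List[str]              # active in ledger and seen on the network
    unseen_on_network: List[str]    # active in ledger, never discovered (lost? unmonitored?)
    unknown_on_network: List[str]   # on the network with no ledger record (shadow IT)
    disposed_but_online: List[str]  # ledger says disposed, scanner still sees it


def _normalise_serial(serial: str) -> str:
    """Serials are typed by humans on both sides; compare case- and whitespace-insensitively."""
    return serial.strip().upper()


def _rows_by_serial(csv_text: str) -> Dict[str, dict]:
    """Index CSV rows by normalised serial, dropping rows with no serial at all."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {_normalise_serial(row["serial"]): row for row in reader if row.get("serial", "").strip()}


def reconcile(register_csv: str, discovered_csv: str) -> ReconciliationReport:
    """Set-difference the two inventories in both directions."""
    ledger = _rows_by_serial(register_csv)
    seen = _rows_by_serial(discovered_csv)
    active = {s for s, row in ledger.items() if row["status"].strip().lower() == "active"}
    disposed = set(ledger) - active
    return ReconciliationReport(
        matched=sorted(active & set(seen)),
        unseen_on_network=sorted(active - set(seen)),
        unknown_on_network=sorted(set(seen) - set(ledger)),
        disposed_but_online=sorted(disposed & set(seen)),
    )


def format_report(report: ReconciliationReport) -> str:
    """Render the gaps as the short list you would hand to an assessor."""
    lines = [f"matched: {len(report.matched)}"]
    for label, serials in (
        ("active in ledger but not seen on network", report.unseen_on_network),
        ("on network but not in ledger", report.unknown_on_network),
        ("disposed in ledger but still online", report.disposed_but_online),
    ):
        lines.append(f"{label}: {', '.join(serials) if serials else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(ACCOUNTING_REGISTER, DISCOVERED_DEVICES)))
```

Each of the three gap lists maps to a question the assessor will ask: where is the leased desktop that never touches the network, who owns the NAS nobody bought, and why is a server the books say was disposed of still answering on the wire. Running the reconciliation on a schedule, rather than once before the audit, is what turns the accounting records into a living inventory.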
2. Written policies and procedures
Straightforward, right? Well, firms often fall down in one of two ways. The most common is that they do not have an inventory of their policies and procedures. Typically, an assessor does not want to review every document. Rather, they will look to see what you have, review the key items in depth and randomly select others.
Do yourself a favour: pull a copy of NIST SP 800-171 and verify you have what is required. If you would like to dig a bit deeper, take a look at NIST SP 800-53 [2] and Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 [3].
Hint: One of the first things I ask for is a written Information Security Plan. The first thing I do is check the last time it was updated. Be sure yours is current.
3. Flow diagrams and process mapping
Knowing what assets you have and how they are connected is great. Knowing the sensitivity of the information, where it is stored and how it is shared is golden. If an assessor does not ask for it, they will love you for handing them one.
Many organisations will say this is not required to properly secure the enterprise. That might be true for small shops, but not for an enterprise of any size. There is a good chance the exercise of producing these diagrams and mapping these processes will make your business stronger and more secure.
Hint: The CMMC defines two types of sensitive data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Keeping this distinction in mind while mapping out your enterprise will help you in the long run.
4. List of technical controls, safeguards and owners
In the end, it is all about controls and who owns them. Make the investment to map out the controls, the safeguards and the owners. It will be a good self-check and will help the assessor move through your assessment easily, with minimal disruption to your business.
5. List of mitigations and remediations completed
There is a good chance you have been through some sort of assessment or audit, even if it was a self-assessment or a response to a data breach. Be prepared to show the results and your remediation.
Added bonus: a sixth item for good measure
Enterprises have become more and more reliant on third parties. Attackers know this, and breaches that come in through third parties are on the rise. Some have made national news. Be prepared to produce the due diligence performed on your third parties, including the contracts.
The CMMC is being done for all of the right reasons. In the end, it will make your business stronger and the world a safer place. Near term, jump on it early and turn it to your advantage. Get ahead of your competition.
Alex Sharpe Principal
Sharpe Management Consulting LLC
1. Available at: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
2. Available at: https://nvd.nist.gov/800-53
3. Available at: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm