Part 1: Laying the Groundwork for Achieving Certification
In June of this year, my colleague Tom Taylor wrote about the DoD’s announcement that it would institute the Cybersecurity Maturity Model Certification (CMMC) and elaborated on the fact that, with the CMMC, the DoD appears to be addressing our customers’ core compliance pain points:
- Varying standards – It’s not always easy to read and/or interpret the DFARS standards. Under the CMMC, there will be ONE unified DoD cybersecurity standard that combines NIST SP 800-171, NIST SP 800-53, AIA NAS 9933, FIPS and others. In other words: one standard, one maturity model.
- Varying levels of security – CMMC requirements will not be “all or nothing.” There will be a range of CMMC levels, and RFPs will state which level the DoD requires for each contract.
- Affordability – Security will now be an allowable cost on DoD contracts.
- Supply chain verification – CMMC third-party certifiers will have the tools to conduct audits and collect metrics and risk management information for the entire supply chain.
Since the announcement in May, the DoD has kicked off a “listening tour” to solicit feedback from the Defense Industrial Base sector, according to the CMMC website. As the questions and comments roll in, the federal team at Tripwire will be publishing a three-part blog series to address our customers’ concerns and offer guidance on how to prepare between now and the time that companies start to see CMMC requirements in Requests for Information (January 2020). In part one of this series, I want to address what will likely be the first step of the CMMC process for any organization: its security level rating. According to the DoD:
Your company will specify [to an independent third-party commercial certification organization] the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
The first question we ask our DoD contractor customers regarding their security level rating is this: Do you have visibility into how well you are doing right now? Can you determine your current state, specifically how well you are doing from a cyber hygiene perspective?

If the answer is “no,” or if you are unsure how much visibility you currently have, you first need to identify and document the systems that will be in scope and then map how CUI flows through your environment so that you know where that data is stored. Establishing visibility of these systems is the first step in laying the groundwork for achieving the CMMC. From there, we advise the following:
- Deploy a solution that can evaluate those systems against the policies the CMMC will be derived from (e.g. NIST SP 800-171, ISO 27001, etc.). Look to vendors with a history of supporting new and updated policies.
- Ensure that your tracking is sufficient to provide consumable data to a third-party assessor. If you don’t already have one, find a solution that provides audit-ready reports.
- Reduce, as much as possible, the scope of the environment that must remain in compliance.

Those who have concerns about obtaining the CMMC should review the listening tour webinars and/or attend a live gathering. The CMMC FAQ website is also a good source of clarification. Learn more about how Tripwire helps secure government agencies against cyberattacks and meet evolving compliance requirements here.