Last Updated on April 4, 2022
Events of the past two years have been a bit of a whirlwind for firms in the US defense industrial base (DIB). First CMMC 1.0, now CMMC 2.0, the interim rule, three new DFARS clauses… Many SMBs in the DIB find themselves struggling to get their bearings around security and compliance.
To cut through the confusion, we asked CMMC experts Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, to join a recent episode of The Virtual CISO Podcast. The show is hosted as always by Pivot Point Security’s CISO and Managing Partner, John Verry.
Kyle’s LinkedIn Poll
To clarify the major roadblocks that DIB orgs see on the path to CMMC 2.0 compliance, Kyle ran an informal poll on LinkedIn. The results aligned closely with John and Caleb are seeing in their day-to-day work with clients.
By all accounts, the 3 top challenges with CMMC 2.0 right now are:
- Scoping, by a wide margin. Interestingly, the new CMMC 2.0 “scoping guide” seems to be causing more confusion than it is alleviating.
- CUI marking and asset management, which are completely intertwined with scoping.
- Getting management buy-in to make CMMC investments. This issue says a lot about the current state of cyber compliance across the DIB even after 4-plus years with the DFARS 7012 contract clause mandating self-attested compliance with NIST 800-171.
Scoping, CUI marking and asset management—you can’t have one without the others
Scoping is the first activity that you need to get through on the path to CMMC/NIST 800-171 compliance. Scoping is also inextricably connected to CUI marking and asset management. Without CUI marking you can’t know your scope, and you can’t identify the CMMC relevant assets you need to manage.
Of course, none of that is going anywhere fast if senior leaders are balking at providing the necessary resources. (More on that in another blog post.)
“How I see it is that if you don’t have good asset management and you don’t know your CMMC scope, you need to look at your contract and see what information is actually considered in scope,” observes Kyle. “If you haven’t done CUI marking, you have to find out how to define the information that is going to be in scope as CUI. Understand that first, and then make sure you have the proper asset management.”
The recommended approach is to start by identifying all your assets. Then decide which ones are in scope versus out of scope for handling CUI. Then at least you’ll know what assets you need to protect.
4 types of in-scope assets
In an effort to make scoping easier, the CMMC 2.0 scoping guide calls out four types of assets that can be part of your CMMC scope:
- CUI assets, which are the assets that directly process, store and/or transmit CUI.
- Security protection assets, which are the hardware, software, etc. used to protect the CUI, such as a firewall or endpoint protection solution. MSPs, MSSPs and other security vendors and their cloud-based or on-premises services are also considered security protected assets.
- Contractor risk managed assets, which are the assets (e.g., policies that prevent sharing CUI) you use to mitigate the risk associated with sharing CUI with third parties.
- Specialized assets, such as government furnished equipment (GFE), sensors and other IoT devices, and operational technology (OT) like test equipment, CNC machines, PLC systems, etc. that can create and/or handle CUI.
These types of assets have been in scope all along for CMMC and NIST 800-171 compliance. The problem is that many SMBs in the DIB still don’t have a handle on what assets they have, what CUI they have and how the CUI flows through the various assets. These are preliminary steps to compliance with DoD cyber standards and prerequisites for participating in DoD contracts.
To listen to this special CMMC 2.0 podcast with Caleb Leidy and Kyle Lai, Click here.
Wondering where to start with CMMC 2.0 compliance? Here is a post on that topic: CMMC 2.0 Compliance—Here’s What to Focus on Now