Last Updated on August 10, 2021
Cybersecurity Maturity Model Certification (CMMC) assessments are getting underway, and the DIBCAC’s assessments of NIST 800-171 compliance are ongoing. Thousands of SMBs in the US defense industrial base (DIB) will need to survive one or both of these audits in the months to come.
If your business is among them, you need to be doing all you can right now to prepare for success. There’s too much at stake to leave anything to the last minute.
To share best-practice steps to make sure you’re confident and ready for a CMMC and/or NIST 800-171 assessment, we asked two of our top consultants to team up on The Virtual CISO Podcast: George Perezdiaz, CMMC/NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
Step One: Get an objective self-assessment
“For a NIST 800-171 DIBCAC assessment you have to account for the NIST 800-171 objectives,” George advises. “If you have not done your self-assessment and had a fresh set of eyes come in and look at what you have implemented, deployed and maintained for the last three-plus years, then you’ll be going blind into your assessment. Likewise, for CMMC you have to definitely account for your control owners and your assessment guide objectives, including that institutional knowledge of the practices, policies and supporting processes and procedures.”
Step Two: Thoroughly understand each requirement’s intent
Caleb, a former DIBCAC assessor, adds: “One big thing that we saw a lot with the DIBCAC is [a lack of] understanding of the requirements. Get those requirements out, read through each one and make sure that you understand the intent behind each and every requirement. We came across a lot of folks who [we knew] didn’t have things implemented just based on the fact that they were asking us during the assessment phase, ‘What does this mean?’ So, get that understanding upfront.”
Step Three: Make sure you have great documentation
Caleb continues: “Another key for actually going through your assessment, and even running a good program day-to-day, is documentation. Having everything thoroughly and accurately documented based on what you do or what you want to do. And make sure your settings, your configurations and your implementation of those controls match up to that, and vice versa—that everything that you have implemented has some sort of backing documentation behind it. That makes it a lot easier from an assessment perspective.”
Step Four: Optimize the scope of your CUI enclave
“For me, it all starts with scope—any security engagement does,” John observes. “In this particular case, you must understand most importantly the flow of both CUI and FCI, depending upon which of the two that you have. You also need to understand whether or not [you] have requirements above and beyond CMMC Level 3 that [you might not be] aware of. Things like NOFORN or ITAR data. To use a stupid analogy, if you don’t have the ladder against the right wall before you climb it, you’re not going to be happy when you get to the top.”
“It all starts with making sure that you got that right, and I think the best way to do that is to get that front section of the System Security Plan (SSP) nailed down and make sure you’re super comfortable with it,” adds John. “Make sure that you’ve got the idea of [a CUI] enclave established well. And then not even accepting the fact that this is our current enclave. Because many organizations have broader access and broader use of data than they probably need to. And that’s going to increase their cost on a go-forward basis and the complexity of operating the environment. … Think through, this is the way we do it now, but is there a way we can do it a little bit better that’s going to reduce the scope of the CUI enclave?”
Step Five: Make absolutely sure you know exactly what CUI you have
“Agreed,” Caleb replies. “Understanding the data… That’s the other huge question. Even from a consultant perspective now, and doing assessments with the DIBCAC, [organizations often ask], ‘Can you help us identify what our CUI is?’ We know the DoD has had a rough history in identifying CUI in contracts. And that’s flowed down through other contracts, subcontracts and suppliers… We recently had someone who we were on a call with say, ‘I know we don’t have CUI, because I’ve personally never seen a paper come through that was marked CUI.’ So, getting that understanding of what that is, digging into that NARA registry and understanding what data you have and how you use it is a huge deal.”
Unfortunately, CUI doesn’t come “pre-marked.” It’s up to you to study the government’s guidance on defining, categorizing, and marking CUI, in relation to your data. There’s no way you’ll pass a CMMC or NIST 800-171 assessment if you haven’t identified your CUI.
“It’s all about that traceability [of CUI],” concurs George. “What I often reference is FIPS 199, [the federal standard for] the classification and categorization of your information and your information systems. That essentially is where I recommend you start so that you can see where the data’s coming in, what data’s coming in and what level of protection you have to have around that data. So that’s how I like to start with the scope [of CUI].”
“And to Caleb’s point, the government [often] puts a blanket purchase statement [into contracts] that throws just about every DFARS and FAR regulatory requirement in there,” George recommends. “It’s the organization’s due diligence and responsibility to challenge those things if they know that that product is not specific to the DoD—that it’s commercial off-the-shelf. By all means, challenge it. That requirement can become rather expensive if you do not have CUI or just government protected data in general.”
Want to make sure your SMB has every possible trump card in hand going into its CMMC or NIST 800-171 assessment? Be sure to catch this podcast episode with assessment experts Caleb Leidy and George Perezdiaz.