The Cybersecurity Maturity Model Certification (CMMC) standard describes the controls that the US Department of Defense (DoD) mandates to safeguard Controlled Unclassified Information (CUI) when it moves from government information systems to third-party systems, particularly those of the DoD’s prime contractors and their subcontractors in the defense industrial base (DIB).
The CMMC categorizes its 171 controls (which it calls practices) into 17 control domains. To provide further structure, it also associates each practice with one of 43 capabilities. Each practice comes into play at one of the CMMC’s five maturity levels, and applies at that level and all the higher levels.
The CMMC Security Assessment (CA) domain practices direct DIB companies to assess their current information security programs and develop a system security plan (SSP) to drive the implementation and improvement of “defined security requirements” (controls). At higher maturity levels, it further dictates that DoD suppliers systematically assess their existing security postures so they can continuously improve and stay ahead of evolving threats.
What are the CMMC Security Assessment Domain Practices?
The Security Assessment domain includes eight practices: three at CMMC Level 2, two at Level 3, and three at Level 4. This domain also defines three capabilities:
- Develop and manage a system security plan
- Define and manage controls
- Perform code reviews
The three Security Assessment practices at CMMC Level 2 form the foundation of any cybersecurity program. They require you to holistically plan, assess and update your controls:
- 2.157 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
This practice directs you to create a system security plan (SSP). Your SSP relates your firm’s security requirements to a set of security controls. Your SSP also provides a high-level description of how those controls are intended to meet the requirements. It should further describe roles and responsibilities of security staff, and references related policies and procedures. In its discussion of this control, the CMMC explains unambiguously what your SSP should look like.
- 2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
This control requires you to keep your SSP “alive” and enables you to avoid a “one-and-done” mentality. Your threat landscape and your internal environment both change continuously; therefore, you need to reassess your cyber controls on a regular basis, in alignment with your needs for keeping CUI secure and also any overlapping regulations you must comply with.
- 2.159 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Unlike the current DFARS 7012/NIST 800-171 regime, the CMMC program does not permit Plans of Action (POA’s) as part of the certification process. All the controls defined at the maturity level a contract specifies must be operating to achieve certification and remain eligible for contract award. However, you can still use plans of action internally to help you move your security posture forward. This practice mandates that you create clear plans of action but this is an interesting one; there is no mandated format for POAs. All that “must” be documented in POAs are the deficiency, the planned mitigation (action), and the planned date of completion.
The two Security Assessment practices at CMMC Level 3 extend the basics of security planning to include monitoring of controls and security testing of internally developed software:
- 3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Based on this practice, assessors will expect you to provide a plan for monitoring and assessing your security controls on a more frequent basis than CA.2.158 requires. Your plan should create a means for assessing your company’s overall security posture to both maintain awareness of evolving vulnerabilities and to keep senior management informed about your security program’s performance. Both these outcomes are key to managing your risk.
- 3.162 Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.
This practice requires you to ensure software you develop and use internally that presents cyber risk is assessed/tested to identify and mitigate security vulnerabilities and defects. This could involve both automated tools and manual source code review.
The three Security Assessment practices at CMMC Level 4 are about ensuring a truly mature information security posture and “security culture” that can withstand Advanced Persistent Threats (APTs):
- 4.163 Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement.
As part of maturing your security posture to deal with APTs, you should maintain a security roadmap to support continuous improvement. The roadmap should complement your SSP by including priority, cost/budget and implementation timeframes for short-, medium- and long-term goals in relation to risks, adversary tactics and/or industry/government projections regarding the threat landscape.
- 4.164 Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
This practice requires you to perform regular penetration testing on covered systems and/or system components (networks, operating environments, applications, etc.) to identify vulnerabilities. The testing needs to go beyond automated scans to include expert testers and simulated attacks. Findings should be factored into the security strategy per CA.4.163.
- 4.227 Periodically perform red teaming against organizational assets in order to validate defensive capabilities.
Red teaming is a simulated, advanced attack on your security controls by human experts, the purpose of which is to exercise and validate your defensive capabilities (network segmentation, firewalls, email controls, monitoring, etc.) While some companies may be able to field a red team with internal resources, many DIB firms will need to use third-party testers to put together a red team.
What is needed to comply with the CMMC Security Assessment Domain controls?
The Security Assessment domain practices focus on evaluating, testing and improving your security posture. It starts with your SSP and includes significant testing of systems and applications, which may require leveraging third-party expertise. Reporting to management and supporting ongoing risk assessment are also key.
For many SMBs in the DIB that don’t currently have formal security programs, all this will be new. Especially if you need to achieve Level 3 or Level 4, you may need to invest significant time to create component/services inventories and to develop data flow diagrams to support vulnerability assessments, determine how to segregate networks, and so on. You may also need new software tools to support your new Security Assessment process.
Your security posture will be a direct reflection of your Security Assessment capability. While it may be tempting to build an SSP from a template or otherwise “phone it in” so you can check the box, this will hinder your CMMC certification effort. As a Registered Provider Organization (RPO) for DIB orgs seeking CMMC certification and/or NIST 800-171 compliance, Pivot Point Security specializes in helping SMBs assess their cyber security and compliance risk and plan the best approach to achieve their goals. Contact us to discuss how we can help your business negotiate its unique DoD cyber compliance path.