August 27, 2020
If you have already worked on your NIST SP 800-171 compliance, you should be well on your way to being ready for Cybersecurity Maturity Model Certification (CMMC) Level 3 certification. You will need these documents to complete where we are now: Step 4.
In case you need a quick reminder of what the POA&M includes, this is your prioritized list of security gaps you need to close if you want to get certified and be able to bid on future RFPs. All defense contractors need to achieve 100% adherence to the security controls to obtain your certification.
In our CMMC Best Practices Guide, we shared some of the most common security gap areas, whether you are a large or small business. Defense contractors can solve these security gaps with administrative and technical solutions.
Gap remediation: administrative solutions
Using an administrative solution for gap remediation means the gaps are addressed by documenting your internal policies, standards & procedures, and training all your staff. Examples of these types of solutions include:
- marking Controlled Unclassified Information (CUI)
- incident response
- Acceptable Use Policies and Rules of Behavior
- managing removable media and portable storage, such as USB flash drives
Gap remediation: technical solutions
Other security controls have a more technical solution that involves the configuration of security settings in the software and the addition of security capabilities in your IT environment. Examples of these types of controls include:
- multifactor authentication
- role-based access controls
- audit logging
- automated detection and alerting for unauthorized system access
There may be more than one way to remediate gaps. Take USB flash drives, for example. While you can have an administrative policy to prohibit the use of USB flash drives, a technical (and arguably more robust) solution would involve installing software that detects and blocks USB drives on company computers. Another technical solution would include the installation of monitoring software on all computers to log data transfer activity.
Cloud-based software vendors simplify CMMC certification and share responsibility
Many defense suppliers are looking to cloud-based software systems to get CMMC certified. If a supplier chooses to work with a cloud-based software vendor, many of these security controls become the responsibility of the vendor. In the typical software-as-a-service model, users do not have privileged access directly to application servers or databases, which greatly simplifies access management.
Cloud-based software vendors that are already FedRAMP-authorized or have a NIST SP 800-171 attestation will also have other technical controls implemented, such as the encryption of data-at-rest and data-in-transit using FIPS-validated cryptographic modules. They will already have selected an appropriate system design based on how their software is architected.
A comparison: what it looks like to manage encryption requirements on-premises vs. in the cloud
Adherence to encryption requirements is one area defense contractors need for CMMC compliance. Let’s look at how managing the decisions and work for this one area differs whether you choose to handle it on-premises or with a cloud-based solution.
There are several encryption requirements to consider with on-premises software deployment. Defense contractors can:
- Implement Full Disk Encryption on all your enterprise servers and end-user devices. This implementation will encrypt a database on the server as well as all files, including sensitive documents. Full disk encryption is compatible with all software but can impact the performance of your applications. Consider whether your hardware needs a refresh.
Quick Tip: BitLocker for Windows systems will support CMMC compliance, but make sure you are fully updated. Out-of-date versions may not encrypt the hard drive, depending on its firmware.
- Enable Transparent Data Encryption on your sensitive application databases. This feature is called “transparent” because software accessing the database does not require any modification to continue operating. This may also have a performance impact on your application, and you should check whether you database license includes this feature.
Quick Tip: If you are using automated methods to replicate your database for backup purposes, your backup may not be automatically encrypted. Consider encrypting the backup database or store the backup on a server with Full Disk Encryption.
- Encrypt data before storing it in the database. This requires your software vendor to build this feature into the application. Since this is generally out of your control for commercial software, the other options for data encryption are your best bet.
- Encrypt individual sensitive files. Tools exist that can encrypt a “file vault” on your otherwise unencrypted drive. This would require users to individually identify the files that need encrypting and the internal policies and procedures to document this.
Depending on which option you choose, note that this affects where the ITAR and CUI boundary is within your IT environment.
What encryption requirements do defense contractors need to address or consider if they work with a cloud vendor?
- None. One of the benefits of a cloud solution is that the cloud software vendor has already addressed all these decisions for you.
Criteria for choosing a CMMC-compliant cloud software vendor
If you decide that working with a cloud software vendor is the route for your organization, here is a list of critical criteria to use when evaluating the vendor’s ability to help you quickly achieve CMMC compliance. If the cloud vendor can’t meet all these requirements, keep looking.
- Identify a vendor that has independent third-party security authorizations, which ensures that the security controls selected and implemented are appropriate for how they’ve designed their cloud-based software. Trust, but verify!
- Look for other operational security capabilities that could be included in your service subscription license and take these into account when evaluating options and comparing the total cost of ownership.
Quick Tip: Look for cloud software vendors that automate their cloud operations using “infrastructure as code” to provision services and accounts. This kind of automation minimizes the possibility of manual errors that could result in security breaches due to misconfiguration. Cloud vendors that have multi-tenant solutions are most likely to have this kind of automation in place.
- Choose a cloud vendor that requires all customers to have multifactor authentication (MFA). While many offer MFA as an option, credential abuse is one of the most common types of cyberattacks. In a multi-tenant environment, a single customer with weaker security could place the entire environment at risk. If you don’t already use MFA, check with cloud vendors to see which single sign-on and MFA options they support to get a shortlist to consider.
Quick Tip: For on-premises systems, where should you put MFA? You will need it at the point just before access to CUI is possible. If no CUI is kept on the local computer, then a software-only MFA solution for access to sensitive data in cloud applications is enough. Otherwise, you will need MFA for logging on to the computer itself, such as a smart card or other hardware-based solution.
- They provide security incident and event management (SIEM) capabilities. One of the most important CMMC requirements that appears starting at Level 3 is maintaining a SIEM system that collects all audit logs in one place for data correlation and analysis. SIEM is not required by NIST SP 800-171, so this is one of the significant areas of additional investment you will need.
What are SIEM audit logs?
All of your IT assets generate SIEM audit logs, including your network equipment such as firewalls and load balancers. In fact, your network equipment generates the most data that would be captured by a SIEM tool, which are usually priced based on the volume of data. Simply moving your most “chatty” applications to a cloud vendor that includes SIEM as part of their service could significantly reduce the cost of monitoring your remaining on-premises IT, particularly if you have multiple sites.
Remember, CMMC Level 3 only covers systems that store, process, or transmit CUI. If you need to, go back to Step 1 and re-evaluate your IT systems and business processes to re-define your system boundaries and minimize the scope for SIEM and CMMC assessment.
Get the help you need to become CMMC compliant
This fourth step is not for the faint of heart. The gap remediation required at this stage requires a lot of painstaking, detailed work to fix all the identified problems. Unfortunately, documenting the problems or getting fixes started aren’t enough to maintain your eligibility to bid on new contracts. Defense contractors must fix all problems before they can achieve CMMC.
If you have limited cybersecurity expertise in-house, moving to the cloud as part of your CMMC approach could be the fastest and most painless strategy. Look closely at the responsibilities that transfer to the cloud software vendor, and make sure any cloud software vendor you consider has independent, third-party attestations like FedRAMP or NIST SP 800-171.
While it doesn’t eliminate your CMMC requirements such as MFA, encryption, or SIEM, moving CUI to the cloud can significantly reduce both the effort and cost of getting and staying compliant. And, when you choose to work with a cloud software vendor, you have a partner to help navigate the compliance journey and share responsibility for maintaining compliance in the future.