La primera versión, CMMC 1.0, nunca fue operativa. Era compleja, contenía requisitos de control de demasiadas fuentes autorizadas y carecía de control sobre la evaluación de terceros. Finalmente, después de más de 18 meses de indignación por parte de los contratistas, el Departamento de Defensa detuvo a CMMC y dio algunas pistas sobre lo que está por venir. El contralor del Departamento de Defensa estima que podrían pasar otros siete a 20 meses antes de que CMMC 2.0 se imponga. El objetivo debe ser gestionar el riesgo, no eliminarlo. Uno debe aceptar cierto nivel de riesgo cibernético para cosechar las recompensas de la tecnología.
During the Cold War, the Defense Department wanted a network that could reroute itself around areas where nuclear weapons had been destroyed or attacked by enemy spies, so they built one and called it ARPANET, or the Advanced Research Projects Agency Network.
Scientists at major universities joined in, using it as a collaboration tool. The ARPANET, now called the internet, has become a business enabler extraordinaire, a behemoth transactional system that holds together a global economy. Like all things that evolve, it has taken on a level of complexity that businesses — large and small — are ill-equipped to address.
With the military and colleges as its sole users, we did not build the internet with security in mind. We realized this after its value as a social and business enabler became apparent, resulting in the exponential growth and increased diversity of its user base.
Unfortunately, hackers began exploiting America’s first “killer app” for financial gain, disgruntled employees used it for revenge, and end-user neophytes made mistakes. The tech industry responded with vain attempts to repurpose an already mature and efficient architecture by retrofitting it with hardware like firewalls, and software such as encryption, antivirus and real-time monitoring tools. But these efforts weren’t enough to stem the tide of assaults on our privacy, finances and reputation.
The government had to do something to rein in the beast it had created. So it used its heavy hand to impose sweeping cybersecurity regulations and control standards on big banks, broker/dealers, health insurance carriers, and critical infrastructure. But then, numerous breaches occurred at lower levels of the supply chain, attacking the same information that the big companies were spending millions to protect.
Another example of government intervention is the Cybersecurity Maturity Model Certification (CMMC), which regulates government contractors who secure controlled unclassified information (CUI).
The first version, CMMC 1.0, never had a chance. It was complex, contained control requirements from too many authoritative sources, and lacked governance over third-party assessment pricing. So finally, after more than 18 months of contractor outrage, the Defense Department put a hold on CMMC and gave out a few clues on what’s to come.
Now, there is CMMC 2.0.
The Defense Department comptroller estimates that it could be another seven to 20 months before CMMC 2.0 is signed into law. So, what can be done while waiting?
The goal should be to manage risk, not eliminate it. One must accept some level of cyber risk to reap the rewards of technology. Start managing risk now. Jump-start the risk management journey by adopting 10 low-cost/high-impact cybersecurity technologies.
Eight of these tips are native to existing Microsoft or Google office automation systems, and the monthly cost of the remaining two is less than a nice dinner for two.
Each technology addresses one or more of the control requirements of NIST SP 800-171 and 172, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” the bellwether standard for CMMC Levels 2 and 3 compliance.
The first step in securing CUI is to know where it is. Nowadays, it can be stored in various locations: user workstations, on-site servers, one or more third-party clouds, file cabinets, smartphones, smartwatches, tablets and thumb drives, to name a few. Once you know where your CUI lives, ask yourself if it should be where it currently is.
Storing CUI on thumb drives and other intelligent devices is risky because end-users control these devices. They lose them and are otherwise woefully lax in securing them. NIST 3.1.19 requires robust encryption of CUI on mobile devices and mobile computing platforms, and section 3.8 expressly discourages storing it on employee-owned devices. If you must have CUI on paper, store it in locked, fire-resistant, tamper-proof filing cabinets.
Controlled unclassified information is best secured in third-party clouds operated by reputable cloud service providers like Amazon Web Services, Microsoft Cloud and Google Cloud. These providers undergo rigorous third-party audits against the System and Organization Controls 2, a comprehensive assessment framework put forth by the American Institute of Certified Public Accountants.
Step number two: store CUI in cloud-based “vaults.” Avoid storing sensitive data on hard drives. If sensitive data is featured in office documents, watermark them “Confidential” and store them in the cloud in a virtual lockbox like Microsoft Vault or Google Vault. These cloud-based tools can secure CUI in two-factor authenticated (2FA) secured, encrypted directories.
Tip three: monitor activities performed on directories that contain CUI. Most Level 2 and 3 CMMC entities store files in local or cloud drive directories, or folders.
Most computer operating systems have logging capabilities that can be configured to capture access to specific files and directories. For example, Microsoft 365’s “Basic Audit” solution provides auditing by users at the file, directory and webpage levels that can be configured to copy, delete, download, modify, rename and upload events on named files and directories for periodic review by management.
NIST section 3.3 “Audit and Accountability” provides detailed requirements for capturing and reviewing successful and failed CUI access events. Microsoft Basic Audit features and functions exceed these requirements.
Tip number four: purchase cyber liability insurance.
In addition to lessening the financial impact of data breaches, cyber liability policies provide victims of a breach with forensic data services performed by top-shelf forensic engineers. Forensic teams follow the NIST section 3.6 requirements for documenting, containing, analyzing, remediating and reporting cybersecurity events.
Tip five: use your local Windows Defender Firewall to secure your endpoints. Enable the Windows Firewall default settings on your computers. If using a third-party firewall, save some cash and get rid of it. Perimeter firewalls are overkill for most CMMC Levels 2 and 3 efforts. However, in concert with your existing antivirus software, Windows Firewall can thwart many internal and external attacks.
Number six: restrict access to CUI by requiring two-factor authentication. 2FA technology requires two authentication methods to access computing devices and applications. Method 1 is “something you know,” like a password. Method 2 is “something you — and not the bad guys — have,” like a randomly generated integer sent to your email or smartphone. It’s that second hurdle that prevents the bad guys from accessing applications, emails, workstations, tablets and smartphones.
2FA is far and away the most potent defense against email-based phishing attacks, which according to Deloitte account for 91 percent of all cyber attacks. No wonder over half of U.S.-based businesses use it, and an additional 37 percent plan to. 2FA is a core component of NIST, to include privileged IDs, section 3.5.3, and IDs performing remote maintenance — 3.7.5. Both Microsoft 365 and Google Apps include 2FA functionality as part of their office application, security management and device management products, which are easy to install and configure.
Tip seven: block access to web-based applications that process CUI and implement a password manager.
Password managers are secure, cloud-based user login credentials and form information repositories. They are single sign-on tools that pre-fill login prompts, choose complex passwords and provide easy access to credit cards from any computer, anywhere.
As a result, you will never have to write down or remember another set of IDs and passwords, passwords will become unguessable, and you alone will be granted access to your web-based applications.
In addition, password manager functionality exceeds a whopping 42 of the 110 NIST control requirements, including all of section 3.1, “Access Control Requirements.”
Eight: protect workstations by enabling full-disk encryption.
Microsoft BitLocker is a full disk encryption feature included with Windows Vista and higher. It encrypts an entire hard drive and external storage devices, rendering lost or stolen computers useless.
Tip nine: send secure emails by encrypting email attachments that contain CUI. Never attach clear-text CUI to an email. Instead, encrypt using a product like PKZip, WinZip, or native encryption features in office applications. Likewise, never store CUI in the body of an email.
And finally, tip number 10: protect your web traffic from prying eyes. Use a virtual private network. VPNs provide end-to-end encrypted internet connections, ensuring the safe transmission of sensitive data. They prevent intruders from eavesdropping on internet traffic, making it possible to extend a company’s network far beyond its four walls.
Many cybersecurity technology vendors offer plug-and-play VPNs at reasonable monthly costs. NIST 3.3.13 requires “cryptographic mechanisms to protect the confidentiality of remote access sessions.” It’s hard to believe that only 15 percent of Level 2 subcontractors use VPNs when working from home, especially within the context of a major pandemic. This means that 85 percent of businesses beholden to the CMMC would fail a third-party assessment solely for lack of a $60 NordVPN subscription.
So now what? We know the following, everything else is conjecture.
First, NIST SP 800-171 and 172 are the sole standards against which Level 2 and Level 3 contractors will be assessed.
Level 2 subcontractors that don’t handle information deemed “critical to national security” will have the option to perform a self-assessment.
The Defense Department will create the criteria for what products and services meet its definition of “critical to national security” and decide which contractors meet it, and allow “Plans of Action and Milestones” reports in some instances.
With these reports, contractors can pass an assessment even if they do not currently meet every security control required — provided their report correctly outlines a plan of action and deadlines. Findings deemed “critical” must be resolved within 180 days.
Prior to CMMC 2.0 being signed into law, what can be done while waiting?
It would be best to continue CMMC efforts. Remember that NIST SP 800-171 compliance remains in force. Like the IRS conducts random taxpayer audits, the Defense Industrial Base Cybersecurity Assessment Center could perform audits of select contractors.
Notably, a “subset” of Level 2 entities will require third-party assessments. The selection criteria that the department will set to determine which contractors fall into this vague category is not yet known.
Many who think they are exempt from rigorous third-party audits will put their compliance efforts on hold until the Defense Department releases details of CMMC 2.0 and find out they were wrong. These wishful thinkers will have to hustle to become certification-ready.
Keep in mind that even if the department exempts a company from these audits, customers may still require them. Whether or not it’s required, a third-party assessment will help to accelerate revenue and market growth to differentiate a business by providing customers with the assurance that it has the necessary controls in place.
Most importantly, protecting CUI should not be predicated upon the release of CMMC 2.0. It’s just the right thing to do for customers and country.
