Hasten CMMC Compliance Through Zero-Trust
It’s hard to have a conversation about cybersecurity these days without hearing about “zero trust,” a cybersecurity design philosophy that, although conceptualized over a decade ago, has reemerged as contemporary wisdom among security practitioners in both government and industry.
Zero trust has risen to prominence in the post-COVID world in part because, as a security engineering paradigm, it addresses the reality that corporate resources have moved to the cloud and users access them from anywhere, whether that’s at the office, home, or Starbucks.
For defense contractors preparing for the Cybersecurity Maturity Model Certification (CMMC) — many of them facing an uphill battle after chronic underinvestment in IT and security — zero-trust concepts may hold the key to fast-tracking the implementation of technical requirements for protecting controlled unclassified information (CUI).
Leveraging a zero-trust strategy in the cloud can help contractors scope out technical debt, modernize IT infrastructure and accelerate compliance timelines.
But even as federal agencies rush to adopt a zero-trust architecture, as directed by President Joe Biden’s “Executive Order on Improving the Nation’s Cybersecurity,” industry faces a potential hurdle in following suit: the cybersecurity rules may already be out of step with contemporary best practices.
In contrast to the adage “trust but verify,” a core concept of the zero-trust model is to never trust, always verify. John Kindervag, who coined the term “zero trust” in a 2010 paper, often states that “trust is a vulnerability that can be exploited.” Without zero trust, an adversary who gains access to a trusted account or device is free to move around a network unchallenged.
Zero trust moves cybersecurity defenses away from network-based security perimeters — characterized by firewalls, VPNs and intrusion detection systems — to user identities, devices and individual resources. Instead of broadly granting access within the protected boundary of a corporate network, zero-trust seeks to verify — authenticate, authorize and encrypt — every access request. In this way, a user’s identity becomes the new security perimeter.
Trying to log in with the correct password but from an unusual location? Prompt for multi-factor authentication. Logging in from outside the United States and your device is failing compliance checks? Block the connection and alert an administrator.
Continuous, automated verification of identity can minimize the impact of a breach. In fact, a key design principle of zero-trust architecture is to assume the network has already been breached by an adversary. This mindset, all too reasonable in today’s threat landscape, should prompt organizations to focus on security engineering concepts such as least privilege. For example, users only have the minimum permissions needed, and only at the time they need them. Or “least functionality” — systems are configured to explicitly block unnecessary applications, ports and protocols — or “defense in depth” where defenses are layered so there is no single point of failure.
The National Institute of Standards and Technology’s Special Publication 800-207, “Zero Trust Architecture,” affirms these principles, stating that the complexity of modern IT operations “has outstripped legacy methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise.”
Traditional perimeter-based security is now an unacceptable security posture for most modern organizations, including the federal government, its military and supply chains. Biden’s recent executive order directs all federal agencies to develop a plan for implementing a zero-trust architecture, and many agencies already had efforts underway. In May 2021, the Defense Information Systems Agency released the DoD Zero Trust Reference Architecture, a collaboration with the National Security Agency and U.S. Cyber Command. In its revised strategic plan for fiscal year 2022, DISA declares zero-trust architecture as the cornerstone of its strategic focus on cyber defense.
Air Force Chief Information Officer Lauren Barrett Knausenberger has articulated a vision “for the future to be completely zero trust.” The
Air Force is developing a maturity model to align its information systems with zero-trust principles.
And, in the wake of the SolarWinds attack, the Department of Homeland Security launched a Zero Trust Action Group to develop “reusable security architectures, policy guides … and reference implementations with a two-year plan to deploy zero trust department-wide.”
The writing is on the wall, or rather, in Executive Order 14028, for federal agencies. To “keep pace with today’s dynamic and increasingly sophisticated cyber threat environment,” agencies must accelerate adoption of zero-trust architectures and secure cloud services.
In a February report titled, “Embracing a Zero Trust Security Model,” the NSA “strongly recommends that a zero-trust security model be considered for … defense industrial base critical networks and systems.”
NIST SP 800-207 notes that “greenfield” zero-trust architecture, which is building it from the ground up, is likely not an option for federal agencies. It may be, however, the best option for the hundreds of thousands of subcontractors, suppliers and small businesses in the defense industrial base now preparing for CMMC.
In his epic unraveling of the federal rulemaking processes and assumptions leading up to CMMC, “A Banquet of Consequences: The Story of CUI, DFARS, and CMMC,” Jacob Horne, managing partner at DEFCERT, illustrated the gap between what the federal government assumed industry was doing to protect its networks versus the reality on the ground, where technical and organizational debt — deferred costs and efforts — has piled up within industry for decades. The contractors’ self-attestation of compliance with DFARS 252.204-7012 did virtually nothing to abate this.
“Organizational debt accumulates as it is never the top priority, until it’s suddenly the only priority,” Horne wrote. Confronted with CMMC and its process maturity requirements, many contractors are being forced to come to terms with years of underinvestment in the people, processes and technology needed to effectively manage cybersecurity. Although he is quick to caution against reliance on technology, the majority of CMMC practices are non-technical in nature. Horne sees zero-trust architecture as an opportunity to scope out technical debt: “For organizations that have kicked the can down the road for years, [zero-trust architecture] is the decision to ‘abandon ship’ and tunnel through corporate networks as if they are equally untrustworthy.”
Cloud-based information systems can be rapidly deployed and shift some of the burden of security and compliance to service providers.
Amazon, Microsoft and Google — all of which offer FedRAMP authorized services — collectively spent $97 billion in capital expenditures in 2020 alone, while the manufacturing industry, in contrast, lags well behind average in spending on IT as a percentage of revenue.
A cloud-first strategy seeks to reduce and control technical debt by adopting cloud services wherever possible. By leveraging cloud services as the underlying architecture for organizational systems, an organization can effectively reduce the scope of technical responsibilities that must be performed internally such as maintenance, hardware refresh and physical security.
The application of a cloud-first strategy can result in reduced system complexity, decreased operational footprint, and allow an organization to inherit certain security and compliance practices from the cloud service provider in a shared responsibility model.
“Cloud service providers have scale and assets that promote constant advances in security to stay abreast of agile, persistent adversaries,” says Robert Metzger, a government contracts attorney at Rogers Joseph O’Donnell and co-author of MITRE’s “Deliver Uncompromised” report.
Adopting a zero-trust architecture in the cloud may be crucial to reducing the exposure of traditional perimeter defenses and accommodating today’s remote workforce, Metzger said.
So, what’s the catch?
The CMMC practice SC.3.180 requires organizations to “employ architectural designs, software development techniques and systems engineering principles that promote effective information security.”
As the dominant contemporary model for security architecture, zero-trust architecture is an obvious choice for promoting effective information security. But NIST SP 800-207 identifies a perceived gap between federal cybersecurity frameworks and the regime: "There is a misconception that [zero-trust architecture] is a single framework with a set of solutions that are incompatible with the existing view of cybersecurity. ... This gap is based on a misconception of zero-trust architecture and how it has evolved from previous cybersecurity paradigms," NIST said.
The CMMC model, like the NIST special publications it builds upon, contemplates a traditional, on-premises environment, where blinking boxes protect the network from adversaries on the outside. In that mindset, requirements like AC.2.015 "route remote access via managed access control points" set up organizations implementing zero-trust architecture for a tricky justification.
What exactly, in today’s cloud-first world, is remote access? In the CMMC clarification to AC.2.015, remote access is defined as “access to organizational systems by users (or processes acting on behalf of users) communicating through external networks” such as the internet. If, as in a zero-trust architecture, all networks are treated as inherently untrusted, are the underlying requirements satisfied?
Metzger argues that “while NIST SP 800-171 and CMMC are written around different principles and expecting different methods than zero trust, adoption of its technologies and techniques will undoubtedly contribute to compliance, with the added benefit of outcomes superior to the minimums that might be acceptable.”
Consider CMMC practice PE.3.136, which requires organizations to enforce safeguarding measures for controlled unclassified information at alternate work sites and clarifies that organizations should “define and implement safeguards to account for protection of information beyond the enterprise perimeter.”
In a zero-trust architecture, an alternate work site is no more or less trusted than a corporate network. With identity as the perimeter, zero-trust mechanisms like telemetry-based access control and encryption provide safeguarding measures for data, regardless of where the user is logging in from.
Zero-trust concepts and supporting technologies are not so far off from a literal, conservative reading of CMMC practice requirements, but it is apparent that it is not the architecture that the CMMC model had in mind.
Which begs the question, how can federal rulemaking and any attendant certification processes ever keep pace with the fast-moving cybersecurity domain?
Metzger suggests that a focus on security outcomes, rather than prescriptive methods, could address the problem. “Experience in recent years shows too painfully that the techniques, tactics and practices of adversaries outpace entirely the rate of rulemaking or the pace of certification regimes.
“Indeed, an excess of rules and surplus of process can increase opportunities for adversaries to find, study and exploit the ‘seams,’” he said.
“That’s why it is important to think more about security outcomes than to rely upon rule-based regimes — especially those reliant upon perimeter security of on-premises networks.”
It is important to remember, as the DoD Zero Trust Reference Architecture points out, that “no single device or capability produces a zero-trust framework.” Similarly, CMMC is not a one-off project and cannot be reduced to technical implementations. We should be careful not to look to zero-trust architecture as a panacea for cyber and supply chain risk.
But, as the federal government pushes to adopt zero-trust architectures and secure cloud services, the defense industry should look to cloud-native zero-trust architecture as an effective strategy for meeting compliance requirements, protecting sensitive data, and modernizing IT infrastructure in one fell swoop.
Ryan Heidorn is a co-founder and managing partner at Steel Root, where he leads the firm’s cybersecurity practice. He also serves on the board of the National Defense Industrial Association’s New England Chapter.