Commentary: It’s Time to Get a Jumpstart on CMMC 2.0

By Pete Sfoglia


During the Cold War, the Defense Department wanted a network that could reroute itself around areas that had been destroyed by nuclear weapons or attacked by enemy spies, so it built one and called it ARPANET, the Advanced Research Projects Agency Network.

Scientists at major universities joined in, using it as a collaboration tool. The ARPANET, now called the internet, has become a business enabler extraordinaire, a behemoth transactional system that holds together a global economy. Like all things that evolve, it has taken on a level of complexity that businesses — large and small — are ill-equipped to address.

Because the military and colleges were its sole users, the internet was not built with security in mind. We realized this only after its value as a social and business enabler became apparent, resulting in the exponential growth and increased diversity of its user base.

Unfortunately, hackers began exploiting America’s first “killer app” for financial gain, disgruntled employees used it for revenge, and end-user neophytes made mistakes. The tech industry responded with vain attempts to repurpose an already mature and efficient architecture by retrofitting it with hardware like firewalls, and software such as encryption, antivirus and real-time monitoring tools. But these efforts weren’t enough to stem the tide of assaults on our privacy, finances and reputation.

The government had to do something to rein in the beast it had created. So it used its heavy hand to impose sweeping cybersecurity regulations and control standards on big banks, broker/dealers, health insurance carriers, and critical infrastructure. But then, numerous breaches occurred at lower levels of the supply chain, attacking the same information that the big companies were spending millions to protect.

Another example of government intervention is the Cybersecurity Maturity Model Certification (CMMC), which regulates government contractors that must secure controlled unclassified information (CUI).

The first version, CMMC 1.0, never had a chance. It was complex, contained control requirements from too many authoritative sources, and lacked governance over third-party assessment pricing. So finally, after more than 18 months of contractor outrage, the Defense Department put a hold on CMMC and gave out a few clues on what’s to come.

Now, there is CMMC 2.0.

The Defense Department comptroller estimates that it could be another seven to 20 months before CMMC 2.0 is signed into law. So, what can be done while waiting?

The goal should be to manage risk, not eliminate it. One must accept some level of cyber risk to reap the rewards of technology. Start managing risk now. Jump-start the risk management journey by adopting 10 low-cost/high-impact cybersecurity technologies.

Eight of these tips are native to existing Microsoft or Google office automation systems, and the monthly cost of the remaining two is less than a nice dinner for two.

Each technology addresses one or more of the control requirements of NIST SP 800-171 and 172, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” the bellwether standard for CMMC Levels 2 and 3 compliance.

The first step in securing CUI is to know where it is. Nowadays, it can be stored in various locations: user workstations, on-site servers, one or more third-party clouds, file cabinets, smartphones, smartwatches, tablets and thumb drives, to name a few. Once you know where your CUI lives, ask yourself if it should be where it currently is.

Storing CUI on thumb drives and other intelligent devices is risky because end-users control these devices. They lose them and are otherwise woefully lax in securing them. NIST 3.1.19 requires robust encryption of CUI on mobile devices and mobile computing platforms, and section 3.8 expressly discourages storing it on employee-owned devices. If you must have CUI on paper, store it in locked, fire-resistant, tamper-proof filing cabinets.

Controlled unclassified information is best secured in third-party clouds operated by reputable cloud service providers like Amazon Web Services, Microsoft Cloud and Google Cloud. These providers undergo rigorous third-party audits against the System and Organization Controls 2, a comprehensive assessment framework put forth by the American Institute of Certified Public Accountants.

Step number two: store CUI in cloud-based “vaults.” Avoid storing sensitive data on hard drives. If sensitive data is featured in office documents, watermark them “Confidential” and store them in the cloud in a virtual lockbox like Microsoft Vault or Google Vault. These cloud-based tools can secure CUI in encrypted directories protected by two-factor authentication (2FA).

Tip three: monitor activities performed on directories that contain CUI. Most Level 2 and 3 CMMC entities store files in local or cloud drive directories, or folders.

Most computer operating systems have logging capabilities that can be configured to capture access to specific files and directories. For example, Microsoft 365’s “Basic Audit” solution provides per-user auditing at the file, directory and webpage levels and can be configured to record copy, delete, download, modify, rename and upload events on named files and directories for periodic review by management.

NIST section 3.3 “Audit and Accountability” provides detailed requirements for capturing and reviewing successful and failed CUI access events. Microsoft Basic Audit features and functions exceed these requirements.
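As an added example (not from the article, Microsoft or NIST), the periodic review described above run over a handful of constructed audit records in a simplified, newline-delimited JSON shape; the field and operation names follow the SharePoint/OneDrive audit vocabulary, but the records, users, site URL and CUI directory are all invented for illustration.

```python
import json
from collections import Counter, defaultdict

# Operations the tip says to capture on CUI directories; the names follow the
# SharePoint/OneDrive audit vocabulary, but every record below is constructed.
TRACKED_OPS = {"FileCopied", "FileDeleted", "FileDownloaded",
               "FileModified", "FileRenamed", "FileUploaded"}
# Operations that take CUI out of the controlled directory or destroy it.
HIGH_RISK_OPS = {"FileCopied", "FileDeleted", "FileDownloaded"}
# Hypothetical CUI directory; only records under this prefix are in scope.
CUI_PREFIX = "https://example.sharepoint.com/sites/cui/Shared Documents/CUI/"

# Constructed sample export, one JSON record per line (not real tenant data).
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2022-03-01T09:02:11","UserId":"alice@example.com","Operation":"FileModified","ObjectId":"https://example.sharepoint.com/sites/cui/Shared Documents/CUI/contract.docx","ResultStatus":"Succeeded"}
{"CreationTime":"2022-03-01T09:05:40","UserId":"bob@example.com","Operation":"FileDownloaded","ObjectId":"https://example.sharepoint.com/sites/cui/Shared Documents/CUI/drawings.pdf","ResultStatus":"Succeeded"}
{"CreationTime":"2022-03-01T09:06:02","UserId":"bob@example.com","Operation":"FileDownloaded","ObjectId":"https://example.sharepoint.com/sites/cui/Shared Documents/CUI/bom.xlsx","ResultStatus":"Succeeded"}
{"CreationTime":"2022-03-01T10:15:00","UserId":"eve@example.com","Operation":"FileAccessed","ObjectId":"https://example.sharepoint.com/sites/cui/Shared Documents/CUI/contract.docx","ResultStatus":"Failed"}
{"CreationTime":"2022-03-01T11:30:22","UserId":"alice@example.com","Operation":"FileUploaded","ObjectId":"https://example.sharepoint.com/sites/hr/Shared Documents/handbook.pdf","ResultStatus":"Succeeded"}
"""


def parse_records(text):
    """Parse a newline-delimited JSON export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_cui_access(records, cui_prefix):
    """Build the periodic-review summary for one CUI directory.

    Successful tracked operations are tallied per user; high-risk operations
    and every failed attempt (NIST 3.3 asks for both outcomes) are listed
    individually so the reviewer can confirm each one was authorised.
    """
    per_user = defaultdict(Counter)
    flagged = []
    for rec in records:
        if not rec["ObjectId"].startswith(cui_prefix):
            continue  # outside the CUI directory: not in scope for this review
        when, user, op = rec["CreationTime"], rec["UserId"], rec["Operation"]
        if rec["ResultStatus"] != "Succeeded":
            flagged.append((when, user, op, "failed access"))
            continue
        if op in TRACKED_OPS:
            per_user[user][op] += 1
        if op in HIGH_RISK_OPS:
            flagged.append((when, user, op, "high-risk operation"))
    return {"per_user": {u: dict(c) for u, c in per_user.items()},
            "flagged": flagged}


if __name__ == "__main__":
    summary = review_cui_access(parse_records(SAMPLE_AUDIT_LOG), CUI_PREFIX)
    for user, ops in summary["per_user"].items():
        print(f"{user}: {ops}")
    for when, user, op, reason in summary["flagged"]:
        print(f"REVIEW {when} {user} {op}: {reason}")
```

The upload to the HR site is ignored because it falls outside the CUI prefix, while the failed access attempt is flagged even though its operation is not one of the six tracked write events.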

Tip number four: purchase cyber liability insurance.

In addition to lessening the financial impact of data breaches, cyber liability policies provide victims of a breach with forensic data services performed by top-shelf forensic engineers. Forensic teams follow the NIST section 3.6 requirements for documenting, containing, analyzing, remediating and reporting cybersecurity events.

Tip five: use your local Windows Defender Firewall to secure your endpoints. Enable the Windows Firewall default settings on your computers. If using a third-party firewall, save some cash and get rid of it. Perimeter firewalls are overkill for most CMMC Levels 2 and 3 efforts. However, in concert with your existing antivirus software, Windows Firewall can thwart many internal and external attacks.

Number six: restrict access to CUI by requiring two-factor authentication. 2FA technology requires two authentication methods to access computing devices and applications. Method 1 is “something you know,” like a password. Method 2 is “something you — and not the bad guys — have,” like a randomly generated integer sent to your email or smartphone. It’s that second hurdle that prevents the bad guys from accessing applications, emails, workstations, tablets and smartphones.

2FA is far and away the most potent defense against email-based phishing attacks, which according to Deloitte account for 91 percent of all cyber attacks. No wonder over half of U.S.-based businesses use it, and an additional 37 percent plan to. 2FA is a core NIST requirement, covering privileged IDs (section 3.5.3) and IDs performing remote maintenance (section 3.7.5). Both Microsoft 365 and Google Apps include 2FA functionality as part of their office application, security management and device management products, which are easy to install and configure.

Tip seven: block access to web-based applications that process CUI and implement a password manager.

Password managers are secure, cloud-based repositories for user login credentials and form information. They are single sign-on tools that pre-fill login prompts, choose complex passwords and provide easy access to credit cards from any computer, anywhere.

As a result, you will never have to write down or remember another set of IDs and passwords, passwords will become unguessable, and you alone will be granted access to your web-based applications.

In addition, password manager functionality exceeds a whopping 42 of the 110 NIST control requirements, including all of section 3.1, “Access Control Requirements.”

Eight: protect workstations by enabling full-disk encryption.

Microsoft BitLocker is a full disk encryption feature included with Windows Vista and higher. It encrypts an entire hard drive and external storage devices, rendering lost or stolen computers useless.

Tip nine: send secure emails by encrypting email attachments that contain CUI. Never attach clear-text CUI to an email. Instead, encrypt using a product like PKZip, WinZip, or native encryption features in office applications. Likewise, never store CUI in the body of an email.

And finally, tip number 10: protect your web traffic from prying eyes. Use a virtual private network. VPNs provide end-to-end encrypted internet connections, ensuring the safe transmission of sensitive data. They prevent intruders from eavesdropping on internet traffic, making it possible to extend a company’s network far beyond its four walls.

Many cybersecurity technology vendors offer plug-and-play VPNs at reasonable monthly costs. NIST 3.3.13 requires “cryptographic mechanisms to protect the confidentiality of remote access sessions.” It’s hard to believe that only 15 percent of Level 2 subcontractors use VPNs when working from home, especially within the context of a major pandemic. This means that 85 percent of businesses beholden to the CMMC would fail a third-party assessment solely for lack of a $60 NordVPN subscription.

So now what? We know the following; everything else is conjecture.

First, NIST SP 800-171 and 172 are the sole standards against which Level 2 and Level 3 contractors will be assessed.

Level 2 subcontractors that don’t handle information deemed “critical to national security” will have the option to perform a self-assessment.

The Defense Department will create the criteria for what products and services meet its definition of “critical to national security” and decide which contractors meet it, and allow “Plans of Action and Milestones” reports in some instances.

With these reports, contractors can pass an assessment even if they do not currently meet every security control required — provided their report correctly outlines a plan of action and deadlines. Findings deemed “critical” must be resolved within 180 days.

Prior to CMMC 2.0 being signed into law, what can be done while waiting?

It would be best to continue CMMC efforts. Remember that NIST SP 800-171 compliance remains in force. Just as the IRS conducts random taxpayer audits, the Defense Industrial Base Cybersecurity Assessment Center could audit select contractors.

Notably, a “subset” of Level 2 entities will require third-party assessments. The selection criteria that the department will set to determine which contractors fall into this vague category is not yet known.

Many who think they are exempt from rigorous third-party audits will put their compliance efforts on hold until the Defense Department releases details of CMMC 2.0 and find out they were wrong. These wishful thinkers will have to hustle to become certification-ready.

Keep in mind that even if the department exempts a company from these audits, customers may still require them. Whether or not it’s required, a third-party assessment can accelerate revenue and market growth by differentiating a business: it gives customers assurance that the necessary controls are in place.

Most importantly, protecting CUI should not be predicated upon the release of CMMC 2.0. It’s just the right thing to do for customers and country. 

Pete Sfoglia, Ph.D., is executive vice president and co-founder of Insurun Advisory Services.


Comments (2)

Re: It’s Time to Get a Jumpstart on CMMC 2.0

Regarding step 2, if you are a Defense Contractor, do NOT mark office documents as "confidential". The word "confidential" is a classification marking for the federal government. The last thing any Defense Contractor wants to have is something marked confidential on their unclassified systems. Use the term "business sensitive", or at least combine terms to say "[business name] confidential" to delineate between federal government confidential and business confidential.

Please update this article. The information in Step 2 will confuse many people, and only promulgates disinformation in the community.

John at 1:45 PM
Re: It’s Time to Get a Jumpstart on CMMC 2.0

Sounded more like a marketing pitch for what exists versus what we need to protect exactly what? In the interests of the DoD where its systems (NSS or IS missing from this discussion) are either Mission Essential Information Systems, Mission Critical Information Systems and/or Mission Critical Control Systems (MCCS), are we sure using a civil standard as are NIST (often w/o DoD acquisition office participation in their review or formulation) will meet the original intent of CMMC and realize a cost-benefit ratio as are the use of COTS has yet to justify? Protect the data - and when the new CUI standards are out later next year, we will have to shift to them. But all other existing DoD security standards need a review and perhaps consolidation into one User Guidebook before adding another termed CMMC at present. And since CUI/CTI and all other classified information affects TSN/SCRM, we need to look past the civil side into the military maintenance and supply data systems and their existing data dictionaries before adding another layer of security, policies and acronyms to the current mix where we just keep adding on more for the DoD Program Acquisition Offices to manage vice actually doing their real engineering, logistics and testing jobs. We have either no databases for many existing security mandates or none at all depending on the program, PEO and system under discussion. And focus remains too affixed on NIST RMF Certification and getting an ATO to take on another layer of security w/o asking ourselves as to what we are really doing overall within the DoD and within its supporting defense contractors. If CMMC is so vital and proven and already cost justified, then let's start removing other systems required by the DoD and contractors to adhere to and manage. And regardless if any existing security mandates ranging from physical, personnel, INFOSEC, ... are supposed to be protecting the data of contractors, suppliers, the DoD or USG overall, where is the map showing a critical component of a particular system's mission being tracked from its inception in a drawing tree (model or not) through manufacturing, test, fielding, and including the contract(s) and vendors at (Hint: there is none at present, just concepts). And moving the data to a secure cloud (a new name for an old concept) or not, the biggest threat to trade secrets, proprietary information and processes, and mission capabilities lay where - the people. Do we extend CMMC into the Universities where the hiring of foreign nationals or the exchange of information with foreigners is the norm? My solution is to tighten existing access to data starting with personal security of foreign nationals as our allies do in the EU (not a native born citizen, forget applying even in their space program or aviation standards offices), make CMMC an ISO/CMMI certification standard and draw the map that we who actually use these systems know that shows the tracking of that critical component and its data through the systems in the DoD that are not in place or are disparate, accessible to only a few inside the program office, and address the existing data systems and their data dictionaries from the program office's data systems (e.g., Team Center mandated by AFLCMC for all NSS programs) to those supposedly in place at the PEO level, through the DLA system and out into the maintenance and supply systems (e.g., MDD, MADW using Advana in the USAF) before adding more acronyms, requirements, processes from a CIO perspective vice physically in place and Adaptive Acquisition Framework (AAF) point of view. And start thinking about employing Blockchain for the data structures and communication pipes themselves that exist in terms of costs and speed to implement.

And since the DoD is not the main element within the former Defense Contractors portfolios outside of a few programs as was during the Cold War, extending CMMC down through every middle to small contractor and vendor is a pipe dream in my 50 years of working with every engineering, program office and support data system and most contractors. Time to step back and redraw the map based on the critical component and data in the program office and prime contractor and then through the DoD and individual military service logistics chain along with a plan to protect the data regardless of an IT Information Systems (IS) or National Security Systems (NSS) [can we start using these formally directed terms vice IT-centric (i.e. IT vv. PIT) legacy terms in these discussions?] vice another proven-to-fail set of NIST standard checklists (but great for establishing common terminology)? I feel CMMC will be tough to implement, enforce, monitor for compliance and will not address where major security breaches are in terms of people and too many hands in the DoD Cyber soup and plethora of existing data systems directed for use between the DoD CIO, A&S, R&E, ... and lower echelon commands. Ask yourself as to whether one can immediately tell me where a piece of data has been just now w/o some serious log file analysis aside from its systems to store and transmit it?

Joseph D Yuna at 7:08 AM