
The time to prepare for CMMC is now – what we learned from Coalfire

Jul 26, 2021

Written by: Samantha Mabey

The Cybersecurity Maturity Model Certification (CMMC), which affects organizations in the US Department of Defense (DoD) supply chain, establishes a minimum threshold of cyber maturity that all organizations must achieve. There’s a lot to CMMC, and understanding the framework – made up of domains, practices, and processes – is only the beginning. From there a journey begins: you need to figure out where your organization is starting from, and then what’s required to reach a compliant environment and be ready for certification. We were lucky enough to have Stuart Itkin, VP of CMMC and FedRAMP Assurance at Coalfire Federal, join us last week for a webinar, “The time to prepare for CMMC is now,” to discuss just that.

First, in case you’re not familiar with Coalfire Federal, they are one of the first authorized CMMC C3PAOs (Certified 3rd Party Assessment Organization) and a CMMC RPO (Registered Provider Organization). They provide both CMMC assessments and advisory services to organizations preparing for CMMC Certification.

As you can imagine, Stuart had some fantastic insights to share with us around the journey to become CMMC certified. Here are just a few things we learned:

Compliance is not security

CMMC came into being as a way of enhancing the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) in the DoD supply chain, after its predecessor, NIST 800-171, was determined not to be effective.

What CMMC does differently is that it doesn’t look at compliance, it looks at maturity. As in: you have a security program, you’ve implemented it, you’re using and following it, and it’s working.

CMMC requirements are pass-fail, and the requirements must be satisfied, not just addressed. This means Plans of Action and Milestones (POA&Ms) are no longer accepted. POA&Ms are cheap and don’t actually satisfy the control, and accepting them disadvantages those who are actually implementing and maintaining security controls – which can be time-consuming and expensive.

CMMC is a 100% conforming standard and the requirements are exacting

As mentioned above, requirements are pass-fail, and they must be satisfied. Further to that, the requirements are exacting. For example, if we take the practice AC.1.001 (“Limit information system access to authorized users, processes acting on behalf of authorized users, or devices including other information systems”), the requirements are:

  a) Authorized users are identified
  b) Processes acting on behalf of authorized users are identified
  c) Devices (and other systems) authorized to connect to the system are identified
  d) System access is limited to authorized users
  e) System access is limited to processes acting on behalf of authorized users
  f) System access is limited to authorized devices (including other systems)

And every one of those requirements must be satisfied, documented, corroborated, and mature.

Certification is a journey

The CMMC journey has a lot of nuances to it, but to simplify it, once you embark on the journey and endeavor to build a CMMC environment, there are four key steps involved:

  1. Identify where CUI and FCI exist in your environment. From there, if it’s possible, segment your network to create CUI and FCI enclaves.
  2. Identify gaps to satisfying CMMC requirements.
  3. Build an environment that addresses all CMMC requirements.
  4. Validate: Perform a mock assessment.


And that’s just skimming the surface. After that you enter the certification assessment process, which of course is its own journey and – much like the requirements – is exacting. To learn more about the above or about the certification process, I would recommend checking out the “The time to prepare for CMMC is now” webinar. You can watch it on demand here.

For more on how Entrust can help you with CMMC, visit our CMMC Compliance page.

For more on how Coalfire can help you become CMMC ready or if you’re ready to be CMMC certified, visit: coalfire.com/cmmc

Samantha Mabey
Director of Digital Security Solutions Marketing
Samantha Mabey is Director of Digital Security Solutions Marketing at Entrust. Samantha is responsible for driving the marketing, strategy, and communications within the Digital Security Solutions portfolio.