The Cybersecurity Maturity Model Certification (CMMC), which affects organizations in the US Department of Defense (DoD) supply chain, establishes a minimum threshold of cyber maturity that all organizations must achieve. There’s a lot to CMMC, and understanding the framework – made up of domains, practices, and processes – is only the beginning. From there a journey begins: you need to figure out where your organization is starting from, and then what’s required to reach a compliant environment and be ready for certification. We were lucky enough to have Stuart Itkin, VP of CMMC and FedRAMP Assurance at Coalfire Federal, join us last week for a webinar to discuss just that.
The time to prepare for CMMC is now
First, in case you’re not familiar with Coalfire Federal, they are one of the first authorized CMMC C3PAOs (Certified 3rd Party Assessment Organization) and a CMMC RPO (Registered Provider Organization). They also provide CMMC assessments and provide advisory services to organizations preparing for CMMC Certification.
As you can imagine, Stuart had some fantastic insights to share with us around the journey to become CMMC certified. Here are just a few things we learned:
Compliance is not security
CMMC came into being as a way of enhancing the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) in the DoD supply chain, as it was determined its predecessor, NIST 800-171, was not effective.
What CMMC does differently is it doesn’t look at compliance, it looks at maturity. As in, you have a security program, you’ve implemented it, you’re using/following it, and it’s working.
CMMC requirements are pass-fail, and the requirements must be satisfied, not just addressed. This means Plans of Action and Milestones (POA&Ms) are no longer accepted. POA&Ms are cheap and don’t actually satisfy the control, and accepting them disadvantages those who are actually implementing and maintaining security controls – which can be time-consuming and expensive.
CMMC is a 100% conforming standard and the requirements are exacting
As mentioned above, requirements are pass-fail, and they must be satisfied. Further to that, the requirements are exacting. For example, if we take the practice AC.1.001 (“Limit information system access to authorized users, processes acting on behalf of authorized users, or devices including other information systems”), the requirements are:
a) Authorized users are identified
b) Processes acting on behalf of authorized users are identified
c) Devices (and other systems) authorized to connect to the system are identified
d) System access is limited to authorized users
e) System access is limited to processes acting on behalf of authorized users
f) System access is limited to authorized devices (including other systems)
And every one of those requirements must be satisfied, documented, corroborated, and mature.
Certification is a journey
The CMMC journey has a lot of nuances to it, but to simplify it, once you embark on the journey and endeavor to build a CMMC environment, there are four key steps involved:
- Identify where CUI and FCI exist in your environment. From there, if it’s possible, segment your network to create CUI and FCI enclaves.
- Identify gaps to satisfying CMMC requirements.
- Build an environment that addresses all CMMC requirements.
- Validate: Perform a mock assessment.
And that’s just skimming the surface. After that you enter the certification assessment process, which of course is its own journey and – much like the requirements – is exacting. To learn more about the above or about the certification process, I would recommend checking out the “The time to prepare for CMMC is now” webinar. You can watch it on demand here.
For more on how Entrust can help you with CMMC, visit our CMMC Compliance page.
For more on how Coalfire can help you become CMMC ready or if you’re ready to be CMMC certified, visit: coalfire.com/cmmc