products:

Sorry,

there are no posts to show...


Helpful Resources

News:

Determining whether you’re positioned to contract with the government can be intimidating. Requirements include registration with various databases, meeting standards, and of course, compliance with CMMC.

 

Fortunately, help is available free of charge through Procurement Technical Assistance Centers (PTACs).  And at CyberSheath’s CMMC Con 2021, we’re bringing together three PTAC executives for a panel to answer your most pressing contracting questions.

 

The panel will include Jodi Essex, PTAC Director for Iowa; Frank Migneco, PTAC Director for the NEPA Alliance; and Thomas Gerke, Regional Manager for PTAC in Utah. Essex has procurement experience in both the public and private sectors, including time at Iowa State University. Migneco has more than 20 years of experience working for an investor-owned utility in New Jersey managing a $35 million per year program portfolio. Gerke has 40 years of experience in government supply chain and logistics processes.

 

With 95 PTACs across the country, companies can get 1-on-1 counseling and assistance in their journey to contract with the government. Services include matchmaking and “meet the buyers” events, as well as training workshops.

 

The PTAC panel’s session will be held at 11:30 a.m. EDT followed by a LIVE Q&A during CMMC Con on Sept. 29. Register for CMMC Con 2021 now to join the discussion and learn more about no-cost resources available to assist companies with cybersecurity compliance.

Cybersecurity has become a priority in Washington with efforts beyond the executive order President Biden laid out in May. This month, the Cybersecurity and Infrastructure Security Agency (CISA) and Office of Management and Budget (OMB) offered technical guidance documents and are seeking public feedback on a venture to move the U.S. government toward a zero-trust model.

Contractors in the Defense Industrial Base (DIB) may know of zero trust as a vehicle to accomplish Cybersecurity Maturity Model Certification (CMMC) compliance. A memo from the OMB requires federal agencies to achieve specific zero-trust security goals by the end of 2024.

The government is getting more serious about tightening up cybersecurity and the scope of requirements is growing.

Amit Yoran, chairman and CEO of Tenable, will offer insight on what the government has done so far and what more it needs to do to address cybersecurity in the United States when he delivers his keynote address at CyberSheath’s CMMC Con 2021.

Yoran sits on the board of directors for the Center for Internet Security, previously served as president of RSA Security, and was the founding director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security. He will speak with CyberSheath CEO Eric Noonan about government actions and what companies can do to shore up their own cybersecurity outside of federal regulations.

Register for CMMC Con 2021 now to see Yoran’s address and understand more about the government’s growing role in cybersecurity compliance.

Meeting the requirements of DFARS and Cybersecurity Maturity Model Certification (CMMC) can seem daunting. The good news is that if you take a measured, informed approach, your organization can begin to take the necessary steps it needs to achieve and maintain compliance and, in doing so, continue to be eligible to secure lucrative contracts with the Department of Defense (DoD).

 

CyberSheath recently conducted training to help support the defense contractor community in meeting their compliance objectives. Our five-part cybersecurity compliance training covered a range of topics and gave attendees the knowledge and tools they needed to be successful. At the conclusion of the training module, participants who successfully completed the entire ninja training course achieved Black Belt status.  Register now for CMMC Con 2021 to see the Black Belt ninjas names displayed honoring their dedication to the training.

 

Steps to CMMC compliance

Here’s what we shared during our training to help participants prepare for the complexities and challenges of meeting the DoD regulatory requirements. 

Step 1 – Identify controlled unclassified information (CUI)

Protecting sensitive information starts with understanding the various information categories. The next step is being able to map the information your company holds to the contracting regulations you must adhere to. Depending on your relationship with the Department of Defense (DoD), there are a number of requirements to protect non-public information (NPI).

Information types include:

  • Federal Contract Information (FCI) – Non-public information associated with a federal contract. CMMC offers this description, “FCI means information provided by or generated for the Government under a contract not intended for public release.”
  • Covered Defense Information (CDI) – A form of CUI that is developed under a DOD contract. It is non-public information where a specific law, regulation, or government-wide policy is published that requires that information to be protected in some manner. 
  • CUI – Established by Executive Order 13556 as a way to standardize how to handle sensitive but unclassified information. According to this order, “CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

 

Step 2 – Conduct an assessment

An important step toward achieving CMMC compliance at any level is to know what your starting point is. By accurately assessing your current state, you can figure out exactly what steps need to be taken to become compliant. Before getting started, determine which level of CMMC compliance you need to attain. 

  • Level 1 – Compliance with this level demonstrates the basic cyber hygiene required for contractors receiving FCI. It covers 17 controls across six domains.
  • Level 3 – This level is required for companies having CUI data. Compliance requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. It covers 130 controls across 17 domains.

Here are some guidelines. 

  • Start with an assessment kickoff to gather the required team, discuss the CMMC framework, outline the in-scope environment, and craft a schedule.
  • Interview key personnel, complete applicable attestations, and collect relevant artifacts.
  • Analyze all the information you have assembled and compile an initial score as pertains to the controls you have already demonstrably implemented.
  • Create a report detailing the current state including an executive summary, DFARS interim scoring rule, key observations and recommendations, and a detailed analysis of each practice.
  • Present and discuss assessment results, key compliance findings, and the path forward.

 

Step 3 – Submit your current status to the SPRS

Once you have assessed your current state and mapped your organization’s compliance against the 130 controls, it’s time to log that information into the Supplier Performance Risk System (SPRS).

Note that admitting deficiencies can seem counter intuitive, but establishing a cybersecurity baseline for your company, and then working to improve your score–making sure to update it as you comply with controls–is a good way to show your commitment to achieving full compliance.

Here is how you can get started.

  • Set up your account by visiting the procurement integrated enterprise environment (PIEE) website and enter the required information. 
  • Access the SPRS by selecting it from the drop-down menu.
  • Select ‘SPRS Cyber Vendor User’.
  • Add roles.
  • Complete the agreement.
  • Have the admin linked to the cage code approve your account.
  • Submit your assessment score.

 

Step 4 – Draft your SSP and POA&M

The system security plan (SSP) and plan of action and milestones (POA&M) provide a foundation for your remediation efforts as you work to close all of your company’s cybersecurity compliance gaps.

  • SSP – Outline how your organization manages cybersecurity and determine which approach makes sense for your environment – an organizational, system-focused, hybrid or shared compliance plan. Make sure your document includes systems information, control narratives, diagrams, artifacts, and more.

POA&M – This is a corrective action tracking mechanism. Here are the key questions to address as you develop your own POA&M.

  • What are the actions that you need to take to implement each control?
  • When do you plan to have each action completed? Include interim completion dates.
  • Who is responsible for managing and completing each action?
  • What is the compliance impact, estimated cost, and risk of each?
  • How was the weakness that requires this action identified?
  • Which control does this action correspond to and address?
  • What is the status? Is this action ongoing or completed?

 

Step 5 – Implement controls and manage compliance

Addressing security measures can seem like a huge task, as your organization must meet all 130 controls to be CMMC compliant. Here’s an overview of how to tackle this endeavor, divided into general control categories.

  • Security Monitoring Controls
    • Security Information and Event Management (SIEM) – Regular review of logs is a key part of CMMC and NIST SP 800-171 compliance, as well as a general best practice. Keep in mind that aggregating and reviewing the massive volume of logs is not practical to accomplish with manual processes.
    • Vulnerability Scanning – Vulnerability and patch management strategy is an essential requirement to meet CMMC. Unpatched vulnerabilities are often used by threat actors to exploit systems, leading to ransomware and data theft.
  • IT Infrastructure Controls – IT Infrastructure refers to all of your company’s hardware and software, both on-premise and in the cloud. Many companies struggle implementing controls in environments where CUI is stored on-premise and they have older unsupported hardware and software which puts CUI at risk. 
  • Policy and Administrative Controls – One of the key points in gaining CMMC compliance is ensuring that your controls have maturity. Make sure you are capturing what technology you are putting in place and the processes of implementing and managing that technology. 

 

No matter how skilled you and your organization are, we can support your path to compliance with CMMC. Engage with us for as much as you need. Our team is happy to partner with your internal resources to help you reach your compliance goals. Contact us to learn more.

 

RESTON, Va. — Sept. 8, 2021 Leading managed CMMC compliance provider CyberSheath announced today that Amit Yoran will provide the keynote address at CMMC Con, the nation’s largest CMMC conference. The virtual, one-day conference kicks off at 9 a.m. EDT on Wednesday, September 29, 2021. Registration for the event is still available.

 

Yoran, the chairman and CEO of Tenable, sits on the board of directors for the Center for Internet Security, previously served as president of RSA Security, and was the founding director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security. Yoran will speak with CyberSheath CEO Eric Noonan on President Biden’s executive order on cybersecurity, what other governmental efforts are necessary to shore up cybersecurity, and what actions companies can take to better protect themselves from attacks.

 

CMMC Con will also include a discussion with Aries Security CEO Brian Markus and lawyer Greg Thyberg speaking on the False Claims Act case, a panel on Procurement Technical Assistance Centers (PTACs) with a live Q&A, and a session hosted by Microsoft on evolving technology.

 

Microsoft, a platinum sponsor for the event, will cover Microsoft 365 and Azure in its session, with a focus on CMMC ML3 preparations, and leveraging government cloud offerings. Phil West, U.S. National Director of Modern Work and Security at Microsoft, will be speaking at the session.

 

“Last year we saw a huge response from attendees before CMMC compliance was even required,” Noonan said. “Now that it has taken effect, and the need for comprehensive cybersecurity is greater than ever, we look forward to equipping contractors in the Defense Industrial Base (DIB) with a greater understanding of the evolving threat landscape and tools to help them face those challenges.”

 

CyberSheath recently conducted free training to support the defense contractor community to meet their compliance objectives. The five-part compliance training covered a range of topics and prepared attendees with the knowledge and tools that will make them successful. At the end of the training module, 30 participants were awarded “black belt” status. Those that received black belts will be honored at CMMC Con 2021 through the displaying of their names at the event.

 

About CyberSheath Services International, LLC

Established in 2008, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

 

Contacts

CyberSheath Services International, LLC

Kristen Morales at Kristen.Morales@cybersheath.com

 

A look at recent headlines would have you believe that the biggest risks for CMMC noncompliance are exposed data and ransomware demands. But many organizations are exposed to a much different kind of risk, according to an ongoing case that involves a DIB contractor.

 

In September 2015, Aerojet Rocketdyne Holdings, Inc. laid off Brian Markus, its CISO, two months after Markus refused to sign a document that claimed the company had met compliance and instead authored an internal memo noting his concerns. Markus, now the CEO and co-founder of Aries Security, filed suit the next month under the False Claims Act.

 

The qui tam, which means Markus can sue on behalf of the federal government, was amended to allege that Aerojet Rocketdyne terminated his employment based on his efforts to stop the company from defrauding the government. The ongoing case is due to be heard before a jury next March.

 

Markus holds several licenses and certifications in cybersecurity and is a member of the President’s National Security Telecommunications Advisory Committee. Prior to joining Aerojet Rocketdyne, Markus spent eight years at Raytheon in senior IT security and management roles and 10 years as a “security goon” for DEF CON, one of the world’s most notorious hacker conventions.

 

Markus, along with lawyer Greg Thyberg, will join CyberSheath vice president of security services Carl Herberger for a discussion about the importance of cybersecurity compliance for contractors within the DIB. Register for CMMC Con 2021 now to see the discussion and understand more about how the False Claims Act applies to the world of cybersecurity compliance.

As your organization works to strengthen its security surrounding its IT infrastructure to meet the requirements of the NIST 800-171 framework, and in anticipation of securing Cybersecurity Maturity Model Certification (CMMC) Maturity Level 3 compliance, a few issues frequently require attention.

Working to address these challenges will raise your company’s Supplier Performance Risk System (SPRS) score. This can be instrumental in demonstrating your commitment to exceptional cybersecurity hygiene to government entities looking to use your products or services. 

 

We’ve found these issues that require remediation at most companies we have assessed.

 

Absence of Documentation

With CMMC looming, a lot of companies are examining their policies, procedures, and standard documentation. At CyberSheath, before we get to the remediation process, we assess where an organization is in terms of compliance readiness. Generally what we find is most companies have very little documentation around what they’re doing and how they’re governing their security controls.

Lack of internal resources can make formulating the appropriate documentation a challenge. While we can craft that documentation, the hard part is getting each company to go through their records and align policies and procedures with their unique organizational practices. What we call best practices do not necessarily translate to being applicable to their business. For example, best practice for an activity timeout could be 10 minutes. However for your business, perhaps it makes sense to extend that time period to 30 minutes. 

 

No Multi-factor Authentication (MFA)

We’ve discovered that most companies either have MFA partially applied or not applied at all. Meaning maybe these entities are using Microsoft 365 and have activated MFA for when they’re logging into that environment. That is not sufficient. Part of the requirement is you need to have multifactor turned on even when you are logging on locally. Meaning when you turn on your laptop and type in a password, you should also have to have a second factor to access your laptop. From what we’ve seen in our assessments, this step almost never happens.

The struggle here may be that additional resources and tools need to be procured, which adds another cost. Also, a lot of the remediation we assist clients with circles back to a culture change being a huge challenge. 

 

Shared Accounts

Perhaps your IT group has one generic, admin user ID with a shared password. While this ID is only assigned to IT, it could be leveraged by multiple people. This practice creates an accountability issue because it becomes difficult to identify exact users. Another example would be a shared computer on the floor of a manufacturing company, used by 10 people. A lot could happen between those 10 users, making it challenging to tell which one of the users performed what tasks or even who executed a potentially malicious act. 

In a similar vein, it’s also relatively common for companies to mistakenly or intentionally provision users accounts that grant individual works outside of management with admin access. It’s pretty easy to see how this could go horribly wrong. While many users do not notice or act on this level of access, it does open up the entity to all sorts of security issues. 

 

If your organization would like assistance in determining their current security posture, including assessing whether or not they need to remediate these common issues, give us a call. We will be happy to work with you to identify compliance gaps, craft a plan to address any issues, and help your company improve its SPRS score. 

As your organization works toward achieving CMMC compliance, creating your System Security Plan (SSP) and Plan of Action and Milestones (POA&M), are critical steps in the process. The documents both provide a foundation for your remediation efforts as you work to close all of your company’s cybersecurity compliance gaps.

Find the right SSP for your organization

Your SSP will outline how your organization approaches cybersecurity. It is your opportunity to narrate your security controls including discussing your environment and how you meet the intent of your controls. Before you begin drafting your plan, you need to determine which approach to take. Select one of the below to get started.

  • Organizational plan – Sometimes called an enterprise system security plan, these plans represent a system security approach across an organization defining a standard cross-organization adoption of control requirements. Organizational plans work well for less complex organizations where all technology can be represented in a single document.
  • System focused plan – This approach concentrates on security through the lens of a particular system, IT service, or enclave, and fully documents control implementation details from the perspective of a specific system only.
  • Hybrid plan – This plan is between an organizational system security plan and a single system or enclave system security plan. It takes the idea of standardization from the organizational plan, but documents your deviations from your overarching standard in addendums or appendices.
  • Shared compliance – This is a type of hybrid plan that documents the accountability of control implementation that lies with a service provider. The organization should ensure, contractually or through verification, that inherited controls are in place at the service provider and that they are applicable to the systems and/or services in scope for system security planning.

 

SSP document structure

Regardless of the type of plan you proceed with, here is guidance on how to structure your SSP.  Include the following report elements.

  • System information – In this section it is important to include ownership and accountability for each system you are documenting, as well as a systems environment description, data flows and interconnections, users and roles, and hardware and software components.
  • Control narratives – For each control, note the status, which should be compliant, partially compliant, not compliant, not applicable, or inherited, and provide a narrative about the status. Also include discourse on the control implementation. This is your opportunity to discuss a control requirement. For every control where you are partially compliant or not compliant, provide a summary of planned actions to get you to compliance and direct readers to your POA&M.
  • Other considerations – There are other types of information that can be helpful to include in your SSP including:
    • Diagrams and visual representations to illustrate what your system is and how it works.
    • Assessment guide and supplemental guidance to assist your narratives and show what you need to achieve and how you will meet your objectives.
    • Expected or maintained evidence and artifacts to demonstrate how you will or are implementing the controls.
    • Maturity references including policies, practices, and plans to tie the pieces together and make it easier for a certifier to track down those pieces of evidence that confirm your controls are not newly implemented.
    • CUI authorizations to show the flow of CUI in your environment. This should talk to where CUI should exist, where it is stored, how it should be accessed, and how it flows.

 

Take the steps to compliance with a POA&M

A POA&M is a corrective action tracking mechanism. Here are the key components to have as you develop your own POA&M to assist with your CMMC compliance efforts.

  • Corrective actions list in the form of actionable tasks – What are the actions that you need to take to implement each control?
  • Milestones and timeline to achieve compliance – When do you plan to have each action completed? Include interim completion dates.
  • Ownership and resourcing of tasks – Who is responsible for managing and completing each action?
  • Prioritization – What is the compliance impact, estimated cost, and risk of each?
  • Weaknesses or deficiency – How was the weakness that requires this action identified?
  • Control mapping – Which control does this action correspond to and address?
  • Status – What is the status? Is this action ongoing or completed?

 

POA&M process and workflow tips

Start with a template and your assessment data as input. Select your template and aggregate all the information you uncovered in your internal assessment, external assessment, or audit. These will be your two inputs to leverage in building your plan of action and milestones.

Convert assessment recommendations to actionable tasks. Sometimes assessment-speak is at a high level. Make sure you are breaking down each requirement into steps that make sense. Include the necessary detail to address the steps your organization needs to take to bring you into a compliant state.

Populate your POA&M and follow your planned timeline. Note any changes to your targeted dates and make sure that you’re actively using this plan to help you achieve compliance.

Maintain your POA&M as you close out your tasks. Once you complete a task, move the status to complete. If you appropriately maintain your POA&M, it is easy to track your progress and note your outstanding items. It also establishes an audit trail of tasks that you are closing out.

 

SSP and POA&M Resources

The documents listed below are useful as you build your own SSP and POA&M.

 

If you have questions about how your organization can craft its SSP and POA&M, contact the experts at CyberSheath. We have helped clients assess and document their cybersecurity state, implement controls, and achieve and maintain compliance. Get started today.

 

The cyber universe has become the next battlefield–a place where threat actors, malicious entities, cyber criminals, activists, and nation states are challenging U.S. hegemony globally. We’ve seen instances where millions, or even billions, of dollars of research and decades’ worth of work has been stolen by hostile nation states. Against this backdrop, it is imperative to secure the supply chain to help defend cyberattacks from impacting the U.S. Department of Defense (DoD).

The DoD created the Cybersecurity Maturity Model Certification (CMMC) to address these threats and help secure the defense industrial base. Prior to CMMC, the DoD leveraged compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171 to set standards for supply chain cybersecurity. So how well are defense contractors implementing these requirements–and which controls are the most problematic?

Let’s look at the data.

 

How we collected the data

Over the past several years CyberSheath has conducted approximately 600+ assessments to determine NIST and CMMC readiness for a wide variety of organizations. Here is a demographic snapshot of the clients evaluated:

  • 86% privately held
  • $3M to $5B+ revenue
  • 10 to 100K+ employees
  • Industries: manufacturing, aerospace and defense, construction, telecommunications, retail, business services, software, and energy, utilities and waste industries
  • SPRS scores of -175 and as high as +10

 

Supplier Performance Risk System (SPRS): Note that as of last year, the government requires you to have an overall score regarding your cybersecurity compliance status. This SPRS score is determined through using government scoring mechanisms and criteria, which assess where you stand on the requirements. These results are to be used by contracting officers to evaluate cybersecurity risk when they’re issuing contracts. The score ranges from -203 to +110.

 

The top 5 failing controls

After we analyzed the data on the assessments we performed, we were able to determine the controls that companies most often did not have fully or properly implemented. The list is rather astounding in those two thirds to three quarters of the companies that we’ve assessed are noncompliant in these controls.

 

Control CategoryControl DetailNon-Compliance
1Access ControlAC.2.016: Control the flow of CUI in accordance with approved authorization.66%
2Configuration ManagementCM.2.064: Establish and enforce security configuration settings for information technology products employed in organizational systems.69%
3Identification and AuthenticationIA.3.083: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.71%
4Incident ResponseIR.3.099: Test the organizational incident response capability.69%
5Media ProtectionMP.3.122: Mark media with necessary CUI markings and distribution limitations.74%

 

This list provides a great indication of where your company should focus its initial investment. If you only have a limited amount of dollars to work with, prioritizing these requirements in the short term might make sense but in the long term CMMC compliance is an all or nothing proposition.
 

In the short term…How to increase your SPRS

Let us walk through an example of the impact of the assessment, findings, and recommendations that we at CyberSheath provide to clients. Typically, a report would open with a statement noting that the assessed company has a significant amount of work to become compliant with the DFARS mandate and to close all identified DFARS and CMMC gaps.

Key recommendations are made to outline corrective actions which are typically heavy-lift items taking significant resources and time to implement. Throughout the report, we identify additional items that represent significant risk to the organization’s environment that should be addressed as soon as possible.

We then provide specific guidance on which controls should be implemented to lift the company’s SPRS score up 50 or more points. For example:

  • Security Governance Practices – 6 Controls – DoD Scoring Impact: +13 Points
  • Vulnerability Management – 4 Controls – DoD Scoring Impact: +11 Points
  • Incident Response Planning – 7 Controls – DoD Scoring Impact: +11 Points
  • Logging and Monitoring – 10 Controls – DoD Scoring Impact: +21 Points

 

For the long term…CMMC ML3 Data enclave use cases

Part of the compliance challenges you face could be addressed by establishing data enclaves, which will also have a positive impact on your SPRS score. Here are cascading use cases on how enclaves could help your organization.

  • Level 1: Data vault and collaboration SharePoint libraries – This secure SharePoint enclave can be hosted in GCC High or a commercial cloud depending on whether data is subject to export.
  • Level 2: Windows Virtual Desktop, SharePoint, Microsoft Office applications, and OneDrive – This approach is secured using Active Directory partitions and Windows Virtual Desktop. Desktops are shared, but data security is enforced to CMMC compliance standards. Great for users who only access Office applications, SharePoint Online, and OneDrive, there is no option to host private application servers.
  • Level 3: Level 2 plus private applications – Customers are segregated on private network segments with network security boundaries adding security beyond Active Directory partitioning. Desktops are private and only accessed by a single company. There is an option available for private application servers on the customer network segment. This approach works well for users looking for an affordable cloud platform while needing to use custom applications or file servers.
  • Level 4: All business operations enclaved – In this approach, all servers and desktops reside in the customer’s MS Azure tenant. Users access the environment using corporate credentials. It is the most expensive option, as all components including Active Directory are completely private. Companies can host any applications or files in their environment and can optionally connect the enclave to their corporate infrastructure.

 

Future-proof your business

Follow these steps to assess your current state, implement controls, and manage compliance to bring order to your cybersecurity challenges.

  1. Assess operations for compliance with NIST 800-171
  2. Generate a system security plan (SSP)
  3. Document plans of action and milestones (POA&Ms)
  4. Implement the security requirements
  5. Maintain compliance

 

As a company, you need to commit to running a cybersecurity compliance marathon–but you don’t have to do it alone. At CyberSheath, we have the expertise and experience to help you cross the finish line by continuously increasing your SPRS score and becoming compliant with your required level of CMMC. Contact us to get started.

 

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.

 

Ransomware attacks were a big point of discussion at the recent G7 summit and headlined the list of topics that President Biden discussed with Russian President Vladimir Putin at their summit in Geneva.

 

The U.S. and some of its tech giants are scrambling to find answers as to how to prevent further attacks and increase safeguards for data. As one facet of that plan to improve, the CMMC-AB has begun approving third-party assessment organizations to certify that defense contractors adhere to CMMC requirements.

 

Matthew Travis, who became CEO of the CMMC-AB in April, said to expect certified assessor training in mid-to-late summer. The CMMC-AB has also recently added a vice president of training and development, a director of operations, a curricula manager, and operations specialist. The board is recruiting to fill more roles as it moves closer to its goal of a full launch for assessor training.

 

Jeff Dalton, the vice chairman of the CMMC-AB and head of the accreditation process, will be among the speakers at CyberSheath’s CMMC Con 2021 and will give attendees an inside look at the progression of CMMC and the path forward.

 

Register for CMMC Con 2021 now to see Dalton’s address and learn more about how to navigate the rapidly shifting future of cybersecurity compliance.

An important step toward achieving CMMC compliance at any level is to know what your starting point is. By accurately assessing your current state, you can figure out exactly what steps need to be taken to become compliant.

 

Before getting started, determine which level of CMMC compliance you need to attain.

  • Level 1: Compliance with this level demonstrates the basic cyber hygiene required for contractors receiving federal contract information (FCI). It covers 17 controls across six domains, including:
    • Access Control
    • Identification and Authentication
    • Media Protection
    • Physical Protection
    • System and Communications
    • System and Information Integrity
  • Level 3: This level is required for companies having controlled unclassified information (CUI) data. Compliance requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, and required training. It covers 130 controls across 17 domains, including:
    • Access Control
    • Asset Management
    • Awareness and Training
    • Audit and Accountability
    • Security Assessment
    • Configuration Management
    • Identification and Authentication
    • Incident Response
    • Maintenance
    • Media Protection
    • Physical Protection
    • Personnel Security
    • Recovery
    • Risk Management
    • Situational Awareness
    • System and Communications
    • System and Information Integrity

 

Assessment Process

In order to be successful, it’s important that everyone involved buys into the need for the assessment and is engaged in the process. We recommend the following approach.

Kickoff

Begin with an assessment kickoff, where you:

  • Provide an overview of the CMMC framework for the team members who may be included in the assessment process.
  • Outline the in-scope environment to guide the assessment team in formulating questions they should be asking about how you are controlling your data.
  • Identify points of contact across departments, including IT, your information security representative, and HR.
  • Discuss the information that will need to be shared as part of the process, including which artifacts are going to be required, and how they are going to be shared with the assessment team.
  • Craft a schedule and start planning your assessment interviews based on availability.

Interviews

The assessment team then interviews key personnel, being sure to ask informed questions to confirm if you have the processes in place to meet the requirements of a control. If the point of contact for your organization is able to attest that you’ve met a specific control, the assessment team should make a note of the attestation, as well as note the relevant artifacts that should be collected to validate that attestation.

Examples of controls and related artifacts include:

  • Control: Complex password enforcement
    • Artifact: Group policy setting screenshot demonstrating that you have configured password complexity
  • Control: Training content
    • Artifact: Presentation that has been internally made, or a screenshot of a platform such as KnowBe4 or InfoSec

Analysis

After interviews and follow-ups conclude, the assessment team begins analyzing the notes and compiling the initial scoring. Artifacts that have been submitted are analyzed to verify implementation. If an artifact was not submitted or was found to be improperly configured, the control would result in a failure. Keep in mind that to be considered compliant, your company must have the control fully implemented.

Report

Once the assessment team has analyzed the data and scored the controls, the report is drafted. The draft report should include these elements.

  • Executive summary with an overall compliance breakdown for CMMC L1 or CMMC L3
  • DFARS Interim Scoring Rule with the score to be submitted into the Supplier Performance Risk System (SPRS)
  • Key observations and recommendations, including areas discovered where your company has its biggest compliance gaps
  • Detailed analysis of each practice, including observations on how your organization is meeting or not meeting a requirement. If a practice is not being met, a recommended action item is noted within the recommendations piece of the practice control

Once the draft report is complete, it should be released to your company’s leadership team and any other larger audience within your organization with ample time to review and provide feedback prior to submitting the final report.

Out-briefing

The assessment team should then schedule one final meeting to present and discuss assessment results, key compliance findings, and the path forward for how your company can meet these requirements. This is also a great opportunity to field questions individuals may have with the compliance findings and recommendations.

Timeline

CyberSheath finds the below schedule to be most successful in performing a CMMC compliance assessment.

 

WeekWhat to do
1
  • Hold kickoff meeting
  • Confirm scope and objectives
  • Identify points of contact
  • Start collecting and reviewing artifacts
2 and 3
  • Conduct the security framework review
  • Schedule interviews and follow-ups
  • Analyze the data
  • Collect remaining artifacts
4 and 5
  • Write and issue draft report
  • Share with leadership and your greater audience to review the findings and provide feedback
  • Start writing your draft system security plan (SSP)
6
  • Issue your final draft report
  • Hold out-briefing to review high-level findings
  • Get sign-off from leadership
  • Start talking about your path forward to remediate compliance gaps
  • Document and finalize your SSP

 

If you need any assistance with your assessment to determine your CMMC readiness, contact the experts at CyberSheath. We have extensive experience helping organizations identify compliance gaps and craft remediation plans addressing issues.

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel shortages and higher gas prices. A ransomware attack on JBS, the world’s largest meat processor, could disrupt meat markets.

 

We’re at a tipping point in security. Nation-state attacks have doubled in the past three years, growing more aggressive in their targets and impact. The severity of attacks is drawing action from the federal government and enforcement of existing cybersecurity standards, drawing new attention to the need for frameworks like CMMC.

 

What does this escalation in nation-state attacks mean for national security and the defense industrial base? Retired Brigadier General Dr. Robert Spalding returns to CMMC Con 2021 to share his perspective on the latest attacks and their reverberations.

 

One of the most enjoyed speakers at the inaugural CMMC Con, Dr. Spalding has served in senior positions of strategy and diplomacy within the Defense and State Departments for more than 26 years. He was the Senior Director for Strategy to the President at the National Security Council and the chief architect for the current widely praised National Security Strategy.

 

A skilled combat leader and a seasoned diplomat, Dr. Spalding has written extensively on national security matters in The Washington Post, The Washington Times, Foreign Affairs, The American Interest, War on the Rocks, FedTech Magazine, Defense One, The Diplomat, and other edited volumes. His Air Power Journal article on America’s Two Air Forces is frequently used in the West Point curriculum.

 

Dr. Spalding is a Life Member of the Council on Foreign Relations. He has lectured globally, including engagements at the Naval War College, National Defense University, Air War College, Columbia University, S. Rajaratnam School of International Studies in Singapore, Johns Hopkins Applied Physics Laboratory, and other Professional Military Educational institutions.

 

Register for CMMC Con 2021 now to see Dr. Spalding’s keynote and learn more about how to navigate the rapidly shifting future of cybersecurity compliance.

One of the first steps in crafting the cybersecurity plan for your company is knowing what information needs to be protected. With all of the designations of information forming an alphabet soup, figuring out how to proceed can seem challenging.

 

Protecting sensitive information starts with understanding the various information categories. The next step is being able to map the information your company holds to the contracting regulations you must adhere to. Depending on your relationship with the Department of Defense (DoD), there are a number of requirements to protect non-public information (NPI).

 

Identify NPI and Map to Applicable Regulations

Familiarize yourself with the different kinds of NPI, which is defined as information associated with a DoD contract that is not intended for public release. There are several regulations established to protect different classes of NPI. 

  • Federal Acquisition Regulation (FAR) 52.204-21 establishes 15 requirements to protect federal contract information (FCI).
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 invokes NIST SP 800-171 to protect covered defense information (CDI), which is also a term for controlled unclassified information (CUI).
  • DFARS 252.204-7021 invokes Cybersecurity Maturity Model Certification (CMMC) to protect both FCI and CDI/CUI.

 

What information you have dictates how you need to protect it. For example, under the CMMC framework, if what you are protecting is FCI, there are 17 cybersecurity controls required to protect that information. If you have CUI, there are 130 controls.

 

Important note: These regulations do not apply to commercial off-the-shelf products and services (COTS). If you are a vendor who only supplies COTS solutions, then these designations do not apply to your business. FAR 2.101 states that these items are considered COTS, “…any item of supply (including construction material) that is:

  • A commercial item (Item that can be sold, leased, or licensed to the general public);
  • Sold in substantial quantities in the commercial marketplace; and
  • Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and
  • … Does not include bulk cargo.”

 

COTS products and services  include catalog items such as laptops, keyboards, and printers; commercially available applications; and janitorial services for public buildings.

 

Determine Your Information Type

 

FCI

Definition – FCI is non-public information associated with a federal contract. CMMC offers this description, “FCI means information provided by or generated for the Government under a contract not intended for public release.” FAR 52.204-21 expands on this to state, “FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” 

 

Examples

  • Contract schedules
  • Statements of work
  • Non-technical requirements
  • Delivery information

 

CDI

Definition – CDI is a form of CUI that is developed under a DOD contract. It is non-public information where a specific law, regulation, or government-wide policy is published that requires that information to be protected in some manner. 

 

Introduced in DFARS 252.204-7012, this term means “unclassified controlled technical information or other information…that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

 

Examples

  • Controlled technical information (CTI), such as engineering drawings, technical reports and notes, bills of materials, software executables and source code
  • Export controlled information (EAR or ITAR)
  • For official use only (FOUO) documentation, which is under the DoD realm, but no longer a valid classification.
  • Operations security (OPSEC) plans

 

CUI

Definition – CUI was established by Executive Order 13556 as a way to standardize how to handle sensitive but unclassified information. According to this order, “CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

 

Examples – Same as above for CDI

 

Resources

  • National Archives and Records Administration (NARA) CUI Registry: This is a registry of all CUI categories. Look through it because it has links to the specific law, regulation, or government-wide policy that causes that category of information to be designated as CUI. 

https://www.archives.gov/cui/registry/category-list

  • DoD CUI Registry: This registry highlights those categories that are in the NARA registry but are relevant to DoD contracts. Some of the NARA CUI categories are relevant to other federal government agencies. It also provides links to additional resources.

https://www.dodcui.mil/Home/DoD-CUI-Registry/

 

While this blog provides you the information you need to get started on determining how to classify your information, the experts at CyberSheath would be happy to help your company identify your CUI and create plans for safeguarding it. Contact us to take the next step in learning how to protect your sensitive information.

Sign Up Today for Your Free Training

Learn more about how to categorize non-public information in our upcoming defense contractor cybersecurity compliance training. Registration is only open May 26, 2021 until June 9, 2021. Get started today.

Cyber Compliance Training - Register Now

 

The constant evolution of cybersecurity standards that must be met in order to do business with the Department of Defense (DoD) can be overwhelming. Make sure your team is capable of achieving and maintaining compliance with Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC). 

 

CyberSheath’s Defense Contractor Cybersecurity Compliance Training is the Answer

The primary goal of DFARS and the CMMC is to ensure the protection of controlled unclassified information (CUI) stored in your environment. Your team can learn the skills necessary to tackle cybersecurity requirements, specifically those dealing with the identification of CUI and the steps you need to take to protect it. 

By the end of the training module, attendees will be able to:

  • Assess compliance
  • Compose an SPRS submittal
  • Create an SSP and POAM
  • Efficiently implement fixes to address compliance gaps

Course Details

Learn how to employ the necessary resources, tools, and policies for compliance. This training curriculum is comprised of five courses covering today’s DoD contractor laws. Each session is designed to teach the skills required for meeting DFARS and CMMC requirements.

 

Session       Level                  Topic
1White BeltHow to identify CUI
2Orange BeltHow to conduct an assessment
3Blue BeltStep-by-step guide for Supplier Performance Risk System (SPRS) submittal
4Brown BeltHow to draft an audit-ready system security plan (SSP) and plan of action and milestones (POAM)
5Black BeltHow to strategically address implementation and managed compliance

 

At the conclusion of each session, there will be a quiz. Successful completion of this 10-minute exam will earn a belt recognizing the acquired skill level. 

Sign Up Today for Your Free Training

If you are a prime or sub-contractor bidding for DoD contacts, take advantage of this training to prepare for the complexities and challenges of meeting the DoD’s regulatory requirements. Registration is only open May 26, 2021 until June 9, 2021. Get started today.

Cyber Compliance Training - Register Now

RESTON, Va. — May 12, 2021 — The nation’s largest CMMC conference is back by popular demand! CMMC Con 2021 picks up where last year’s conference left off, featuring expert speakers from across the government and Defense Industrial Base offering actionable strategies for CMMC compliance. Hosted by leading Managed CMMC Compliance provider CyberSheath, the one-day CMMC Con 2021 kicks off at 9 a.m. EDT on Wednesday, September 29, 2021. This no cost conference is now open for registration.

 

CMMC Con 2021 will focus on the evolving compliance landscape that small and medium-sized contractors face, with sessions focused on:

 

  • Evolving threats, including the escalation in nation-state cyberattacks like SolarWinds.
  • Evolving law, including SPRS submittal of NIST 800-171 assessment, third-party validation of CMMC compliance prior to contract award, the False Claims Act, and the potential loss of DoD revenue.
  • Evolving scope, examining the CMMC-AB roadmap and adoption of CMMC in other federal organizations beyond the DoD.

 

The conference will welcome back popular speakers as well as introduce new ones, including:

 

  • Robert Spalding, retired Brigadier General, USAF, to address the threat from nation states.
  • Keith K. Nakasone, Federal Strategist, VMware formally the Deputy Assistant Commissioner, IT Acquisition Operations, FAS/GSA, in a Q&A on CMMC beyond the DoD.
  • Jeff Dalton, sharing his perspective as CMMC-AB vice chairman on the progression of CMMC and the path forward.
  • Expert panel discussion with senior executives from primes and sub-contractors, including foreign-owned, large, and small contractors, who will share their experience managing CMMC compliance.

 

“Last year, we had more than 1,000 attendees at CMMC Con — before the law had even changed to make CMMC a reality for the Defense Industrial Base,” said Eric Noonan, CyberSheath CEO. “A year later, the conference could not come at a more critical time, as compliance stands in the way of revenue for every defense contractor in the supply chain. By attending CMMC Con 2021, defense contractors will better understand the nation state threats that made the CMMC necessary, the impact of compliance law, and most importantly, the how-to of compliance to stay eligible for future DoD contracts.”

 

Learn more about CMMC Con 2021 and register now.

 

About CyberSheath Services International, LLC

 

Established in 2008, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

 

Contacts

CyberSheath Services International, LLC

Kristen Morales at Kristen.Morales@cybersheath.com

 

 

The enclave approach to CMMC compliance is one of the most cost effective and least disruptive ways to safeguard CUI. You can maintain high-value custodial security of CUI without upending your existing processes, procedures, and people. That way, you can maintain the proper level of CMMC compliance and remain eligible to win DoD contracts.

Remember that CMMC compliance is all or nothing — you’re either compliant or not. And if you’re not, you won’t be eligible to win any business from the DoD. So how you protect CUI is critical.

Depending on how you handle CUI and the CMMC level you must abide by, your enclave is going to need different functionality. Which is why you need a CMMC enclave with multiple use case commitment levels and a way to manage multiple levels of CMMC.

This kind of versatility can be found in CyberSheath’s CMMCEnclave, part of its CMMC Managed Services.

How CMMCEnclave Expands Your Versatility

Based on Microsoft Azure, CMMCEnclave limits organizational CUI data sprawl and drives role-based allowances to CUI. It delivers CMMC ML3 of 130 controls. It also establishes a technical program on how to deal with other CUI-custodial suppliers to your organization.

And it’s the first CMMC enclave with optional management of multiple levels of CMMC. Those options include:

ML1:  Within weeks, become compliant with CMMC ML1 over your entire infrastructure, using Azure SIEM Sentinel continuous security monitoring and aggregation, managed endpoint detection and response (EDR) and malware protection, and detection and incident response of managed devices.

ML2: At this level, CyberSheath provides an overall virtual security officer and an ongoing compliance program oversight and routine reporting. It includes Tenable vulnerability and secure configuration management, Windows Active Directory identity protection, and multi-factor authentication.

ML3: Quickly gain an ability to bid on CMMC ML3 contracts with our Cloud-Based Hosted Compliance offerings, which include virtual security officer compliance oversight and reporting. Maintain compliance with Azure Information Protection against data leakage, Microsoft Mobility and Device Security Management, secure VPN services, Azure CMMC workbooks, Azure CMMC and NIST blueprints, and Azure Security Center for secure workloads, role-based access control, and configuration and posture management.

ML4 and ML5: We maintain the rigorous program, technology, engineering, and implementation required for the most robust security standards. Get in touch to talk through our offerings at CMMC levels 4 and 5.

A CMMC Enclave that Meets You Where You Are

CyberSheath’s CMMCEnclave includes four different use-case commitment levels based on contractors’ functionality and business needs, including:

External CUI communication: In this case, a secure SharePoint enclave is sufficient. This option can be hosted in GCC high or commercial cloud, depending on whether data is subject to exit controls.

CyberCloud — Shared Service: For users who only access Office applications, SharePoint Online, and OneDrive, this option uses Active Directory Partitions and Windows Virtual Desktop to share desktops in line with CMMC data security standards.

CyberCloud — Hybrid Cloud: Designed for organizations that need an affordable cloud platform and use custom applications or file servers, this option segregates customers on private network segments with network security boundaries on top of Active Directory partitioning. It keeps desktops private and only accessible by a single company, with options for private application servers on a customer network segment.

CyberCloud — Private Cloud: Keep all components, including Active Directory, completely private, with all servers and desktops residing in your Microsoft Azure tenant. You can host any applications or files in your environment and can optionally connect the enclave to your corporate infrastructure.

A New Level of Versatility in CMMC Compliance

CyberSheath’s CMMCEnclave reduces complexity, future-proofs compliance, and lowers costs, both immediate and ongoing.

Learn more about CMMCEnclave and how CyberSheath’s CMMC Managed Services can help you quickly reach compliance with these complex new requirements.  Contact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

CMMC is not a compliance framework. It’s a maturity model. That has big implications for how you approach compliance, but also how you keep track of all the elements that make up compliance.

And yet, visibility has been one of the most difficult challenges facing DIB contractors. It used to be that you would have to buy a service from a separate vendor to have any visibility at all into your compliance status, inventory of DFARS compliance artifacts and evidence, and your documented System Security Plan (SSP).

Even with those services, the best many contractors could do was to get a static report around a specific snapshot in time. The value of a report quickly fades in the face of an ever-changing threat landscape, not to mention a dynamic compliance environment. As POAMs evolve and you meet milestones, that report from the past can no longer tell you where you stand.

The dashboards that have existed to date all come with some assembly required. They would act more like containers with placeholders for asset management and other controls, leaving customers to cobble together a dashboard themselves.

It’s time for a real dashboard. This is why CyberSheath has added the first-ever CMMC Compliance-as-a-Service dashboard to its CMMC Managed Services.

A True CMMC Compliance Dashboard for Unparalleled Visibility

Available to customers regardless of previous or future technology selections, CyberSheath’s CMMC dashboard gives comprehensive visibility into every aspect of compliance and is continually updated so you can see at a glance, at any time, where you stand.

The dashboard offers up-to-the-minute visibility into your:

  • Current compliance status
  • Inventory of DFARS compliance artifacts and evidence
  • Security threat landscape and incident levels
  • Current version and documentation of your SSP
  • Supply chain assessment
  • Performance of your CMMC enclaves or regimes

It not only confirms your compliance status, but evolves and expands with your business as you need to meet new maturity levels. It also holds us accountable against the SLA we’re on contract for by showing you exactly where you stand with respect to CMMC requirements so there’s never a question of whether you’re eligible for DoD contracts. The dashboard gives you everything you need to know about your CMMC compliance status.

CyberSheath CMMC Compliance Dashboard

CyberSheath built the CMMC Compliance Dashboard leveraging the technology of the world’s leading companies including:

  • Microsoft Azure NIST & CMMC Blueprints
  • Microsoft Azure CMMC Workbooks
  • SIEMPLIFY
  • Microsoft Sentinel SOAR & Correlation engines

It also benefits from unique integrations such as compliance landscape updates.

It’s not enough to simply achieve compliance. As a maturity model, CMMC requires a new level of visibility. Learn more about CyberSheath’s CMMC Managed Services and how our dashboard helps contractors stay up to date on their CMMC compliance status, the current threat landscape, and their CMMCEnclave performance.

Need Help?

As your organization moves to become compliant with any level of CMMC, challenges can arise. CMMC compliance requires documented, integrated and evidence-based Cybersecurity, IT, and Governance – all of which is addressed in our recently enhanced CMMC Managed ServicesContact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the time to take important steps to ensure that the transition to your new provider is a smooth one.

Tips on Getting Offboarding Started

  • Maintain communication – In terms of your outgoing MSP, one adage rings true–don’t burn bridges. The company you are letting go is a key to your success moving forward. Severing all ties prematurely could leave your company stranded, unsupportable, and looking at a larger bill to recover data, admin credentials, and backups, as well as negatively impact your overall business.
  • Transfer knowledge – While CyberSheath or another onboarding MSP has no authority to require the outbound MSP supply the needed information to manage the infrastructure effectively, performing knowledge transfer with your outgoing MSP can assist with all entities involved working as a team.
  • Include key details in release letter – Note that it is essential to have these expectations listed in your release letter. It is also a great idea to have the leaving MSP sign off and agree to participate in this process. Without these items, your new MSP will have the daunting task of figuring out your infrastructure and credentials.
  • Don’t delete a Global Admin account – Have you ever not had the global admin account for your domain controller or active directory? You will not do much without it. Deleting one of these accounts could have down-stream effects on your infrastructure and access that could require significant recovery efforts, which means considerable expense.
  • Ensure outgoing MSP participation in process – It is also a great idea to have the leaving MSP signoff and agree to participate in the offboarding process. Without this input, your incoming MSP will have a daunting task of figuring out your infrastructure and credentials, which not an easy task without certain information.

Key Information to Document

Remember that the outgoing service provider was a partner in your network and infrastructure, and therefore possesses information that is vital in supporting the success of your new service provider.

Below is an initial list of important information to record as you prepare to offboard your exiting MSP. Keep in mind that your company may have unique situations requiring additional information be turned over.

  1. All admin credentials for all in-scope devices used in the course of business. These include but not limited to servers, routers, firewalls, storage devices, and applications used by your company. It is a good idea to maintain a list of these even if you are not transitioning to a new MSP. MSPs often create accounts for themselves within your infrastructure. These are now keys to your environment, so it is a good practice to keep a list of who has access.
  2. All intellectual property (IP) needed to maintain current business practices and processes. MSPs often acquire a lot of knowledge about your company in their day-to-day operations of supporting your company. While it may be impractical to truly download everything your outgoing MSP knows about your company, it is a good idea to have a non-disclosure agreement (NDA) in place to ensure that information stays confidential.
  3. Complete list of all assets currently managed. This will help your new MSP understand your environment.
  4. Network topology diagram to include current IP mappings and ports used for day-to-day operations. CyberSheath recommends that you review this diagram on a quarterly basis or as you change components within your infrastructure. For example, if you moved on-premise servers to the cloud, be sure to ask for an updated diagram.
  5. Knowledge base information specific to or used in the support of your company’s infrastructure. The importance of this cannot be overstated. All companies have IT skeletons in their closets. Moving to a new MSP and not helping them with understanding the unexpected, sets the stage for failure.
  6. Backup schedules and access to the location where backup data is stored. Also be sure to have access to credentials to retrieve those backups and applications used to perform these tasks, as well as the most recent full backup.
  7. Licenses schedule and account information associated with those licenses so that the licenses can be transferred to your onboarding MSP. Companies should always document and maintain this information. You cannot renew or transfer software licenses without a company’s account number and approval. It is also recommended to have a quarterly review of your licensing footprint as unused licenses incur unnoticed expenses.
  8. Technical Point of Contact (TPOC) that can be available for the dates of the transition (usually 30 to 60 days). It is important that the person in this role understands technical issues to ensure the onboarding company has access to the client’s IT dependencies.

If you are still searching for your new MSP, CyberSheath offers a unique managed service combining security and IT services, which bring our customers a complete, protected service solution. Our MSP offering is secure, contains no ransomware, and allows our customers to keep their data.

We keep our customers up and running. Learn more about our managed services to help you with CMMC compliance, DFARS/NIST 800-171 compliance, or managed IT for defense contractors.

I’m a DoD contractor; what do I need to do for CMMC?

To start or continue working with the DoD, all contractors must achieve and maintain the appropriate level of cybersecurity compliance. But what do you need to do, and when does it need to be done? Simple questions deserve simple answers. The truth is that what you need to do is straightforward and can be done in a way that enables you to pay as you go, doing what is required now while laying the foundation for the future.

At a minimum, defense contractors must understand what DFARS 252.204-7012, NIST SP 800-171, and CMMC are and how non-compliance will impact their business. By now, you have probably heard of the Cybersecurity Maturity Model Certification or CMMC; in fact, you are probably tired of hearing about it.  

While everything has seemingly changed with CMMC becoming law in November 2020, in reality nothing has changed other than DoD now enforcing the regulations. The enforcement comes in the form of “no compliance, no contract,” so it’s the ultimate incentive for any business reliant on DoD revenue. The good news is that long-term compliance steps are very much the same as they have been since 2015. Everything is grounded in compliance with NIST 800-171 as an initial step. So let us look at what needs to happen and in what order:

  • Compliance with DFARS 252.204-7012 mandates NIST 800-171 compliance. 
  • Contractors are required to assess their compliance against NIST 800-171 using the DoD scoring methodology.
  • Contractor assessment scores must be submitted to Supplier Performance Risk System (SPRS) (More detail on that process here, Supplier Performance Risk System (SPRS) )
  • If you do nothing else, assess yourself against NIST 800-171 compliance, submit your score via SPRS and then start closing the gaps.
  • New DoD contract awards after November 2020 require complete and accurate SPRS submission. In other words, no assessment, no revenue.
  • CMMC at its foundation is based on NIST 800-171, so all the work you have done up to this point for NIST 800-171 will speed your CMMC compliance efforts.

If you were required to comply with DFARS 252.204-7012 and implement NIST 800-171, it’s a reasonable assumption that ultimately you will need to achieve CMMC Maturity Level 3. But again, first thing first, let us understand the basis of everything and then build from there.

Understanding DFARS 252.204-7012 and NIST SP 800-171

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been updated to enforce DoD contractor compliance with specific regulatory requirements to protect America’s defense industrial base. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, dates back to 2015 and was intended to protect Controlled Unclassified Information (CUI) on defense contractor networks.  

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

  • Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules to protect Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally safe alternative approach is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering 90 days prior to the report’s date, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

If a subcontractor experiences a cybersecurity incident, they must report it to you or the next highest tier of subcontractor and present the evidence as required. As the prime contractor, you are required to report the incident to the DoD and submit the evidence, as detailed above.

The above set of requirements summarizes DFARS 252.204-7012 and NIST SP 800-171, and if you have met these requirements, you are well over half of the way to CMMC ML 3 compliance. 

Why CMMC  Maturity Level (ML) 3 Compliance?

If your current contracts call for DFARS 252.204-7012 compliance, the government believes that you have Controlled Unclassified Information (CUI), which means you should aim for CMMC ML 3 as your next step.  

CMMC ML 3 includes all 110 NIST 800-171 controls as well as 20 additional practices for a total of 130 controls. One of the most significant differences between NIST 800-171 and CMMC is that NIST 800-171 allows you to be in compliance without implementing all 110 practices, provided you have a Plan of Action and the Milestones (POAM) in place. This is a revenue-limiting difference that deserves your full attention. You either comply with all of CMMC, or you are non-compliant with CMMC.

As you look at getting to full compliance with CMMC ML 3, your company’s specific needs will vary in addressing the remaining 20 practices. Contact CyberSheath to see how we can help you achieve and maintain compliance with DFARS 252.204-7012, NIST SP 800-171, and CMMC ML3. Often, an enclave is the fastest path to CMMC ML 3 compliance, but each situation is different.  CMMC compliance requires documented, integrated and evidence-based Cybersecurity, IT, and Governance. Register now for a live webinar on April 21, 2021, at 9:00 am PST | 12:00 pm EST, to learn how you can bring order to the chaos of achieving NIST 800-171 and CMMC compliance.

 

Webinar CMMC - How It Started. How It's Going.

 

 

As your organization works to determine the meaning and application of the various levels of the newly enacted Cybersecurity Maturity Model Certification (CMMC), questions arise. One particular issue surrounds the issue of SIEM as it pertains to the first level of CMMC. The short answer to whether it is required or not is: it’s complicated.

A Closer Look at Level 1 SIEM Requirements

The key word in the assessment guide and in the CMMC practice for Systems and Communication Protection (SC) found at SC.1.175 is ‘Monitor.’ This practice requirement is heavily focused on perimeter and boundary defense, meaning that your cyber boundaries must be controlled, protected, and monitored.

What it means to your company – Chances are, you already have a firewall. Consequently, the most common compliance issue the CyberSheath team sees with this particular requirement is a lack of proactive monitoring. In CMMC level 1, you only need to address the one SC requirement–boundary protection and control services, such as firewall, intrusion detection system (IDS), intrusion prevention system (IPS), and web proxy if it exists.

How CyberSheath can help – At CyberSheath, we monitor your IT infrastructure with Azure Sentinel. Level 1 monitoring is cost-effective as there is less activity required, with less log integration, less log consumption, and less Azure Sentinel cost.

For Level 1, the monitoring cost is mostly based on storage, and excludes licensing, deployment, and management of Microsoft Defender or the Log Analytics Agent, since only the boundary and perimeter devices need to be monitored. Also, typically Level 1 does include government community cloud (GCC) requirements, as there is no controlled unclassified information (CUI) to contend with, only federal contact information (FCI). The result is commercial Microsoft services are appropriate for the SIEM requirements of Level 1.

Requirements Shift as You Advance to Level 3

As your organization moves to higher levels of CMMC, more controls need to be enacted around monitoring users including detecting unauthorized use of accounts, responding to support incidents, tracking log correlation requirements, and more.

At Level 3, your organization needs the right log sources to support the investigative process, such as endpoint protection, perimeter monitoring, authentication logs, and other security tools. As you can see, the resources needed to achieve Level 3 are more advanced, and also carry higher Azure Sentinel data costs.

Another Consideration for SIEM Requirements

The System and Information Integrity control family requires the ability to detect malware, and update signatures, at appropriate locations. The assessment guide specifies items like the ability to detect malware on the network (IDS/IPS) and on endpoints (Anti-Virus/endpoint detection and response (EDR)).

If your company wants to use basic, built-in Windows Defender, this can meet a Level 1 requirement. However, if your organization wants to license Microsoft Endpoint Defender to solve for this, you have the opportunity to easily integrate with Sentinel for monitoring on Commercial licensing at a fairly low cost. While not a necessity for CMMC level 1, this solution is good to have and also better prepares you should you seek CMMC Level 3 in the future.

Need Help?

As your organization moves to become compliant with any level of CMMC, challenges can arise.  Join Eric Noonan and Carl Herberger, VP of Security Services, on Wednesday, April 21st, 2021 at 9:00am (PST) | 12:00pm (EST), for “CMMC – How It Started. How It’s Going,” when they will talk through five common pain points experienced by organizations tackling DoD regulations.

No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or writing you SSP – this webinar will accelerate your journey. Register Now.

 

Webinar CMMC - How It Started. How It's Going.

Many defense contractors outsource their IT to a Managed Service Provider (MSP), who generally deliver the IT required and allows a business to focus on their core competency. IT managed services through MSP’s have been around for a long time now and rarely include service or commitments to meet compliance requirements like the Cybersecurity Maturity Model Certification (CMMC). It has only been in the last several years that MSPs have moved into the cybersecurity space to expand on their IT service offerings. At best, the MSP market for defense contractors offers IT and cybersecurity in one provider but completely ignores CMMC compliance requirements. This is a big problem, and Department of Defense (DoD) contractors, as their future revenue opportunities are dependent upon achieving compliance.

Most MSP’s are brand new to CMMC but unfortunately for their customers’ asset management, patching, and media sanitization stand in the way of CMMC compliance and DoD revenue opportunities. Defense contractors who have an MSP, or are looking at an MSP, are putting their revenue opportunities in the hands of a third party. It is time to rethink your MSP relationship and possibly start searching for alternatives.

The Role of IT in achieving CMMC

Much of the thinking to date around MSP’s and CMMC gets into nuanced legal issues around the MSP’s access to Controlled Unclassified Information (CUI). Still, the real problem is much more fundamental and easy to understand. Your MSP is responsible for many of the requirements tied to your eventual CMMC objective. If your MSP is not delivering their services in a way that produces evidence of compliance with CMMC you won’t achieve certification; it is truly that simple. Many of the requirements of CMMC fall into the information technology category when it comes to delivering them on a day-to-day basis. All of the attention so far has been focused on the cybersecurity requirements of CMMC. Still, as anybody in an operational role knows, much of CMMC falls to the IT delivery organization. If your IT delivery organization is an MSP, are you comfortable trusting them with your future revenue opportunities? Will they learn about the CMMC on your dime? Do they even mention CMMC services on their current website?    

You need an MSP that can marry the delivery of IT, cybersecurity, and governance in one comprehensive, measurable package to ensure compliance. CMMC stands in the way of all future revenue opportunities with the DoD; it is too important to be an add-on to your existing MSP services. 

A potentially worse scenario is having one vendor do your IT services delivery as an MSP, and another vendor responsible for cybersecurity as your MSSP, with you, stuck in the middle playing referee. There is no way around it; achieving CMMC is difficult, costs money, and requires the coordination of IT, cybersecurity, and governance activities. Most small to medium businesses don’t have the resources to coordinate or even know how to evaluate vendor claims around CMMC. Asking an MSP to unpack the nuances and complexities of NIST 800-171, SPRS submission, and CMMC is generally a bridge too far for any MSP that wasn’t created exclusively to service the defense industrial base and their unique regulatory requirements.

So, what should small and mid-sized defense contractors do?

At our upcoming webinar, we will talk about bringing order to the chaos of achieving NIST 800-171 and CMMC compliance. We discuss strategies through the lens of working with an MSP because few are equipped to meet all NIST 800-171 and CMMC requirements on their own. We will detail solutions to key pain points felt by defense contractors contractually obligated to meet DoD requirements giving you insights into implementing these solutions with internal resources or through your MSP.

No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or shopping for an MSP – this webinar will accelerate your journey. Register Now.

 

Webinar CMMC - How It Started. How It's Going.

On the heels of Solarigate and Hafnium, companies are once again evaluating their overall IT and security posture. While ransomware has grabbed much of the attention over the past three years, it’s increasingly obvious nation state-related attacks infiltrating organizations and exfiltrating their data have not faded away. In fact, these efforts have just become more sophisticated and targeted.

Companies that are part of the Defense Industrial Base are being pushed due to requirements around NIST and CMMC, but the details to become compliant often do not give a clear path to being secure. As such, these companies should re-evaluate these two critical things:

  • Cloud Strategy
  • Security Toolset

 

Cloud Strategy

For many smaller companies, it should be clear that the speed that technology changes and the continued exploits of zero-day attacks that on-premise architecture puts IT teams at a considerable disadvantage.  Even with known vulnerabilities, the discipline and effort to consistently apply a patch management strategy has been challenging to apply among a sprawling patchwork of different vendor operating systems and tools. And, ironically, the Solarigate attack targeted the same software that was meant to assist with on-premise monitoring and management.

Increasingly there are other reasons for companies to manage on-premise infrastructure and services. Especially in the post-COVID world, where companies have now had a crash course in managing and granting access to a remote workforce, a cloud-first strategy becomes increasingly realistic. Leveraging services continually monitored and patched by the vendors, especially with Government Community Clouds now available, should be the primary go-forward strategy for small and medium-sized businesses.

 

Security Toolset

The security vendor landscape is still a jumbled mass of products offered by multiple vendors, many of which overlap. Purchasing strategies have swung back and forth like a pendulum in approaches from ‘best of breed’ to a single vendor approach.  Wherever your organization is hanging at this point, you must be implementing these essential technologies:

 

Endpoint Detection and Response

Traditional endpoint anti-virus is no longer sufficient for security teams to leverage in their environment. Endpoints are now distributed throughout many geographic locations, and the ‘hard and crunchy outside’ provided by legacy IT infrastructure designs no longer exist as employees work from home en-mass.  Security analysts must have the capability not only to see alerts from signatures but also to investigate anomalous activity while potentially needing to isolate the host to prevent the threat actor from doing additional damage or exfiltrating damage.

 

Security Information and Event Management (SIEM)

Data is critical to determining what is happening in your environment. The purpose of the SIEM is to collect, correlate, and assist with analyzing the massive amounts of data generated by endpoints, network devices, and security tools.  As threats emerge, the SIEM becomes one of the primary tools to determine if those threat indicators exist in your environment. However, the effort that goes into tuning and normalizing the data to be useful, not to mention analyzing the data even after data correlation, is a large lift for many organizations.  Not utilizing a SIEM capability can make it very difficult to understand the full scope of attacks you are facing.

 

CMMC: Understand How It Fits into the Overall IT and Security Strategy

To conclude, companies subject to CMMC should take this time to understand how it fits into the overall IT and Security strategy and not have a myopic focus on just achieving compliance. Recent coordinated hacks are having a significant impact on the operations of many companies.  Organizations must leverage new ways of approaching traditional IT challenges that also reduce their overall security exposure.

CyberSheath has long recognized that a large part of IT delivery, things like patching and asset management, are foundational to NIST 800-171 and CMMC compliance, which is why we are offering a force-multiplying solution for Managed IT services. This offering is only available to defense contractors and can be paired with our Security solution to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.

Yesterday, Richard Wakeman, Senior Director – Aerospace and Defense at Microsoft, provided a terrific update to his 2019 blog post, Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings, providing a lot of additional detail, and answering many of the questions we at CyberSheath come across on the regular from our Defense Industrial Base (DIB) customers. Today, I’d like to cover the three most interesting and impactful assertions from the article and discuss what the changes and clarifications mean for current and future customers of Microsoft’s cloud services who have defense regulatory requirements. But let’s start with the compliance matrices:

 

Microsoft-2019

 

Microsoft-2021

As you can see when looking between the year 2019 and 2021 of these compliance matrices, a lot of the ambiguity in the 2019 version is removed. There are no longer “Maybes” or fine print in the cells of the table, and there is an overlay highlighting the importance of data sovereignty – more on that in a minute. You can also see the introduction of CMMC Maturity Levels and the more frequently referenced term of Federal Contract Information (FCI). Let’s talk more about these three interesting bits of information.

 

Microsoft 365 Government Community Cloud (GCC) High

Observation 1: Still suggested (but…is it required?)

GCC High – A common buzz word in the world of DFARS 7012 and CMMC. There’s been a lot of speculation as to whether or not Microsoft 365 services on GCC High are required if you are doing defense work, and I think Microsoft’s update makes the answer much clearer. The short answer is still maybe, as it was in 2019, but the information provided is much more prescriptive in leading DIB contractors to ask the right questions about the data they are protecting.

  • Do you have the DFARS 7012 Clause in any of your Defense-related contracts?
  • Do you have Controlled Unclassified Information (CUI)?
  • Do you have Federal Contract Information (FCI)?
  • And, with added emphasis, do you have ITAR/EAR data?

This is a simplification of the thought process, and for the sake of keeping this somewhat short, I’m avoiding the thoughtfulness and consideration that should happen around where these data sets exist, how they are stored, received, shared, but depending on how these questions are answered, it becomes clear as to which Microsoft 365 services you should be using or considering. The trouble though is, are you, as a contractor, looking through the right compliance lens? There are vendors, solutions and service providers out there that attempt to solve for a control or set of controls, attempt to deliver compliance for a particular standard (NIST 800-171, CMMC), but the fact of the matter is, all the other questions must be considered to select the right product for your business.

Much of the CyberSheath team has been born and raised in the Defense Industrial Base – we understand the challenges with interpreting these requirements and the importance of all of them, which is why I was happy to see Microsoft’s emphasis on Data Sovereignty and ITAR/EAR in their update. And, like Mr. Wakeman alluded to, security and compliance practitioners are not (usually) legal counsel, but as CyberSheath’s business is focused on delivering security and compliance for the Defense Industrial Base, we have been having these discussions with our customers for years, helping them navigate the decision-making process around their data protection requirements.

If you only receive well-defined non-ITAR/EAR CUI through a secure file transfer portal, and you keep that data on on-prem file services, do you need GCC, or GCC High? Probably not. On the other hand, if you are exchanging ITAR/EAR via cloud email services, collaborating with Defense customers on Microsoft 365 – Teams, SharePoint, OneDrive – You’re going to want to strongly consider GCC High because of the US sovereignty for all the supporting Azure infrastructure and services to meet your ITAR/EAR requirements.

 

Microsoft 365 GCC (Not High)

Observation 2: Now with Flow Downs!

“If I can’t flow down the DFARS 7012 requirement to Microsoft, how can I ensure that I can comply with sub-paragraphs (c)-(g) on incident reporting?” This was a deal breaker for many of those considering GCC vs. GCC High for quite some time, but it appears that Microsoft is now accepting flow down of the DFARS 7012 clause for GCC proper with the publishing of this compliance update.

This means that, if it’s important for you as a DIB contractor to contractually obligate Microsoft to meet the DFARS 7012 clause, including those pesky incident reporting requirements, you can now do so, Microsoft will accept that contractual obligation, and you will remain compliant with sub-paragraphs (c)-(g), which is just as important if not more so.

But again, as I mentioned above, please ensure that GCC is the right set of services for your circumstances. If you intend to store or transmit ITAR/EAR data with Microsoft 365, it’s likely best to keep the data in the US to meet your regulatory obligations. If you don’t plan to comingle your sensitive data with Microsoft 365, it would be prudent to have the administrative and/or technical means to manage incidents for if and when these types of regulated data end up on services that are not authorized to store-process-transmit those data types. Your accreditation boundaries in your System Security Plan should be pretty clear on this.

 

Microsoft 365 Commercial

Observation 3: Acceptable for Federal Contract Information!

Federal Contract Information (FCI) has a wider industry footprint than it’s CUI/CDI/ITAR cousins and has a much smaller set of protection requirements.

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

My interpretation of this is, if you have information provided by or generated for the government in your work, and it’s not marked or identified as being publicly releasable, it’s safe to assume you have FCI.

With that said, if you are confident that you don’t have the more sensitive subsets of FCI that I mentioned earlier – No DFARS 7012 Clause, No ITAR/EAR requirements – but you still do business with the DoD, the security controls of Microsoft 365 commercial should be adequate to meet the 15 basic protection requirements listed in FAR 52.204-21 for FCI. This is now clearly illustrated in Microsoft’s compliance update.

 

In Conclusion

Moving to Microsoft 365, GCC, GCC High is not inexpensive or without effort. Many of CyberSheath’s customers are taking an approach to minimize the use of these services by establishing enclaves of GCC or GCC High services, accessible only to users who need to work on sensitive data sets – sometimes even establishing these enclaves as an insurance policy for if and when they need to work on CUI or ITAR controlled information. These are viable options for those in the DIB where defense work is only a small fraction of their business, and CUI can easily be identified and controlled. Alternatively, some customers are establishing controls to keep CUI away from their cloud services and owning the compliance burden with on-premises resources and services. Both can be done.

The fact of the matter is the industry is operating under overlapping regulatory guidelines, some of which are interim guidelines, many of which are unfolding before us. It’s great to see Microsoft’s stance on this moving target and providing substantial and informative guidance to assist in decision making related to their services.

Check out the complete 2021 compliance update from Microsoft, here.

 


CyberSheath is a Microsoft CSP, Microsoft Silver Partner and Microsoft Intelligent Security Association (MISA) member and CMMC AB Registered Provider Organization. Our team has been working with the DoD on DFARS related issues since 2008, initially as a part of the Defense Industrial Base Cyber Security Initiative (DIBCSI).

With hundreds of NIST SP 800-171 assessments and implementations successfully performed for DoD contractors, we can help you cut through the confusion and deliver measurable, ongoing compliance as the Cybersecurity Maturity Model Certification (CMMC) is implemented.  For more information, contact a CyberSheath expert today.

 

 

The US government, through the lead agency, the Department of Defense (DoD) is implementing a new Cybersecurity Maturity Model Certification (CMMC) requirement for all private-sector businesses that work with the DoD, and now we understand that the standard will be integrated into the GSA and DHS agencies too.  However, the standard isn’t exclusive to the US government, and is largely being rolled out through a private-public partnership and can be extended to any company, country, independent of the requirements to use the standard for specific US agencies.

In addition to these agencies, on May 15, 2019, then President Trump issued Executive Order on Securing the Information and Communications Technology and Services Supply Chain (E.O. 13873) to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.

The E.O. sets out the procedures the Department of Commerce will use to prohibit the use or transaction of “information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”, and that pose risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety.

These new research efforts and the new CMMC requirements will directly affect the roughly 350,000 businesses that are part of the DoD supply chain and now 11 million businesses as part of the GSA and likely spread throughout the entire US government. This new standard’s ripple effect is expected to be even larger, potentially replacing almost all other broadly recognized cybersecurity standards.

The CMMC is a set of security controls being developed under the DoD’s guidance in coordination with industry and academia, building on previous standards including NIST 800-171, 800-53, CSF, ISO 27002, CIS v7, Secure Controls Framework, and others.

Five Reasons ISO 27001/27002 Will Not Last Against CMMC Dominance

Reason One: CMMC is required for contracts with the US government and, the CMMC standard is US law/regulation (e.g. compulsory requirement for covered entities).

  1. By law, all DoD suppliers must comply with CMMC and increasingly most GSA and DHS suppliers as of this article’s writing.  This is a sweeping change. It doesn’t matter if you handle classified information or Controlled Unclassified Information (CUI).  If you work with the DoD, supply a DoD prime contractor, or are a supplier to a DoD sub-contractor, this applies to you.
  2. The federal government is the single largest buyer globally, with annual spending on goods and services close to $450 billion a year. In addition, as estimated US military spending is $934 billion and the Department of Homeland Security (DHS) is $60 billion.   Said simply, most of this nearly $1.5 trillion spending will require oversight or CMMC certification by Oct 1st, 2025.    How does this compare?  There is no other cybersecurity standard globally, which requires certification before their resident business can earn revenue. In other words, CMMC is a VERY different standard in that it directly impacts the underlying revenue of a company.

Reason Two: CMMC is a standard above all standards.

This new standard, driven by the US government’s regulatory might, is likely to become the de facto cybersecurity framework for all businesses—regardless of whether they work with the DoD.  The resulting simplification in approach and achievement supply-chain risk will render nearly all other cybersecurity benchmark standards obsolete.

Organizations choose to comply with an information security standard for only one reason: it makes good business sense. Sometimes there are external drivers, such as a key client’s demand, and sometimes the driver is internal, such as a clearly articulated enterprise risk management program.

However, organizations loathe complying with more than one security standard as inefficient and unnecessary.

Some of the factors that go into picking a standard to adopt include:

  • Comprehensive. Ability to be applied across a large swath of business types, sizes, geographies, and needs.
  • Legal & Reputable. National standards (like NIST) and international (like ISO) organizations have strong reputations and are well-recognized. Virtually all reputable standards address the same topics in their unique way. All businesses do the mapping of one standard to another, so a company that worked on becoming ISO 27001 compliant can explain how it is also NIST 800-53 compliant.
  • Applicable. For instance, PCI is relevant to organizations handling payment-card information, and HIPAA is relevant to US Healthcare organizations.  The NIST 800-171 is intended for organizations doing business with the US DoD.
  • Cost-effective. The organization must be able to achieve and maintain compliance without wrecking the business.

The CMMC ticks all these boxes for about +/- 350,000 DoD companies and a growing list of companies outside of those directly in coverage. Since the CMMC is based on the best of all the current reputable standards, there is no particular need to show how it maps back to them; for most of these companies, there is no compelling business reason to comply with any other standard. Because companies must be certified by an impartial, external third party, the CMMC also provides a much stronger assurance to non-DoD business partners than unsubstantiated claims of being compliant with any other standard. The cost of gaining and retaining compliance is minimal to ensure that the supply chain is secured rather than disrupted.

Also, as organizations earn certification, their CMMC level will drive out other claims about cybersecurity. The CMMC level will also simplify the interactions between businesses regarding how information is protected. Currently, mature organizations include some level of cyber due diligence in their contracting processes. With this new standard, instead of subjecting business partners to long questionnaires about their internal cybersecurity, even non-DoD organizations will only have to ask each other a straightforward question: What is your CMMC level?

Reason Three: Programmatically, CMMC auditors are better than any other auditors in the security space.

Auditors must endure and certify both knowledge, competency, ethics, and security background checks and have the quality of their reviews checked and evaluated.  Until now, only the PCI-Standard, the ISO 27001/27002, and HITRUST frameworks offered the option to be certified by a third party. Organizations could say they were compliant, satisfying most who had an interest in security but glossing over that they were not certified. CMMC will require certification by a third party. However, these auditors are very different than ISO in that ethical guidelines bind them, security background checks, knowledge qualification reviews, and qualification checks. The PCI standard is similar in this approach; however, PCI is self-governance from industry versus a legal requirement for all gaining certification.  Moreover, CMMC will police the marketing, attestations, and behavior of those participating in a way that should vet frequent offenders.

Reason Four: CMMC is revenue-focused, not policing-focused.

Up until now, NO cybersecurity standard stood in front of a contract et large.  CMMC is the only standard in which you may not move forward for fulfillment if you do not certify to the level called for by the desirable contract award.  Said another way, you must FIRST become certified not claim ignorance and deny knowledge of one’s responsibility when faced with a policing action afterward.

Reason Five: Most companies will need to be CMMC certified; ISO offers nothing more comprehensive.

Review these considerations below:

Say Hello to CMMC and Goodbye to ISO 27001

Overall, the CMMC process only became law in September 2020 and set in motion a five-year transition plan. It’s hard to determine the full impact of this new compliance approach now; however, CMMC will be the de facto standard to build around for a generation or two at the least.  Also, the DoD is willing and able to enforce these standards as 2021 has ushered in a whole new class of contract award refusals and business-process changes built around cybersecurity compliance certifications.

It also means that DoD contractors should start taking proactive steps to strengthen their security measures and consider migrating from old standards such as ISO 27001/27002 to CMMC. Consider the maturity level you’ll need to earn to continue to justify your security program’s performance (or your DoD contracts) or make the types of contracts you want to hold in the future.

NIST and CMMC will work hand in hand to make for a safer and more structurally sound data security landscape and supply chain and in its place will be a legion of old standards whose usefulness has sunsetted.

The Department of Defense (DoD) suppliers were notified at the end of September about the new DFARS Interim Rule designed to collect NIST 800-171 assessment scores from all DoD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule has become law reinforcing suppliers need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The Rush to Submit to SPRS

SPRS submission is being enforced and contractors are being told “no submission, no contract.” In just these first few weeks of 2021 CyberSheath has taken on several customers with incredibly short timelines on SPRS submission either because they didn’t believe that the requirement would be enforced or did not know it existed. The result has been a mad scramble of resources (both on their side and ours) to ensure that DoD revenue was not denied due to failure to conduct, score and submit the required NIST 800-171 gap assessment and related details. These contact us submissions are coming in regularly and with varying degrees of urgency, but the common thread is that “our contracting officer is refusing to take action without an SPRS submission.” 

For the remaining thousands upon thousands of defense contractors who have yet to move positively towards SPRS submission, NIST 800-171 compliance or CMMC at any level, rest assured it will be more cost-effective and sustainable to get started now. Having a contract award delayed because of SPRS assessment scoring submission is entirely avoidable. Correctly addressing compliance, with the endgame of CMMC in mind, rather than a one-off SPRS contracting hurdle, proves to be the better business decision. 

Even before the SPRS requirement, Cybersecurity Maturity Model Certification (CMMC) loomed large for defense contractors. In fact, when we recently surveyed more than 200 senior executives, our results revealed that 82% of contractors believed they had Controlled Unclassified Information (CUI), necessitating CMMC Maturity Level 3. Contrasting the requirement to be CMMC ML3 with what we have found to be an average score of -115, on the scale that ranges from -203 to 110 for SPRS scoring, and you can see that what executives believe to be true is in no way aligned with how they are resourcing the problem. CyberSheath will be opening the vault on our data across the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks at our free webinar on February 3, 2021, but said succinctly; the DIB is failing at cybersecurity.

So, How Can You Meet Both Short-term (SPRS) and Long-term (CMMC) Objectives?

Recognize that despite all of the potentially confusing acronyms and jargon, the requirements in 2020, and the steps to long-term compliance, are very much the same as they have been since 2015. 

Everything is grounded in compliance with NIST 800-171 as an initial step. 

  • Compliance with DFARS 252.204-7012 mandates NIST 800-171 compliance. 
  • Your SPRS submission is based on compliance with NIST 800-171.
  • CMMC at its foundation is based on NIST 800-171.

All journeys to near- and long-term compliance start with NIST 800-171 and everything else, as of this writing, is a distraction. Start with NIST 800-171, and you will end up at CMMC ML3 if you follow our proven path to success, which includes these five steps:

5 Steps to CMMC ML3 Compliance

1. Assess current operations for compliance with NIST 800-171. Requirement 3.12.1 of NIST 800-171 mandates that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.” The assessment should cover all 14 families and 110 security requirements. It can be an internally led effort or executed by a third party and you can kill two birds with one stone by using this opportunity to do your required SPRS scoring as well. 

2. Write a System Security Plan (SSP).

Requirement 3.12.4 (System Security Plan, added by NIST 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Your SSP is likely the first thing you will be asked for in an audit. It should accurately reflect your actual implementation of the controls. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.

3. Document Plans of Action & Milestones (POAMs).

Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems. It’s likely that a number of the 110 security requirements will not be fully implemented in your environment. This should be exposed during your assessment and POAMs should be documented, ideally during the assessment.

4. Implement the required controls.

Execute your POAM’s and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and if you are using only internal resources remember they all already have day jobs, so set your expectations accordingly. If you work with a third party to implement the controls look for the following expertise:

  • Have they implemented the NIST 800-171 controls for similar sized businesses?
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab and engineering environments?

Ask for and check references. Implementation can be complex in manufacturing, lab and engineering environments and your SSP should reflect these complexities.

5. Maintain Compliance

Document and implement a plan to leverage internal or external resources to maintain compliance. Compliance has a long operations and maintenance tail and should be a repeatable outcome of daily operations, not an annual fire drill. Key questions to answer include:

  • How will you detect, respond and report incidents within the required 72-hour reporting period? 
  • What is your plan to manage your subcontractors and suppliers to meet your compliance requirements?
  • How will you update SSP’s and POAM’s as your business and IT infrastructure changes?

Maintaining compliance is an often-overlooked aspect of achieving compliance. With the significantly evolving regulatory landscape counting on a vendor who can help navigate these landmines is critical. Don’t make the expensive mistake of ignoring the ongoing need to demonstrate compliance and automate and document your efforts for sustained success.

Kickstart Your Compliance Efforts

Don’t forget, we will be opening the vault on our data across the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks at our free webinar on February 3, 2021.

How Secure is the DIB Supply Chain?

Scrutiny of defense industrial base (DIB) cybersecurity has never been higher. The costs and impacts of security lapses are on full display in the wake of the SolarWinds breach, as federal agencies continue to investigate the full scale of the intrusion, likely the work of Russia.

Even before recent events, Cybersecurity Maturity Model Certification (CMMC) loomed large among the DIB. We took a snapshot this fall of where DoD contractors stand, surveying more than 200 senior executives to find out what work still needs to be done, the risks and challenges they face, and how to ensure long-term security and compliance.

The results reveal new opportunities, including mitigation and investment strategies, and highlight some of the biggest remaining unknowns that the DIB must quickly address.

This report is designed to help the DIB, the US DoD, and the general security community better understand the level of compliance, the acceptance of new rules, the level of understanding of the cyberattack threat landscape, and current levels of preparedness and business impacts.

Once you learn what DoD suppliers are thinking, find out what they’ve been doing for the past five years. We’re opening the vault on data from the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks to help contractors better navigate the road to CMMC compliance. Join our free webinar on February 3, 2021 for all the findings.

 

Among the key findings of the Fall 2020 executive survey:

 

Finding 1: 21% of DIB companies surveyed have experienced a cybersecurity incident

 A little over one-fifth of DIB companies indicated that they have been a victim of a cyberattack, highlighting the risk that CMMC aims to curb. But as the demand for security professionals outpaces supply, executives are increasingly looking to public cloud and key DIB partners to assist in managing security.

Public cloud infrastructure offers some of the best bets, and allows DIB companies to compete effectively in today’s digital world and stay secure. Moreover, as cyberattacks become more rampant, DIB C-Suite professionals are looking for active management and continuous monitoring of all infrastructures.

 

Finding 2: 82% of DIB contractors are handling CUI, a Critical Element in DFARS Compliance (CMMC / NIST 800-171)

Of DIB companies surveyed, 82% understand that they process Controlled Unclassified Information (CUI) as first defined by a ruleset under the Obama administration. As a result, they inherit the most onerous requirements of CMMC and NIST 800-171 security standards, which are critical to ensuring future DoD revenue.

Executives are concerned about the impact security threats can have on business performance, pointing to the potential loss of customers, brand reputation, and operational productivity. Many report adjusting budget priorities to better secure networks and prevent attacks.

The impacts of attacks on DIB corporate networks can vary depending on the industry in which companies compete. Manufacturers that have long embraced automation to boost production efficiencies now plan to integrate artificial intelligence in security measures with a corresponding shift in their IT budgets.

Events that most influence how executives view their companies’ security vulnerabilities include high-profile data breaches and nation-state attacks on peer companies, cyber-attacks on their organizations, and government regulations.

 

Finding 3: 93% of DIB companies are aware of CMMC

The DIB C-Suite research reveals that nearly all companies in the sector – 93% – are aware of the new CMMC rules and the important sector trends. DIB companies are attempting to educate themselves about the effects of recent rule changes on security requirements. Suppliers of all sorts need to consider documentation, adherence, and, in some cases, transformation of their security practices to protect and comply with the requirements of the new DoD rules.

Fortunately, only 13 of 201 respondents cited that they were unaware of the CMMC rules. Unfortunately, many in the DIB are ill prepared to actually implement them.

 

Finding 4: A third of DIB companies don’t know which CMMC level to focus on

 The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC as a requirement for contract award.

While 56% of respondents said they’re focused on Levels 1-3, with 42% focused on Level 3 alone, a large portion of respondents still don’t know which level to focus on. Some 33% of respondents said the level they would focus on is “uncertain.” That will limit their speed in adopting and certifying their compliance with the level they eventually must meet.

 

Finding 5:  More than half of DIB companies outsource IT and security functions

DIB C-suite executives face tough choices when deciding where to invest resources to propel their businesses forward. At least 4 in 10 respondents identify increasing infrastructure complexity, digital transformation plans, integrations of artificial intelligence, and migration to the cloud as putting pressure on security planning and budget allocation.

Executives understand that compliance to DFARS, NIST 800-171, and CMMC is paramount and to transform their businesses, they must embrace the integration of new technologies.

At the same time, they’re facing an internal skills gap. One-third of respondents report dependence on their internal IT talent, promoted from within, which can create a knowledge gap in security strategy.

The internal skills gap is not easily solved because the demand for security professionals outpaces supply. As a result, more executives report the need to look to outside security vendors for assistance.

In fact, more than 54% of executives report outsourcing both IT and IT Security to gain traction on competent and quick compliance. They’ve decidedly moved toward public and private cloud environments, and the survey data also reveals a shift of network security budgets toward technologies that employ more automation, more technology integration, and the ability to operate from a sovereign US environment on government-certified FedRAMP environments.

 

Finding 6: China and Russia aren’t the only risks on DIB companies’ minds

DIB C-Suite executives face tough choices when deciding where to invest resources to propel their businesses forward. As the threat of network attacks becomes a question of when, not if, chief executive officers and chief security officers must carefully evaluate the risks associated with security vulnerabilities and the costs of implementing effective security solutions.

At least 4 in 10 respondents identify these factors as putting pressure on their organizations’ security planning and investment:

  • Increasing infrastructure complexity
  • Threat from China, Russia, and Iran
  • Compliance to new regulations
  • Migration to the cloud

 

Finding 7: 40% of DIB companies estimate the cost of an attack at more than $1 million

Data breaches are expensive. They rack up monetary costs that directly affect companies’ bottom lines, but more troubling is the damage inflicted to intangibles such as brand reputation and customer trust.

Almost 40% of respondents estimated the hard cost of every attack to be more than 1 million USD/EUR/GBP, with cost estimates surging to more than 25 million USD/EUR/GBP for 5% of respondents. While soft costs are difficult to quantify, it is likely their impact is much higher over the long run than hard costs.

Hard and Soft Costs

Executive-Ranked-Top-3

 

About the Research

On behalf of CyberSheath, BAO surveyed 201 Executives from July to September 2020. To participate in the 2020 DIB C-Suite Compliance Security Survey, respondents were required to be a company who contracts with the US DoD and by design, the survey required at least half respondents to be C-level executives, though this year’s research attracted far more C-level corporate leaders. About 2/3rds of the companies in the survey have less than 500 employees.

 

Don’t forget: Sign up for our free webinar on February 3, 2021 to learn what high- and low-scoring organizations have in common, variables that negatively affect most businesses, and characteristics of companies attaining compliance. Don’t miss it!

How Secure is the DIB Supply Chain?

SolarWinds, with more than 300,000 global clients, including many federal agencies in the United States and mostly Fortune 500 companies, unknowingly released a software update that included malware providing hackers unobstructed remote access to victim networks. The magnitude of this breach requires impacted customers to conduct forensics if they have the means, immediately remove the compromised SolarWinds Orion products from their network, execute an incident response action plan and rebuild the network previously monitored by SolarWinds products. 

This level of breach is catastrophic, and impacted businesses should assume total compromise. The work to recover from this event on a meaningful size network is inconceivable for those who have not been through this before.

As a Microsoft Partner and leading provider of Managed CMMC Compliance to Defense Industrial Base (DIB) contractors, CyberSheath has fielded many inquiries related to the extensive investigation into the SolarWinds breach. As nearly every business of any size has some level of Microsoft deployed in their environment, we wanted to share several items we felt would be of interest to those with Microsoft, SolarWinds, or both currently deployed.

  • Microsoft Source Code Repository Access: Microsoft detected malicious SolarWinds applications in their environment, isolated and removed. During the investigation, Microsoft detected unusual activity with a small number of accounts, which was used to view source code repositories. The accounts could not modify code, and the affected accounts were investigated and remediated. There has been no identified risk to services or customer data due to this activity. Access the full Microsoft post SolarWinds Impact and InvestigationMicrosoft provided security tools to investigate and mitigate any known SolarWinds related malicious activity. Microsoft has published several resources that can be used in response to this attack.
  • Microsoft 365 Defender: Businesses with Microsoft Defender 365 should leverage the Indicators of Compromise (IOC’s) provided by Microsoft 365 Defender to look for vulnerabilities and potentially malicious activities related to the SolarWinds attack. 
  • Microsoft Azure Sentinel: Microsoft has published recommended content to Azure Sentinel that should be used to monitor for indicators of compromise. 

Finally, the Solorigate Resource Center, which Microsoft keeps updated with their latest information, can be found here.

Regulatory Compliance Impact on SolarWinds Incident

Aside from what businesses can and should be doing to respond to and recover from this widescale attack, one of the questions heard frequently is, “Could CMMC have prevented any of this?”. We think this is the wrong question to ask and represents “silver bullet thinking”. For example, we do not use this type of thinking in regards to vehicle seatbelts. Seatbelts are required in vehicles here in the United States despite their inability to prevent 100% of injuries, because we still recognize their overall value in injury prevention. 

The fact is had DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting been enforced and compliance verified since 2017, rather than then selectively implemented through self-certification, the SolarWinds attack might have looked very different. The clause mandates rapid reporting of cyber incidents to DoD. Specifically, the clause requires:

Cyber Requirements under NIST 800-171 Since 2017

(c) Cyber incident reporting requirement.

(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.

(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.

(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.

(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.

(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.

Benefit of NIST 800-171 Information-Sharing Mechanism

While looking at this list of reporting requirements, it is impossible to believe that the defense industrial base would not have been better served having implemented NIST 800-171 and being part of the robust information-sharing mechanisms between DoD and industry. IOC’s Would have reached a wider audience, faster and likely with greater precision. 

It is not a leap of faith to believe that our national security and the Department of Defense supply chain will be materially strengthened because of regulatory requirements like CMMC. 

How Secure is the Defense Industrial Base Supply Chain?

We invite you to an interactive review of our analysis detailing hundreds of DoD contractors’ cybersecurity posture to discover the concerning findings and best practices that lead to compliance. During this webinar, you will learn:

  • Top 3-5 failing controls; what are they, and why are they so challenging to implement?
  • Outcomes by business profile, from professional services to the manufacturing floor.
  • Top 3 characteristics of organizations who successfully achieve compliance.

How Secure is the DIB Supply Chain?

Over 14+ years working with the Department of Defense (DoD) contractor cybersecurity compliance requirements have evolved from voluntary to self-certification to now mandatory minimums validated by independent third parties via the Cybersecurity Maturity Model Certification (CMMC); the question of cost underpins almost every discussion. 

The CyberSheath team gets asked two questions every day, all day long. How much and how long? Contractors asking the question prefer a exact answer and ideally one that fits in their existing budget. The DoD and NIST have tried to provide some level of analysis around the cost impacts of cybersecurity compliance but when released these estimates are immediately questioned by industry. In our experience these government provided estimates are interesting but irrelevant to your specific situation. Applying the analysis done by the government is like trying to calculate your tax situation based on what you think your neighbors tax bill might be. It’s a waste of your time and guaranteed to be inaccurate. So how do you get a cost of compliance for NIST 800-171 and CMMC that is relevant and specific to your organization? It’s not actually that difficult, and I will share our process here and welcome you to contact us for your evaluation.

CyberSheath has been providing firm fixed price managed cybersecurity compliance for more than six years exposing us to tremendous amount of data around cost. We also understand the differences between cost of compliance in a manufacturing environment, software development organization, research and development and just about everything in between. A significant part of our customer base includes foreign owned US based defense contractors, so we understand those unique aspects as well. Our methodology is audit approved in the sense that our customers have successfully passed third party audits repeatedly.

Our Approach to Understanding the Cost of Compliance.

Don’t ask for a “ballpark”.

With the passage of the new law that went into effect on November 30, 2020, NIST 800-171 and CMMC compliance are being enforced, and it is time to get serious about actually implementing the controls. Ballparks on CMMC cost are not serious inquiries. I understand human nature and desire to “get a ballpark,” but it is a waste of your time, and it is impossible to get an actionable and accurate “ballpark”. There are simply too many variables specific to your situation that ballparks cannot account for. Cloud-based? On-premise? Windows networked domain environment? Cloud services? Hybrid Cloud? These are just some of the questions that drive cost and prevent a ballpark answer to the cost question. It is a bit like calling a personal trainer, having never met them or provided any information, and asking them how quickly you can get into shape. Don’t fret; there is a relatively painless way to understand what your cost might be. Please skip the ballpark conversation and instead put an hour or less into getting something accurate and actionable.   

Fill out a scoping document and have a conversation.

One of the things that we don’t ask potential customers is what their budget is. Candidly your budget is independent of the cost to become compliant. It’s our job to make your budget and the costs align as closely as possible. Still, ultimately, the cost of getting your specific environment compliant is a finite number independent of your actual budget. You probably didn’t account for the 110 security requirements of NIST 800-171 when you created your budget and CMMC likely wasn’t law, so your budget is not really part of the conversation. 

Your environment, the existing people, processes, and technologies you leverage to conduct your business, hold the answers to determining your cost of compliance. At CyberSheath we have developed a relatively simple process that generally takes less than an hour to complete. 

It starts with a facilitated conversation where we walk you through and fill out for you a comprehensive scoping document. The scoping document was developed through nearly a decade of experience delivering managed compliance services and the questions are geared towards the things we have seen in our experience drive the cost of compliance. You bring the appropriate person from your organization who can answer the questions, typically the “IT guy” and we do the rest. This takes anywhere from 30 to 45 minutes and the outcome is an accurate and actionable understanding of the cost and timelines for your organization to become compliant. In our experience, this is time well spent regardless of if you decide to move forward with CyberSheath as your managed compliance partner or not.

What You Get In Exchange For Your Time

A facilitated conversation that outputs a firm fixed price statement of work tailored to your organization’s people, processes, and technologies. It includes cost, schedule, and deliverables to understand how long and what it will take to get you fully compliant. Of course, we’d love to have you as another one of our satisfied customers, but it also allows you to understand what a comprehensive solution looks like if you’re talking to other vendors. 

Next Steps

Unsure of the cost and time for you organization to become compliant with NIST 800-171 and CMMC?  Schedule a meeting with a CyberSheath expert today.  To further your knowledge on how your organization compares with the cybersecurity posture of the DIB, please join our webinar, “How Secure if the Defense Industrial Base Supply Chain?” on February 3, 2021 at 9:00 am (PST) | 12:00 pm (EST) to access our data collected from hundreds of assessments to discover the concerning findings and best practices that lead to compliance.  Register Now.

 

How Secure is the DIB Supply Chain?

 

As 2020 ends, and if you missed them, we have rounded up five of our most popular blog posts. 

This past year was filled with discussion and updates regarding CMMC and NIST 800-171, so not surprisingly, these top posts cover NIST controls, the DFARS Interim Rule, as well as the steps required to ensure new Department of Defense (DoD) regulations are met.

 

Let’s get started.

 

The first two blog posts touch on NIST 800-171 and CMMC control compliance.

1. Top Five Most Difficult Controls to Implement Under NIST 800-171

As Prime and Sub-contractors begin to learn more about the regulations required to maintain or win new DoD revenue, you may wonder if your competitors share the issues you are running up against as you work to become compliant. Questions around the topmost complicated controls to implement, the why behind their complexity, and how you can overcome the obstacles they create are covered in this post. 

 

2. What is the CMMC Shared Security Model and Why is it Needed?

For commercial firms providing services to the U.S. defense industry, the challenge that is cybersecurity has been growing for years but mainly without any oversight from the DoD. Specifically, the collection of Controlled Unclassified Information (CUI) on unregulated and often under secured contractor networks across the DoD supply chain has become a risk that requires addressing for the DoD. This post explains how a CMMC shared security model assures coverage of all areas of the security environment to meet compliance.  

 

The next two blogs posts cover the DFARS Interim Rule before becoming law on December 1st. Though each post was designed to examine the interim rule, the guidance offered still applies since the rule’s transition into law.

3. DFARS Interim Rule: What You Must Do Immediately

The post goes through what is required of you today to be compliant with the updated DFARS clause that is now law.

 

4. DFARS Interim Rule and Emergency Justification FAQ: Everything You Need to Know

A robust, frequently asked question post with the answers necessary to understand the law’s impact on your business and what actions you must take to maintain competitiveness.

 

Lastly, our final post provides a step-by-step guide assuring the latest DoD regulation is met.

5. Step-by-Step Guide to SPRS NIST 800-171 Assessment Submittal

As of December 1st, the DFARS Interim Rule has become law; reinforcing suppliers need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The CyberSheath team works with our clients to ensure they meet all DoD cybersecurity requirements, and to that end, have assisted in the submittal of their assessment to the SPRS. This post contains a step-by-step guide walking through successfully creating an account and submitting your assessment score to the government.

In short, yes; however, with caveats.

In 2019, the Department of Defense (DoD) announced the development of the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a maturity model based foundationally on the NIST 800-171 framework with some key evolutionary elements and integrations from NIST 800-53 and ISO 27001 among others, respectively. The change also incorporates the addition of third-party accreditation by cybersecurity assessors.

In January of this year, the Department of Defense (DoD) released the CMMC. This new maturity model defines five levels of increasing maturity and will require all defense contractors, both Primes and Subs, to comply with one of the five levels and attain independent verification of compliance prior to contract award. In an ongoing effort to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), CMMC is a significant change for DoD acquisition, cybersecurity, and policy. For small businesses in the defense industrial base, the challenge is potentially insurmountable.

CMMC mandates minimum cybersecurity standards for 300,000 plus commercial defense contractors around the globe and makes compliance part of the acquisition process, preventing contract award until an independent third-party has verified compliance. Given the magnitude of this change and the revenue impacting consequences of non-compliance, we choose Microsoft for our CMMC Managed Services Customers.

So now that the mandate is in place, how does this effect the cost of doing business with the US DoD?

In short, this mandate is supposed to be a ‘pass through.’

Katie Arrington Quote on CMMC

So, where is the source government verbiage documenting that a 7012 (NIST) or 7021 (CMMC) assessment or implementation is a reimbursable cost?

See below:

NIST

Regarding DFARS 252.204-7012 in 2013, DOD stated (see attached) that costs related to complying with DFARS 252.204-7012 are likely allowable and chargeable to indirect cost pools. (See page 69274). Since complying with CMMC level 3 is the equivalent to complying with DFARS 252.204-7012, it should follow that, at a minimum, the cost of Level 3 accreditation should be an allowable cost.  The exact verbiage from the law is provided here and the full section of the law is (attached):

  1. Allowable Costs Under Cost Accounting Standards (CAS) Comment: One respondent asked if the cost associated with compliance to the DFARS changes is allowable under CAS.

Response: Cost Accounting Standards address measurement, allocation and assignment of costs. FAR 31 and DFARS 231, specifically FAR 31.201–2, address the allowability of costs. There is nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable if the costs are incurred in accordance with FAR 31.201–2. While we cannot know in advance if a company will incur costs in accordance with FAR 31.201–2, there is nothing included in the final rule that would cause or compel a company to incur costs that would be in violation of FAR 31.201–2.

Comment: Several respondents stated that DoD needs to account for/provide funding for the additional costs of implementation.

Response: Implementation of this rule may increase contractor costs that would be accounted for through the normal course of business.

CMMC

Regarding CMMC, “The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.”

“The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”

Clearly the government isn’t expecting to receive the benefits of CMMC and the new accreditation without paying for it but it will not be a layup to get your costs covered. You still have to win first, there is not prize for losing bids.

FAQ for CMMC ( https://www.acq.osd.mil/cmmc/faq.html )

The Department of Defense (DoD) suppliers were notified at the end of September about the new DFARS Interim Rule designed to collect NIST 800-171 assessment scores from all DoD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule has become law reinforcing suppliers need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The CyberSheath team works with our clients to ensure they meet all DoD cybersecurity requirements, and to that end, have assisted our clients in the submittal of their assessment to the SPRS.  To help suppliers navigate a potentially overwhelming process, we have created a step-by-step guide to showing how to successfully create an account and submit your assessment score to the government.

 

Step-by-Step Guide to SPRS Assessment Submittal

Step 1: Set up Your Account

First, you will want to visit the PIEE website. Click on REGISTER button on the top right of the screen.

PIEE Account Set Up

Next, accept the Privacy Act Statement and Terms and Conditions.

Select VENDOR from the options.

PIEE Vendor Options

If your company has a Common Access Card or Certificate, you can choose this option from the drop down. However, you can choose User ID\Password if you do not have the other information readily available.

PIEE Captacha

Enter in your security questions.

PIEE Security Questions

Provide your name and contact information.

PIEE User Profile

Enter supervisor (not required) and company contact information.

PIEE Supervisor Contacts

STEP 2: Access the Supplier Performance Risk System (SPRS)

Select SPRS (Supplier Performance Risk System) from the drop-down menu.

PIEE SPRS Drop Down Menu

STEP 3: Select SPRS Cyber Vendor User

PIEE SPRS Cyber Vendor

STEP 4: Add Roles

Next, click ADD ROLES. You will see a line at the bottom with a LOCATION CODE field. This is where you will enter the CAGE code for your company.

PIEE Add Roles

Enter in your CAGE code. If you have multiple CAGE codes, you will need to repeat Step 3 to add those additional lines.

PIEE Add Cage Code

Enter the justification for your account. Attachments would be used for justification and/or identification. However, do not attach your self-assessment here.

Step 5: Complete the Agreement

From here you will need complete the Agreement portion of the application. You should receive approval for your account promptly after completion. If you do not have a CAGE code or if the CAGE code, you have not been registered with an in-use DoD contract you may not be able to successfully create an account. If you run into this issue or your company has never won a contract, you can submit your self-assessment to webptsmh@navy.mil. *NOTE* Remember to submit your self-assessment via encrypted email.

Step 6: Admin Approval of Cage Code

Once you register you will have to have the admin who is linked to the cage code approve your account.

PIEE Log In Credentials

If you are not the Contract Administrator of the cage code and are unsure who that person is, you can look it up by going to the PIEE homepage and selecting FIND MY ACCOUNT ADMINISTRATOR from the NEED HELP WITH YOUR ACCOUNT? menu.

On the next screen you will need to input your cage code under the LOCATION CODE. You do NOT select any options from the APPLICATION or ROLE options. After the cage code has been inputted type in the numbers from the CAPTCHA Image and click SUBMIT.

PIEE Location Code

The next screen will populate who the Administrator of the cage code is and who you will need to contact for account approval. If there has not been an Administrator linked to the cage code you will need to contact PIEE support (1-866-618-5988) to get that provisioned.

You have successfully created your account. Once the account registration is approved by the cage code administrator you are ready to submit your score.

Step 7: Submit Your Assessment Score

Now that you have an account you will need to go to the PIEE website and click LOG IN.

Login Btn

Select the SPRS Icon. Then select NIST SP 800-171 Assessment from the options.

SPRS Icon

You will need to select the company name at the desired level (BASIC will be the most common unless your company went through an audit consisting of Government personnel). Once selected click ADD NEW ASSESSMENT from the menu.

PIEE Attach Assessment

Enter assessment details and click SAVE.

PIEE Enter Assessment Details

Next Steps

You have successfully submitted your assessment meeting the requirements under the DFARS rule and can now begin working toward your Plans of Actions and Milestones (POAM).

If you have not done an NIST 800-171 assessment and do not know your score, we are here to help. Please do not hesitate to reach out with any questions or talk through a project plan to avoid penalties and remain competitive in the DoD acquisition process.

At CMMC Con 2020, we heard about the threat from China, next steps for CMMC, and how no one in the Defense Industrial Base (DIB) has all the answers. After an immersion in why the CMMC is essential and what the requirements are, the one question remaining is: What now?

We wrote a book about how to get started — get your free copy here. It’s a plain-English guide to everything you need to know about achieving NIST 800-171 and CMMC compliance as a contractor in the DIB.

But next steps were a focus of the sessions at CMMC Con. The biggest takeaway: Get your self-attestation recorded or risk lost business.

One of the clearest wake-up calls came from Katie Arrington, who noted that “every vendor, every contractor as they are going to contract award will have to do a self-attestation and record it on the SPRS platform .… It’s the dawn of a new day.” She later emphasized: “All new awards as of November 30, 2020 have to have this self-assessment.”

This was a stark reminder of what the DIB has been hearing with increasing urgency for a couple months. We got the DFARS Interim Rule at the end of September. Starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th.

While everyone was supposed to be doing this for the past five years, a lot of this is new, like submitting self-attestations to the SPRS. Everyone is playing catch up. But that doesn’t mean everyone is taking it seriously just yet. And they might not until it hits their wallets.

Arrington said in her keynote there are signs of improvement in compliance, but in the assessments, we perform for our clients, we haven’t seen that. Reviewing our data, it’s clear contractors and suppliers have a way to go.

There are many reasons why. In part, the five NAICs codes cited in the DFARS interim rule are so broad they’re pulling in contractors that weren’t aware they had to comply: Research and Development in the Physical, Engineering, and Life Sciences; Engineering Services, Commercial and Institutional Building Construction, Other Computer Related Services, and Facilities Support Services. As a result, we have been working with construction and architecture firms that don’t understand why the rule applies to them.

Several other suppliers are stuck between a rock and a hard place. Organizations that are supposed to have met the standards for the last five years have been taking contracts, thereby certifying they are 100% compliant. But it was self-certification, and no one was checking. Now, do they score themselves honestly and open themselves up to False Claims Act liability for contracts they have taken? Or do they score themselves aspirationally and try to make up ground before anyone comes knocking on their door?

The answer is to get the process started as soon as possible. Read our book for more background. We’ve been performing assessments for years and understand what’s required and where and how most contractors need to improve.

The one silver lining from Arrington’s keynote is that the DoD recognizes the cost of security. She noted: “We are willing to pay for it, we are willing to say security is an allowable cost … build it into your rates.”

The challenge now, as we heard all day at CMMC Con, is to get it done on deadline.

RESTON, Va.—December 1, 2020—CyberSheath Services International today announced it has earned Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO) certification. This new achievement fortifies the company’s position as the leader in CMMC compliance solutions and services meant to eliminate theft of intellectual property and sensitive information across the Defense Industrial Base (DIB) and Department of Defense (DoD) supply chain.

This news comes on the heels of CyberSheath hosting some 1,000 registrants for an incredibly successful CMMC Con 2020 virtual conference in November. CyberSheath also wrote a book on CMMC – the CMMC Companion 2020/2021 Edition, which is widely seen as a defense contractor’s playbook.

“By staying current on certifications and changes in compliance requirements, we’re positioned as the partner of choice for CMMC compliance,” says Eric Noonan, CEO of CyberSheath. “The RPO credential formally recognizes what our existing customers already know, that DoD contractors can trust in CyberSheath’s ability to deliver turnkey solutions for cybersecurity compliance requirements. Our managed services approach to CMMC and NIST 800-171 compliance meets suppliers where they are, significantly reducing cost and complexity for their business.”

The CMMC model is a set of mandatory cybersecurity requirements that all 300,000-plus DoD contractors must implement and then validate by an independent third party before contract award. The CMMC Accreditation Body, which is managing the CMMC rollout on behalf of the DoD, announced requirements and opened applications for multiple credentialed roles, including RPO, this summer.

CyberSheath’s staff have been working with the DoD since 2008 from the inception of voluntary cybersecurity requirements all the way through the current mandatory CMMC requirements, and the RPO credential is the next logical step in this journey.

According to the CMMC-AB, RPOs are authorized to represent the organization as familiar with basic constructs of the CMMC Standard, and are qualified as:

  • Aware — Employs staff trained in basic CMMC methodology.
  • Registered Practitioner Staffed — Offers non-certified consultative services.
  • Targeted — CMMC Assessment preparation.
  • Trusted — Bound by a professional code of conduct.

RPO status means CyberSheath has agreed to the CMMC-AB Code of Professional Conduct, can deliver non-certified CMMC consulting services, and is listed on the CMMC-AB Marketplace.

For more information or details, please contact info@cybersheath.com.

 

About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

 

 

CMMC CompanionRESTON, Va.—November 24, 2020—CyberSheath Services International has published the 2020 / 2021 CMMC Companion guide to help defense contractors navigate and comply with new rules from the Department of Defense (DoD) to secure the Defense Industrial Base from cyberthreats. This new resource for defense contractors provides a clear, concise primer that summarizes the CMMC, discusses why the rule has been created, and proposes useful tips for its mandatory implementation.

“The defense industry has been clamoring for help as new rules emerge and the risk of losing out on defense contracts and revenue becomes more real,” says Eric Noonan, CEO of CyberSheath. “CyberSheath has been supporting compliance initiatives for defense contractors and other companies since 2012, and they’ve channeled that experience into this new resource. Anyone dealing with CMMC will gain enormous benefits in terms of understanding the history, terminology, approach, and future direction.”

Though the industry has been charged with meeting stringent requirements for years, recent updates with real deadlines have created urgency and angst among prime and subprime contractors. Not only are the prime contractors ensuring their own compliance, but they are also putting pressure on their suppliers to verify compliance. If defense contractors do not comply, they risk the security of the supply chain, national security, the ability to secure DoD contracts, and, thus, their revenue.

New rules under the recent DFARS interim law rule, coupled with requests from prime contractor demands mean suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POAM) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and progress are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POAM items, and the expected closure date for the additional controls.”

The new CMMC Companion guide comes on the heels of the first-ever CMMC Con, a virtual gathering hosted by CyberSheath attended by some 1,000 CMMC partners, including government stakeholders, services providers, and contractors.

For more information or details, please contact info@cybersheath.com.

 

About CyberSheath Services International, LLC
Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

CyberSheath is pleased to introduce our distinguished CMMC Con 2020 guest and powerful industry and national resource Richard Wakeman.  Richard Wakeman is the Senior Director of Aerospace & Defense for Azure Global Engineering and is the commercial industry lead for Azure Government, Microsoft’s cloud solution specifically engineered to meet US government compliance and security requirements. He specializes in the Defense Industrial Base adopting cloud services from Microsoft and is the Program Manager for the Microsoft Cybersecurity Maturity Model Certification (CMMC) Acceleration Program. Richard engages with Microsoft partners and customers end-to-end from engineering to drive adoption of Azure Government, Microsoft 365 GCC High and Dynamics 365 GCC High as solutions within the Microsoft US Sovereign Cloud.

Richard joined Microsoft in 2007 as a developer, identity and messaging expert at the dawn of Microsoft Online Services. Shortly after joining, he was engaged by the Exchange Product Group to lead cloud deployments worldwide for Live@edu as part of the Exchange Labs program, the predecessor of Office 365. He led the charge for the integration of MCS and Premier services with cloud offerings, becoming a Senior Architect for the Microsoft Enterprise Services Business Productivity Global Domain Solution Architecture Office. During the decade of tenure in professional services, Richard had an impact on deploying over 100 million seats into the Microsoft cloud.  He deployed the first Microsoft cloud customers, to include the first million seat organization in the public multi-tenant cloud to the first Government Community Cloud customer.

Among Richard’s main roles is to overview what Microsoft is doing with CMMC concepts.

Microsoft and CMMC

Microsoft has a deep and long history of supporting government customers and their unique mission requirements; in fact, about a year ago, Richard Wakeman wrote this blog specific to the Microsoft Cloud Service Offerings. Suffice it to say Microsoft uniquely understands the U.S. Government’s mission in a way that only decades of experience working alongside one another will allow. Microsoft understands the required people, processes, and technologies to support the DoD mission from both a compliance and operational perspective so well that it can often be difficult for anyone to lay it all out in one succinct communication. Microsoft has done more for the United States Government than any other cloud provider. Their decades of successful partnership with DoD have enabled them to provide resources that will enable your journey to CMMC compliance.

Here are three resources to get you started on your journey to CMMC compliance:

1. Shared Responsibility Model

CMMC compliance for many, if not most, companies will undoubtedly rely on the cloud at some point in the journey. When in the cloud, and frankly, on-premises, it is important to understand the concept of shared responsibility. When relying on cloud services, understanding the shared responsibility model is foundational to meeting and maintaining compliance. For an excellent blog on shared responsibility in the cloud start here and as you read think about which CMMC security tasks are handled by your cloud provider and which tasks are handled by you. Now for the many companies that rely on Managed Service Providers, Managed Security Service Providers, or otherwise defined Third-Party Providers, how are you extending the shared responsibility to those entities?

Almost no MSSPs understand CMMC in the context of the shared responsibility model. To my knowledge, CyberSheath is the only one that has built our entire CMMC management platform around Microsoft Azure technology, which is detailed here along with a detailed breakdown of how CMMC has been 13 years in the making.

CMMC compliance isn’t a “go it alone” model and requires an understanding of the shared responsibility model, regardless of your CMMC compliance level. Rare is the company that does everything in-house without exception.

2. Azure Blueprints

Azure blueprints enable customers to easily create, deploy, and update compliant environments and leverage the enormous Microsoft investment in data security and privacy. Microsoft invests more than USD 1 billion annually on cybersecurity research and development, employs more than 3,500 security experts entirely dedicated to your data security and privacy and Azure has more certifications than any other cloud provider. View the comprehensive list.

Blueprints simplify largescale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, role-based access controls, and policies, in a single blueprint definition. Customers can easily apply the blueprint to new subscriptions and environments and fine-tune control and management through versioning. Specific to CMMC, blueprints present a tremendous advantage for customers who want to quickly address the majority of the CMMC Maturity Level 3 requirements.

The NIST SP 800-171 R2 blueprint sample provides governance guard-rails using Azure Policy that help you assess specific NIST SP 800-171 R2 requirements or controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements or controls. As many readers know, approximately 85% of the CMMC Maturity Level 3 requirements are essentially the NIST 800-171 security requirements, so this blueprint can be a force for progress in your CMMC compliance efforts.

3. Office 365 GCC High and DoD

As many defense contractors already know, CMMC was, in part, created to address the security of CUI, and Microsoft has long been a partner with DoD working to protect this information.

To meet the unique and evolving requirements of DoD and contractors holding or processing DoD controlled CUI or subject to International Traffic in Arms Regulations (ITAR), Microsoft offers GCC High and DoD environments. Microsoft GCC High and DoD meet the compliance requirements for the following certifications and accreditations:

  • The Federal Risk and Authorization Management Program at FedRAMP High, including those security controls and control enhancements as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
  • The security controls and control enhancements for the United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 5 (L5).

DoD Office 365 subscribers will receive services provided from the DoD exclusive environment that meets DoD SRG L5. Non-DoD subscribers will receive services from the U.S. Government Defense environment, which is assessed at L5, but uses L4 segmentation.

There is much debate and often confusion on whether CMMC requires GCC high, and it is one of many issues that highlight the need for a Managed Compliance Partner, but the point is that Microsoft has long been the partner of choice for the DoD in addressing this challenge.

For additional information join us at CMMC Con 2020

For additional information on Microsoft’s CMMC acceleration, join Microsoft’s Richard Wakeman, Senior Director of Aerospace & Defense for Azure Global, on November 18th at CMMC Con 2020.  Mr. Wakeman will host a Technology Spotlight session dedicated to discovering how Microsoft solutions are assisting the DIB in government compliance.   Register Now.

The CyberSheath team has been a part of what today is known as the Cybersecurity Maturity Model Certification (CMMC) since it was an entirely voluntary initiative in 2008, consisting of eight and then sixteen of the largest prime contractors in the DoD supply chain. At the time progress was slow because this kind of cooperation between DoD and industry was new and breaching unchartered legal ground. Progress was sluggish, participation was voluntary, and we literally shared “threat” information via FedEx as the best we could do until we had the infrastructure in place to do better. So having been in partnership with the DoD for twelve years, first as the global CISO for BAE Systems and now as one of the largest managed CMMC Compliance MSSP’s working with small and mid-sized businesses, I know from experience that the progress made in the last eighteen months is extraordinary. The foundation of partnership between DoD and industry built up over the last decade-plus was crucial. Still, the ultimate accelerant to our collective progress is Ms. Arrington’s unwavering drive to get this done.

When I first heard Ms. Arrington speak at the Professional Services Council in early 2019. She was promoting the idea of independent third-party audits of defense contractors to enforce accountability of supply chain security. I thought it was an idea that would be quickly killed off by the bureaucracy, industry associations, and lobbyists. I stand here eighteen-plus months later in awe of what has been accomplished. As the driving force behind CMMC, Ms. Arrington will be featured as the keynote speaker at CMMC Con 2020 in an extended interview format answering many questions that have yet to be asked in the countless webinars we have all had too much of.

Ms. Katherine “Katie” Arrington is a member of the Senior Executive Serves and serves as the Chief Information Security Officer for Acquisition and Sustainment (CISO(A&S)) to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)). In this position, she serves as the central hub and integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to align acquisition and sustainment cyber strategy and efforts to enhance cybersecurity within the Defense Industrial Base.

As the CISO(A&S), Ms. Arrington is responsible to ensure the incorporation of integrated security/cyber efforts within USD(A&S) with the purpose of providing a focused and streamlined governance approach, provide a central coordination point and common compliance standard that serves to synchronize the various existing disparate cybersecurity efforts and standards across the Department and Industry as it relates to Department of Defense acquisition and sustainment efforts.

Ms. Arrington is leading efforts that help ensure a secure Defense Supply Chain through the implementation of Trusted Capital vendors and Supply Chain Risk Management principles, enhance Defense Industrial Base security and resilience, and establish a common cybersecurity standard within Departmental acquisition efforts. She also synchronizes these efforts across the Department, other federal agencies, and works with legislators to ensure Departmental authorities and actions align and support the nation’s security goals.

Before assuming her position as CISO(A&S), Ms. Arrington has an extensive career as a legislator and senior cyber executive in the private industry. Ms. Arrington was a 2018 candidate for the US House of Representatives for South Carolina and served for 2 terms as a South Carolina State Representative. She has extensive experience in cyber strategy, policy, enablement, and implementation across a wide range of business sectors and governmental levels. She has over 15 years of cyber experience acquired through positions at Booz Allen Hamilton, Centuria Corporation, and Dispersive Networks. These positions have given her a unique experience of supporting and work with the government at large, small, and non-traditional contracting firms. Ms. Arrington is married to Robert and resides in Summerville, South Carolina, and a proud parent of three children and grandparent to four grandbabies.

Please join us on November 18th for Ms. Arrington’s keynote and our expert line-up as they engage in conversations focused on DFARS compliance, the threat from China, how cybersecurity impacts the future of doing business with the DoD, and a “how-to” session for small and medium-sized businesses struggling with NIST 800-171 and CMMC. Register Now.

RESTON, Va.—October 29, 2020—CyberSheath Services International today announced that it has been selected to join the Microsoft Intelligent Security Association (MISA) as one of the association’s first CMMC-focused managed security service providers.

“MISA members are cybersecurity industry leaders,” said Eric Noonan, CEO at CyberSheath. “They’re unified by the common goal of helping secure our customers by offering unique and valuable customized expertise and making the association more effective as it becomes more diverse.”

CyberSheath has extensive Microsoft expertise, including professional and managed security services for a wide array of U.S. defense contractors, and was nominated for MISA for their managed security service offerings for Azure Sentinel and Microsoft Defender for Endpoint. CyberSheath uses a Microsoft technology stack fueled by Microsoft Azure Sentinel, the cloud-native Security Information and Event Management (SIEM) solution that quickly identifies security threats across hybrid enterprises.

MISA began as an ecosystem of independent software vendors (ISVs) that integrated their security products with Microsoft’s to better defend against a world of increasing threats. Due to increased demand for a closely interwoven security ecosystem, the association is growing and launching an invitation-only pilot program for select managed security service providers.

MISA plays a vital role in reducing the cost and complexity of integrating disparate security tools. Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection without requiring day-to-day involvement of in-house security teams,” said Andy Shooman, COO at CyberSheath. “It’s another important step in both strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”

“The Microsoft Intelligent Security Association has grown into a vibrant ecosystem comprised of the most reliable and trusted security software vendors across the globe,” said Rani Lofstrom, Senior Product Marketing Manager, Microsoft Security. “Our members, like CyberSheath, share Microsoft’s commitment to collaboration within the cybersecurity community to improve our customers’ ability to predict, detect, and respond to security threats faster.”

About CyberSheath Services International, LLC

Established in 2008, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

 

 

Press Contact:

Kristen Morales

Kristen.Morales@cybersheath.com

CyberSheath is pleased to introduce CMMC Con 2020 attendees to one of our keynote speakers and CMMC discussion panelists, retired Brigadier General Dr. Robert Spalding. As emphasized by his experience, Dr. Spalding is an expert on national security and highly-qualified to speak on China’s role in the theft of intellectual property across the defense industrial base. Far too often, the conversation on CMMC is mired in legislative workings, never addressing the “why” behind the need for CMMC in the first place. We felt the “why” is an often-overlooked agenda item and could think of no better speaker to address this topic than Dr. Spalding.

Dr. Spalding has served in senior positions of strategy and diplomacy within the Defense and State Departments for more than 26 years, retiring as a brigadier general. The chief architect for the Trump Administration’s widely praised National Security Strategy (NSS), and the Senior Director for Strategy to the President at the National Security Council, Dr. Spalding, is a national security expert, patriot, and entrepreneur. We are thrilled to have him at CMMC Con 2020 as our honored guest.

His work has been published in The Washington Post, The Washington Times, Foreign Affairs, The American Interest, War on the Rocks, FedTech Magazine, Defense One, The Diplomat, and other edited volumes. His Air Power Journal article on America’s Two Air Forces is frequently used in the West Point curriculum.

Dr. Spalding is a Life Member of the Council on Foreign Relations. He has lectured globally, including engagements at the Naval War College, National Defense University, Air War College, Columbia University, S. Rajaratnam School of International Studies in Singapore, Johns Hopkins Applied Physics Laboratory, and other Professional Military Educational institutions. Spalding received his Bachelor of Science and Master of Science degrees in Agricultural Business from California State University, Fresno, and holds a doctorate in economics and mathematics from the University of Missouri, Kansas City. He was a distinguished graduate of the Defense Language Institute in Monterey and is fluent in Chinese Mandarin.

Please join us on November 18th for the LIVE session(s) with Dr. Spalding. Through the liberal use of vignettes and examples, he will eloquently detail the modern threat posed by China to the US Defense Industrial Base. Register Now

Dr. Spalding is the author of an authoritative book on the same topic called “Stealth War,” which is available here.

Lockheed Martin and other prime contractors are contacting their suppliers and requesting a security status update; in many cases requesting a demonstration of compliance before the DoD November 30th deadline.  If you’ve received this request, you’re not alone. We’re helping many of our clients demonstrate that they’re achieving the requirements and submit the requested documentation before the deadline set by primes.

When the new DFARS Interim Rule and Cybersecurity Maturity Model Certification (CMMC) requirements were released at the end of September, we knew it would start to trickle down the supply chain. The primes heard the message loud and clear, and now suppliers do too. Lockheed Martin, for example, is requiring suppliers to complete a survey by November 5th so it can assess risk before the new rules take effect on November 30.

What is Required of Suppliers?

Suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POA&M) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and progress are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POA&M items, and the expected closure date for the additional controls.”

The primes are hard at work getting a sense of where their supply chain stands before the interim rule takes effect and the CMMC requirements start showing up in RFIs, RFPs, and contracts.

Where Should You Go from Here?

Start with this overview of the DFARS interim rule, an FAQ on everything we do, and don’t know at this point, and steps you should take immediately to meet the requirements. We’re here to help and explain the rules in plain English. Don’t hesitate to reach out with any questions or to talk through a project plan or schedule for responding to these requests by the deadline.

Join Us at CMMC Con 2020.  A Virtual Event Designed to Support Stakeholders in the DIB.

If you are a prime or subcontractor looking to better understand how to navigate the rapidly shifting future of cybersecurity compliance – CMMC Con 2020 is the event for you. Join us on November 18th for this one-day event where you will hear an expert line-up engage in conversations focused on DFARS compliance, the threat from China, and a “how-to” session for small & medium-sized businesses struggling with NIST 800-171 and CMMC.

Register Now

 

 

On September 29, 2020, the Department of Defense (DoD) issued an interim rule (Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)) implementing two separate requirements for defense contractors related to cybersecurity that change acquisition. The two requirements give contractors much-needed clarity around how to prioritize their efforts to improve cybersecurity in alignment with DoD acquisition. The DFARS interim rule provides timelines and scoping information related to the Cybersecurity Maturity Model Certification (CMMC) implementation, enabling contractors to plan and implement against those requirements accordingly. In priority order and plain English here are both the new requirements and what your company should be doing now; for a deeper look at the 89-page rule please read our FAQ.

What You Should Do Immediately to Address the DFARS Interim Rule

Let’s start with the answer; get compliant with NIST 800-171 by implementing all the security requirements defined within that publication. Immediately actionable is the requirement to submit your NIST 800-171 assessment, using the DoD approved scoring methodology, through the Supplier Performance Risk System (SPRS).

First, understand that this interim rule immediately impacts all of your future DoD awards if they include DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. This includes contracts, task orders, options, etc. Below is the language directly from the DFARS Interim Rule as to scope and impact for anyone who thinks this does not apply to them:

“The contracting officer shall verify that the summary level score of a current NIST SP 800-171 DoD Assessment (i.e., not more than three years old, unless a lesser time is specified in the solicitation) (see 252.204-7019) for each covered contractor information system that is relevant to an offer, contract, task order, or delivery order are posted in Supplier Performance Risk System (SPRS), prior to:

(1) Awarding a contract, task order, or delivery order to an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause at 252.204-7012; or

(2) Exercising an option period or extending the period of performance on a contract, task order, or delivery order with a contractor that is required to implement the NIST SP 800-171 in accordance with the clause at 252.204-7012.”

Ideally, you will submit your scored assessment within the next 60 days but at a minimum, it is required before your next expected DoD contract award so timing is unique to each company. Information that you are required to share and enter with the results of your Basic NIST SP 800-171 DoD Assessment into SPRS includes:

  • Date of the assessment
  • Summary level score (e.g., 95 out of 110, NOT the individual value for each requirement)
  • Scope of the Basic Assessment – identify each system security plan (security requirement 3.12.4) supporting the performance of this contract. All company CAGE codes must be mapped to the appropriate system security plan(s). Additionally, a brief description of the planned architecture may be required, if more than one plan exists
  • Plan of Action Completion Date – a date that a score of 110 is expected to be achieved for each system security plan assessed (i.e., all requirements implemented) based on information gathered from the associated plan(s) of action developed in accordance with NIST SP 800-171 (security requirement 3.12.2)

Why You Should Immediately Address these Aspects of the Interim Rule

Given the level of information that you are required to expose to the government contractors should have a sense of urgency around getting started with NIST 800-171 compliance if they have not already. If you score poorly it’s doubtful that your general counsel, contracts, or other business partners will want a substandard assessment sitting in a government database potentially putting you at a competitive disadvantage. Scoring can range from +110 (Perfect) to -203 (Failure), so you will want to use these next 60 days to make improvements and produce the best score possible before you submit your assessment.

Scoring for Basic, Medium, and High NIST SP 800-171 DoD Assessments is the same. The scoring methodology security requirements are weighted so just looking at some of the highest weighted requirements can give you a sense of how much work you might have ahead of you. If you are responsible for NIST 800-171 compliance at your company it’s easy to quickly determine how bad, or good, you might fare by looking at the scoring methodology and comparing that to what you are, or are not, doing today. Of the hundreds of assessments CyberSheath has done over the last eight years we have observed, on average, 70% non-compliance. Take a quick look at these requirements and associated values and compare them against what you know to be true for your organization, did you just lose 35 points before you even started your assessment?

DFARS Interim Rule - Security Requirements

These are just 7 of the 110 security requirements but they all require hard work and dedicated resources to become compliant. Again, this represents only 35 of 110 possible points so hopefully, our point is clear, implementing these security requirements takes time.  The DFARS Interim rule represents an emergency for non-compliant DoD contractors.

For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on non-compliance.

Next Steps

Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™)

DFARS Interim Rule 60 Day Sprint Timeline

It’s been quite a week.

The DoD released an interim rule to “amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.”

The DoD requested, and OMB authorized, emergency processing of the collection of information tied to this rule. The emergency justification impacts all DoD contractors in the long term and short term as they will now be required to prove and submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. Additionally, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

The interim rule, effective 60 days from publication, has triggered a number of questions from contractors. Here are the answers we believe we know, the answers that we aren’t certain about, and the answers that are unclear, but we can surmise based on past experience.

 

DFARS Interim Rule and Emergency Justification FAQ

 

DFARS Interim Rule and Emergency Action: What We Believe We Know

What is the nature of the emergency justification?

The government is finally asking the defense industrial base to submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. In the past, the DoD trusted, with almost no verification, contractors to adhere to the rules and there was no compulsory submission required to prove compliance. The nature of the emergency is “The aggregate loss of sensitive controlled unclassified information and intellectual property from the DIB sector could undermine U.S. technological advantages and increase risk to DoD missions.”

Why did the change occur?

Explicitly, to make sure two things are happening:

  • The supply chain is making strong improvements to security and meeting current contractual commitments
  • To motivate contractors who have ignored the current requirements by forcing information collection

But the interim rule also codifies into the CMMC. The onboarding of the CMMC structure will ramp up over the course of the next five years. The DoD can’t afford to wait that long to ensure American IP is protected so they will move to collect evidence of compliance with DFARS clause 252.204-7012 in parallel to CMMC ramp up.

What immediate steps should a covered entity take after this rule change?

First, reconcile how long it’s been since you’ve self-attested in line with the 2017 DFARS rule and more specifically NIST 800-171. A company that has fully implemented all 110 NIST SP 800-171 security requirements, would have a score of 110 to report in Supplier Performance Risk System (SPRS) for their Basic Assessment. A company that has unimplemented requirements will use the scoring methodology to assign a value to each unimplemented requirement, add up those values, and subcontract the total value from 110 to determine their score. The  NIST SP 800-171 DoD Assessment Methodology is available here.

Your properly scored Basic Assessment and self-attestation should show you have made a habit of improving your environment over the last three years. If you have not shown improvement on your Plan of Actions and Milestones (POA&Ms), you need to take steps to demonstrate what you are doing to make progress. Ideally, you should have at least three self-assessments from the past three years against DFARS 252.204-7012, and more if you’ve made major changes to your environment that would trigger another self-assessment.

Check out our article on the five steps every organization should take to meet the NIST 800-171 requirements.

What role do my Third-Party Providers (TPPs) have in my attestation?

A major role. You have to attest that your TPPs who handle CUI meet the same or higher security standards as you do.

The biggest stumbling block for many contractors is their TPP contract language. Any organization with a DoD contract that’s handling controlled unclassified information (CUI) must have specific contract language for any of their TPPs that handle CUI, requiring them to meet or exceed the same security standards you do. How many MSPs or MSSPs are doing that today…very few.

In fact, the interim DFARs rule has this verbatim clause buried within the latest 89-page update:

2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800- 171 DoD Assessment, as described here, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government. (3) If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology, to webptsmh@navy.mil for posting to SPRS along with the information required by paragraph (d) of this clause.

Can the government ask for my managed services contracts to demonstrate compliance with the DFARS verbiage inclusion?

Not only can they — they almost definitely will.

Is this rule retroactive? E.g. does this cover time periods of the previous self-attestation?

The truth is that this behavior and level of compliance were supposed to be in place all along and this action simply asks you to prove you’ve been doing it. This is where some contractors will find themselves between a rock and a hard place if they have self-attested but never really implemented NIST 800-171.

DFARS Interim Rule and Emergency Action: What’s Unclear

Does everyone who previously self-attested now submit documentation?

No, you don’t have to submit documentation today to the government but moving forward all DoD awards will require the submission of, at a minimum, a Basic Assessment.

It’s unclear why documentation has not been required before now. Maybe the government didn’t want to have access to the information or didn’t have a program to evaluate the information, or maybe the risk level wasn’t the same as it is today. It is also possible that lobbyists and industry trade associations fought off this requirement.

What needs to be submitted when to the government and when?

At a minimum, contractors will need to produce their assessment using the standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented. There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

Contractor assessments results are documented in the Supplier Performance Risk System (SPRS) to provide DoD Components with visibility into the scores of Assessments already completed; and verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.

The presumption is that the DoD wants what’s typically asked for in an audit or what prime contractors are asked to provide when they get a subcontractor: A System Security Plan (SSP), any POA&Ms, and attestation for where the program stands against NIST 800-171.

What does Basic / Medium / High mean in the release verbiage?

There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

How does the interim rule affect CMMC roadmap and compliance?

The rule builds upon the NIST SP 800-171 and DoD Assessment Methodology mandating the CMMC framework which adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at  52.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the required document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, the inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025.

If the government finds fault with your self-attestation documentation, what are the ramifications?

Contractors who are not accurate in their assessment reporting could be subject to the False Claims Act (FCA) which imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal government, or knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim. This is not theoretical, read more on the most visible DoD FCA case for cybersecurity.

Can an outside provider or third-party submit my documentation on my behalf?

This is unclear, but probably not. The government doesn’t want you to have the ability to say your service provider submitted it incorrectly or made material errors.  An outside provider can prepare the materials you can send along yourself, much like a CPA might prepare your taxes, but you sign them.  The exception would likely be the Medium or High Assessments that are completed by the Government in which they would submit the results.

What is the process if you want to dispute your compliance rating under the pre-CMMC assessment process?

We don’t know the answer to this one. There needs to be some sort of arbitration or dispute process to go through judgments against you and revisions to documents, as you might do with taxes, but the process is not obvious right now.

Is there any arbitration or a process of procedural review of negative findings?

Same answer as above — as of right now there is not an obvious process, but there should be one.

 

DFARS Interim Rule and Emergency Action: What We Know

What is the difference between DFARS 252.204-7012 and the new DFARS 252.204-7021?

7012 is universally applied and 7021 requires a demonstration of maturity based on the risk level of the contract.

7012 involves self-attesting and self-submitting documentation, and 7021 requires third-party assessments, but also self-submitting.

7012 is based on policing and enforcement and 7021 is based on the winning of revenue and contracts.

7012 allows tolerance for not having certain controls in place at the moment so long as you’ve identified those and you have a plan to rectify them, and 7021 is intolerant — you must not only have evident practices in place but also show they’re habitually deployed.

In five years, 7012 will be sunsetting, and 7021 will be sunrising. DFARS 252.204-7021 is the new law of the land.

How many CMMC driven contracts are expected in FY2021? 

 The rule says:

“Based on information from the Federal Procurement Data System (FPDS), the number of unique prime contractors is 212,657 and the number of known unique subcontractors is 8,309. Therefore, the total number of known unique prime contractors and subcontractors is 220,966, of which approximately 163,391 (74 percent) are estimated to be unique small businesses. According to FPDS, the average number of new contracts for unique contractors is 47,905 for any given year.”

The document also includes a chart showing how many contracts to expect at each CMMC level each year:Proposed-CMMC-Contracts-by-Levels+Year

Will my self-disclosures be made public? Is it disclosable in a FOIA request?

 There is no mention of that in DFARS 252.204-7021, but the feeling is that the information will not be generally available to the public, but it might be subject to a FOIA request.

When you are self-attesting and going on record about what you do and don’t do from a security perspective, that invites hackers to open up the database and see where organizations are vulnerable. This information could also materially affect the way companies and investors view mergers and acquisitions, due diligence, and so forth. So, it is unlikely that the self-disclosures will be truly public.

 

The Bottom Line

Time’s up to get compliant or forgo DoD revenue, it is that simple.  The government is getting more aggressive in cracking down on cybersecurity to protect American assets throughout the defense industrial base and has been very specific as to their expectations.

The DoD means business. The time to take action is now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your assessment gets – and stays – on track.

 

Next Steps

Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™)

DFARS Interim Rule 60 Day Sprint Timeline

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) is here. Often referred to as CMMC this long-awaited and hotly debated Interim Rule harmonizes legacy (DFARS clause 252.204-7012) and future (CMMC) requirements with the following statement:

“DoD has developed the following assessment methodology and framework to assess contractor implementation of cybersecurity requirements, both of which are being implemented by this rule: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) Framework.”

Specifically, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

Assessment Methodology to ensure NIST 800-171 Compliance

DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, included in all solicitations and contracts, requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems” or those that “are not part of an IT service or system operated on behalf of the Government”, i.e your contractor networks, labs, cloud environments, etc.  This clause has long existed but rarely been enforced by DoD or adhered to by contractors. Rare contractors who have been audited for compliance have been evaluated against the NIST SP 800-171 DoD Assessment Methodology for assessment of a contractor’s implementation of NIST SP 800-171 security requirements. The NIST SP 800-171 DoD Assessment Methodology is available, here.

If you are not familiar with the assessment methodology it is probably because you have not been audited or have done a quick internal assessment that did not adhere to the scoring defined within the methodology. Time to get familiar with it. Again, directly from the interim rule:

“The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”

The results of Assessments are documented in the Supplier Performance Risk System (SPRS) giving DoD visibility into completed assessment scores and an ability to verify that a contractor has a current (i.e., not more than three years old) assessment on record prior to contract award. This is something that contractors should pay careful attention to. Because of the widely unenforced existing compliance requirements, most contractors have already self-attested to compliance without ever having submitted an assessment or having been audited. This silent majority is now in the position of being required to, at a minimum, submit a self-assessment that will go into SPRS. How will contractors address the fact they have already attested to compliance and now have an assessment that shows, in our experience, on average 70% non-compliance? Squaring this conflict will require some thoughtful planning and time with your general counsel.

New Interim Rule Outlines the Purpose of CMMC

Nearly everyone expected the new rule to force CMMC implementation (it does with a new DFARS subpart (Subpart 204.75, Cybersecurity Maturity Model Certification CMMC) and mandating DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, for use in all solicitations and contracts or task orders or delivery orders) it also thoughtfully describes a long transition from NIST 800-171 to CMMC.

The purpose of this blog is not to describe CMMC in detail but for those interested in an overview please look here. What contractors really need to know right now about CMMC is that DoD is implementing a phased rollout of CMMC, essentially making it an October 1, 2025 requirement. Up until September 30, 2025 inclusion of a CMMC requirement in a DoD solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. On October 1, 2025, and thereafter CMMC will apply to all DoD solicitations and contracts, except those exclusively COTS items.  After this date, DoD contracting officers will not award, or exercise an option on a contract without a current (i.e. not older than three years) certification for the required CMMC level. Additionally, and as expected, CMMC certification requirements are required to be flowed down to subcontractors at all tiers.

The new CMMC has always been about assurance, giving DoD a way to ensure all of their suppliers are adequately protecting sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk and accounting for information flow down to its subcontractors in a multi-tier supply chain. Assurance, essentially third party validation, was and is required because DoD has proven that contractors self-attestation of compliance was optimistic to be generous. Few contractors actually implemented NIST 800-171 and the DoD is no longer going to accept that risk for its supply chain. As the new rule describes the purpose of CMMC:

“CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.”

Key Takeaway

DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  DoD acquisition just changed and they are deadly serious about securing the supply chain, this is a call to action.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance when it arrives.

So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance. Download our 5 Step Guide to CMMC preparation that assures compliance with NIST 800-171.

5 Steps to CMMC Preparation

The Department of Defense (DoD) has instituted an emergency action, possibly to confirm what is widely already known on cybersecurity compliance among the defense industrial base (DIB). Self-certification for defense contractors has enabled “barely there” cybersecurity unless you are one of the small number of contractors who took it seriously.

The action, approved by the Office of Information and Regulatory Affairs (OIRA), requires offerors and contractors to assess their compliance with DFARS clause 252.204-7012 and NIST 800-171. All offerors and contractors must submit a basic self-assessment, or a medium or high assessment conducted by DoD assessors. Details are scarce and connection to the Cybersecurity Maturity Model Certification (CMMC) is anyone’s guess, but for contractors who have previously self-certified as compliant but not actually implemented the controls, this could be problematic, to say the least.

The DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  This emergency rule isn’t just a call to action. It’s the DoD calling the DIB’s bluff. If anyone doubted the seriousness of the DoD’s efforts to avert data loss, this emergency action should be evidence enough that they want the data to confirm or refute claims of compliance.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts. Many contractors kept waiting for the “cyber police” to show up and when they never came it was largely business as usual. The cyber police are here and it’s time to get your house in order.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance if/when that it arrives. If it never arrives, an unlikely outcome, you will at least have met your current contractual obligations.

 

So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance.

 

Follow our five-step process for success:

1. Assess current operations for compliance with NIST 800-171.

Start with a gap assessment of your current people, processes, and technology against compliance with NIST 800-171. This assessment will:

  • Directly link to Control 3.12.1 of NIST 800-171, which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
  • Give you a clear view of your current compliance with the remaining controls.
  • Generate a System Security Plan (SSP) and associated Plan of Actions & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.

 

2. Write your SSP.

NIST 800-171, Revision 1, requires contractors to develop, document, and periodically update SSPs that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Initially, your SSP will be an aspirational document. You’ll find that many of the 110 required NIST SP 800-171 controls are not fully implemented in your environment. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.

 

3. Document your POA&Ms.

Also a requirement of NIST 800-171, Revision 1, your POA&Ms will detail your plans to correct deficiencies, reduce or eliminate vulnerabilities, and achieve compliance.

These plans can be documented in a variety of formats, but at a minimum, they should detail:

  • The deficiency identified
  • The plan to correct the deficiency (people, processes, and/or technology)
  • Dates by which you intend to be compliant against the specific deficiency

Well-documented POA&Ms will enable eventual mapping to CMMC maturity levels.

Note that SSPs and POA&Ms can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained.

 

4. Implement the required controls.

Execute your POA&Ms and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and depending on your resources, you can benefit from working with a third party to implement the controls.

If you’re looking for an effective partner, make sure to ask the following questions:

  • Have they implemented the NIST 800-171 controls for similar-sized businesses?
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
  • Can they provide several references?

 

5. Maintain Compliance.

Once you’ve made it this far, it’s time to plan for ongoing compliance. You’ll need to achieve the following:

  • Documented and automated compliance reporting
  • Support Request for Proposal (RFP) and other acquisition-related business development activities
  • Ongoing operational expense related to maintaining compliance

 

For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on noncompliance. As we look ahead to CMMC, taking action now will put you in a better position when the next action arrives.

Background

In 2019, the Department of Defense (DoD) officially announced the introduction of a Cybersecurity Maturity Model Certification (CMMC). This unique maturity model is designed to improve the cybersecurity regarding Controlled Unclassified Information (CUI) within supply chains, especially as it applies to the Defense Industrial Base (DIB).

Version 1.0 of the CMMC framework was released in January 2020. By June 2020, CMMC requirements have started to be included in DoD and later GSA Stars Contracts Request for Information (RFIs) and Requests for Proposals (RFPs). Think about that for a second, within six months of creating a new model to assess the cybersecurity of defense contractor networks the language has started appearing in official acquisition documents. The CMMC train has left the station, in a hurry.

CMMC is the latest entry in regulations from a decade long process of public/private partnership between the DoD and DIB. Critically, the DoD is moving away from contractor led self-assessment and reporting to compulsory third-party certification pre-contract award. You will need certification, from an independent third party for future DoD contracts. (See graphic below.)

DFARS NIST CMMC Timeline

Who Must Comply?

As of this post, CMMC was still working its way through the rulemaking process for DFARS (Defense Federal Acquisition Regulation Supplement), which is expected to be released in November 2020. That said if your company provides products being sold to the Department of Defense (DoD) you are required to comply with the minimum cybersecurity standards set by the current DFARS clause 252.204-7012. All DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts. DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. Based on NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations,” manufacturers must implement these security controls through all levels of their supply chain. The silver lining is that CMMC builds on NIST 800-171 so when in doubt that is where you should start as it’s the current legal requirement.

If your DoD contracts do not require you to process, store, or transmit CUI, you must still protect Federal Contract Information (FCI) under Federal Acquisition Regulation (FAR) 52.204-21. Examples of FCI include contract documents, schedules, billing information, etc. The new DFARS clause is expected to combine the cybersecurity requirements from DFARS 25.204-7012 and FAR 52.204-21 into a common framework based on the CMMC model.

Government contractors are now being asked to effectively police their supply chains to address, among other risks, cybersecurity.  Supply chain management is now a key element to ensuring a company’s compliance with laws, regulations, and its internal policies, and to identify risks that could impact a company’s ability to perform, as well as its reputation. The fact that supply chains are global, increases the risks and demands on companies.

In fact, they must not simply police their supply chain, but they are legally bound to use specific contract verbiage with providers who may interface with CUI information which is as follows:

DFARS 252.204-7012(m):  “Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information,…”

Keypoints to this law:

  1. All third-party providers (TPPs) and Managed Security Service Providers (MSSPs) must be obligated to DFARS if they house, control, process, or maintain CUI.
  2. You are not in compliance with CMMC if your downstream MSSPs / TPPs are not compliant.
  3. You are not compliant if you don’t have contractually compliant language between you and the TPPs / MSSPs.

Navigating the dizzying world of different CMMC solutions can be a daunting task.  The recommended solutions and vendor mix can be very hard to understand.  Now let’s investigate these key points made above in more detail:

Pivotal question: Does my TPP or MSSP need to be compliant?

All TPPs and MSSPs must be obligated to DFARS if they house, control, process, or maintain CUI.   What exactly is CUI?  Let’s read on:

I want to repost an excerpt from our key business partner Microsoft in which Richard Wakeman provides a blog on CUI as follows:

What is Controlled Unclassified Information?
If you have not read the CUI History from the National Archives and Records Administration (NARA), I highly recommend it.  It’s a short read, and helpful for context. To summarize, before the advent of CUI, there was a myriad of autonomous Federal agencies and departments that had each developed its own practices for protecting sensitive information.  This non-conformity made it extremely difficult to share information with transparency throughout the Federal government and its stakeholders, such as the Defense Industrial Base (DIB). The CUI program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies.  Ultimately, NARA oversees the CUI Program and is primarily scoped to the Federal executive branch agencies.  Major contributors to the program include the DoD, the Department of Energy (DoE), the Department of Homeland Security (DHS), the Department of State (DoS), etc. NARA defines CUI as: “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”Presidential executive orders evolved to a rule published in 2016 called “32 CFR Part 2002 Controlled Unclassified Information”.  You can read about it here in the Federal Register. 32 CFR Part 2002 prescribes the CUI Program markings that span many categories and groupings.  The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data.  You can find the list here.
Microsoft Summary CUI Registry

3 Key Questions for your MSSP to indicate CMMC Compliance

Question 1: Is the CUI housed in USA Sovereignty? –  Or – Where are the location of all operations?  Perhaps another way to ask this question is by querying if the vendor has any operations located outside of the US?

A key attribute to the US DoD supply chain is understanding where their supply chain is located, and whether the location may provide some risk to the DoD supply chain.  U.S. companies that do business abroad or handle overseas data will now have to comply with a host of new cybersecurity rules after China became the latest country to impose regulations on firms operating there.

This follows hot on the heels of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which came into force in the U.S. in March 2018, and the European Union’s (EU) General Data Protection Regulation (GDPR), introduced two months later.

The implementation of these new protocols is driven by the recent surge in cyberattacks and, in the case of China, greater protectionism, exacerbated by the U.S. trade war, as the world becomes more divided.   Regardless, there are many cybersecurity firms that maintain global operations and software maintenance stations in unassuming regions of the world and this must be understood before you select your vendor.

 

Question 2:  Like Amazon Web Services, Microsoft and Google, do you separate out your government CUI customers from the infrastructure of all of your other customers? Does your provider know how to make the infrastructure comply with the various forms of CUI?

Here is the issue with mixed tenants of cloud environments and the protection of CUI which was quoted by Microsoft’s blog:

“Microsoft has prescribed the US Sovereign Cloud with Azure Government and Microsoft 365 GCC High to protect CUI and CDI consistently.  Our rationale is that CUI does include ITAR regulated data, and the DoD requires DFARS 7012 to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud.  It’s that simple.  It’s true that you may demonstrate compliance for CUI in our Commercial or GCC cloud offerings, but you will not get a contractual obligation from Microsoft to protect an aggregate of CUI anywhere else other than in the US Sovereign Cloud.  It will be your sole responsibility to prove and maintain compliance for it in other clouds.”

 

Question 3: Have you placed the DFARs compliant verbiage on CUI into the contract with the MSSP / TPP?   Was this a standard offering in verbiage in their contracts or non-standard?

I believe this is self-explanatory however to make this point very poignant let’s look at the prescribing law:

DAU Related Policies Cloud Computing

For many organizations, their technology, and the corresponding data are among their most valued assets. An organization’s CMMC / CUI Cybersecurity Program is an ever-evolving initiative that attempts to standardize the security data protection practices across supply chains including third-party providers and managed security service providers.  If your TPP or MSSP cannot meet the full requirements of CMMC certification, it is unlikely that you will be able to successfully complete a CMMC certification assessment. When choosing TPP’s or MSSP’s, choose wisely, your DoD revenue may depend on it.

Looking for an MSSP to partner with on your journey to CMMC preparation?

Join CyberSheath’s Eric Noonan, CEO, and Carl Herberger, VP of Security Services, dive into CyberSheath’s CMMC Managed Services for Defense Contractors using Microsoft Technology Stack during our upcoming webinar September 30, 2020, at 9:00 am | 12:00 pm EST > Save Your Spot

CMMC Compliance Managed Service Launch - Register Now

The U.S. has to up-level its cybersecurity. That’s the gist of what we’ve been hearing from multiple sources, including congressional commissions and the Department of Defense (DoD). The alarm bells — and the calls for more stringent security practices — will only grow louder.

The Cyberspace Solarium Commission used the U.S. COVID-19 response as an opportunity to assess the nation’s preparedness for a major, debilitating cyberattack. It highlighted the need to implement more than 30 recommendations from a previous report, as well as five more based on its findings around the pandemic.

Eric Noonan, CyberSheath’s CEO, will be speaking about those kinds of preparations for a national cyberattack against the U.S. on a panel at Cybersecurity Forum 2020. He will be joined by Paul Anderson of Port Tampa Bay, and Michael Wee of Northrop Grumman to talk about lessons learned from the pandemic, the state of cybersecurity planning and organization, and where to focus efforts to better prepare for a major attack. Register for the event here and tune in on Wednesday, September 16 at 2:15 pm ET, if you’d like to learn more.

Another ongoing effort to shore up security is the Cybersecurity Maturity Model Certification (CMMC). This is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper level of security to better protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

As founder and CEO of CyberSheath, the Title Sponsor of Cybersecurity Forum 2020, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards.

It’s one of the most comprehensive and impactful moves by the DoD to better secure sensitive data that resides on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they’re responsible for, and how to implement those changes.

CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we’re able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.

We wanted to be the Title Sponsor of Cybersecurity Forum 2020 because it’s advancing important conversations around the state of security and where we can go from here. In particular, we are looking forward to keynote speakers Senator Marco Rubio, who will give an overview of the risks of national cyber breaches; and Katie Arrington, CISO for the Office of the Secretary of Defense for Acquisition and Sustainment, who will speak on what’s needed for CMMC compliance.

While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from other disaster responses and a new bar for effective cybersecurity. We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.

Recently, the National Institute of Standards and Technology (NIST) re-released the Draft Special Publication (SP) 800-171B as Draft SP 800-172. This document is in final draft review with all comments due August 21, 2020.

What is new in NIST 800-172?

The new NIST 800-172 is intended as a supplement to NIST 800-171, the cybersecurity framework required by DFARS 252.204-7012 on all DoD contracts to protect Controlled Unclassified Information (CUI). While NIST 800-171 provides the basic cybersecurity controls required to protect CUI on a majority of DoD programs and suppliers, NIST 800-172 defines enhanced cybersecurity controls intended to protect CUI subject to enhanced threats. In particular, NIST 800-172 aims to protect programs and contractors that might be the target of one or more Advanced Persistent Threats (APT). An APT is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. As such, it requires enhanced cybersecurity activities to prevent an APT from accessing a contractor’s network, or even identifying that an APT has already gained unauthorized access to a contractor’s systems or networks.

How will NIST SP 800-172 Affect My Contracts?

One question that comes up is, “How will NIST 800-172 affect my contracts?” Currently, the answer is that it does not directly. Unlike NIST 800-171, the required cybersecurity framework imposed on all DoD contracts that handle CUI through DFARS 252.204-7012, no DFARS clause requires NIST 800-172. Once NIST 800-172 has completed the NIST Draft comment phase and been formally released, an individual contract that is considered high risk from an APT may call out part or all of the NIST 800-172 cybersecurity controls as requirements, but this is likely to be very rare. The more likely scenario for these contracts will be adopting the Cybersecurity Maturity Model Certification (CMMC) framework at Maturity Levels 4 or 5. But even this is expected to be a rare situation. Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, estimates that .06% of all contractors will require CMMC Level 4 or 5 certification.

CMMC’s Incorporation of NIST 800-172

The CMMC framework was formally released in January 2020 and is currently positioned as a replacement for NIST 800-171. CMMC defines five (5) cybersecurity maturity levels. Maturity Level 3 corresponds roughly to NIST 800-171, incorporating all 110 security controls from NIST 800-171 plus 20 new controls drawn from other frameworks. CMMC Maturity Levels 4 and 5 provide 41 additional cybersecurity controls specifically targeted at contracts and contractors considered subject to an APT. CMMC Levels 4 and 5 include 15 of the NIST 800-172 (formerly NIST 800-171B) controls.

The DoD is working now to publish a new DFARS clause and contract language to allow DoD agencies to include the new CMMC framework in future requests for proposals (RFPs). Once this has completed the public comment and final release phases, the DoD plans to roll out the CMMC over the next five years, starting with approximately 15 “Pathfinder” programs in FY2021.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.

Current Compliance Landscape

Deputy Defense Secretary Patrick Shanahan spoke at the Armed Forces Communications and Electronics Association (AFCEA) on Feb 6, 2018, and said, “The culture we need to get to [around IT security] is that we’re going to defend ourselves and that we want the bar to be so high that it becomes a condition of doing business.” Fast forward two years later and we are on the cusp of one of the largest changes to DoD acquisition ever with mandatory minimums for cybersecurity across all DoD contracts.

For commercial firms providing services to the U.S. defense industry, the challenge that is cybersecurity has been growing for years but largely without any oversight from the DoD. Defense budgets and the use of contractors have grown in parallel to the storing of important, yet unclassified information on commercial defense contractor networks. This exposure, Controlled Unclassified Information (CUI) resident on unregulated and often under secured contractor networks across the DoD supply chain has become a risk that requires addressing for the DoD.

The Defense Industry has always worried about security around products and services.  However, the business systems and IT infrastructure that supported those defense contractors were not monitored or significantly regulated by the US Government although vulnerable to attack.  The Pentagon has acknowledged an urgent need to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity.  Indeed, the requirements to protect data have been expanding for more than a decade and the Federal Acquisition Regulation (FAR) and the General Services Acquisition Regulation (GSAR) are expected to add data protection requirements in 2020.  In truth, the new Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain has been underway for many years now (see chart below).

DFARS-NIST-CMMC-Timeline-11Aug2020

Overview of CMMC

The Cybersecurity Maturity Model Certification (CMMC) program will serve as a method of verifying that appropriate levels of cybersecurity controls and processes meet a specific standard and are in place to protect controlled unclassified information that may be held on the DoD’s industry partners’ networks.

The CMMC program builds on another US government acquisition regulation called DFARS Clause 252.204-7012 which requires the implementation of NIST SP 800-171, Protecting Unclassified Information in Nonfederal Information Systems, and Organizations, as the standard for defense contractors handling CUI data.  As such, compliance with NIST 800-171 has been essential for winning and sustaining contracts since 2017 but the lack of oversight and auditing has led to many self-certified contractors that might not stand up to the scrutiny of a 3rd party audit. Because CMMC is at its foundation based on DFARS Clause 252.204-7012 and NIST SP 800-171 it’s important to understand these two separate but related requirements.

Understanding DFARS Clause

 

CMMC, when finalized and fully mature, will require independent validation of compliance by a CMMC Third-Party Assessor Organization (C3PAO). This is a significant change from DFARS Clause 252.204-7012 which allowed for self-certification and could upend a largely unprepared supply chain that has taken advantage of lax oversight and enforcement.

CMMC is broken down into five compliance levels which a company will need to be certified to be able to be awarded a DoD contract.  The levels break down (see below) into demonstrable levels of cybersecurity maturity from which a defense contractor can acquire more and more abilities to conduct services with the DoD.

CMMC Level Requirements

Your Current Managed Security Service Provider (MSSP) Probably Isn’t Doing Enough For CMMC

Most small business defense contractors do not separate IT from cybersecurity and often the IT work takes priority, not cybersecurity or compliance. Small businesses with one or two IT staff members who are already oversubscribed have no chance of ingesting CMMC and achieving compliance without the help of a Managed CMMC Service. Maintaining the security and compliance programs required by the government is now a full-time job and failure to do so will prevent your company from doing business with the DoD.  No matter how qualified or knowledgeable, a small team simply does not have time or the breadth of skills to architect, administer, and manage their environments in alignment with CMMC requirements. You cannot do it alone.

Over the last decade, many businesses have outsourced their security and/or compliance requirements through a Managed Security Service Provider (MSSP).  Effectively MSSPs take care of the security requirements and allow a business to focus on their core competencies. Few if any MSSPs have any real skin in the game when it comes to compliance. Read their statement of work and it is lightly mentioned if at all and there are caveats galore around why they are not responsible or accountable in any meaningful way. In many cases, MSSPs introduce their own set of issues, vulnerabilities, and compliance headaches because the MSSP is not properly equipped to manage data and processes in a manner aligned with CMMC requirements.  With the MSSP handling most every piece of security and monitoring but never documenting and attesting compliance with CMMC, the current MSSP model falls short of CMMC requirements.

Investing in CMMC compliance (which includes compliance with DFARS 7012 and NIST 800-171) is a big effort because it now includes line of business systems including finance, personnel, and IT vulnerability information.  While MSSPs are valuable partners who reduce overhead costs and enable businesses to stay focused on their core mission, it is important to remember that MSSPs will have access to documents, CUI, and data including passwords, access codes, and vulnerability information about their IT environment.  Because MSSPs have this kind of sensitive data in their possession, it is critical that they make the same investment in NIST 800-171 to ensure that you stay compliant and properly manage CUI information and the security of your IT environment. Again, most MSSPs have very little if anything in their statements of work regarding compliance so small businesses are left with a false sense of security around achieving CMMC compliance.

Without clear lines of responsibilities between the owner of compliance and the business and IT operations of the host company, the failure of a compliance audit is inevitable.

That is the bad news, now for the good news.

CyberSheath’s Managed CMMC Service

In response to the new federal requirements and an ever-changing landscape, CyberSheath has created a whole new set of Managed Services to allow for any business to achieve any CMMC compliance level they desire. Unlike every other MSSP in the market today our CMMC service offerings are an evolution of our successful legacy NIST 800-171 Managed Services. Said another way, we aren’t new to this space and we have been through dozens of successful third-party audits over the past five-plus years.

We offer 5 different levels of assured compliance for you to choose from based on your business requirements. To date, 100% of our customers are focused on CMMC Maturity Level (ML) 3 as it so closely aligns with the NIST 800-171 requirements.

First Step:

  • We meet your business where it is today. We will gain visibility of your desired CMMC ML and any gaps in processes, documentation, practices, or technology.
  • Gain current and ongoing visibility into NIST 800-171 / CMMC via professional certified assessments and remediation plans.

Second Step – Select Hosted Compliance Level(s):

  • Level 1: Become compliant with CMMC ML1 over your entire infrastructure within weeks.
  • Level 2: Work with a virtual security officer and get assistance with ongoing compliance program oversight and routine reporting.
  • Level 3: Quickly gain the ability to achieve compliance and bid on CMMC ML3 contracts with our cloud-based guaranteed compliance offering.
  • Level 4 or Level 5: Leverage our expertise as we maintain the rigorous program, technology, engineering, and implementation required for the most robust security standards.
  • Beyond:
    • Future-proof your compliance to changes in CMMC policy or implementation approaches by assigning ongoing program maintenance to CyberSheath.
    • High Cloud infrastructure in a hosted compliant process.

Third Step:   We manage your compliance as an outsourced compliance program inclusive of an MSSP

CyberSheath’s CMMC Shared Security Model is the Answer to CMMC Compliance for Small Businesses

Whether it be a public, private, or hybrid architecture, businesses must take responsibility for ensuring that their data is secure. With limited resources and no time to become a CMMC expert, the solution to the problem is clearly a shared responsibility model. CyberSheath has successfully implemented and been audited against our shared responsibility model many times over the last five-plus years so our solution is tested and audit-ready. Our tailored responsibility matrix eliminates single points of failure and ensures that all required security requirements have an owner and produce the required documentation and evidence. The shared responsibility model reduces the day-to-day operational demands on your business and ensures documented, repeatable, and audit-ready compliance.

With government revenues on the line, it is crucial to determine who controls the various components of the CMMC compliant infrastructure and operations. CyberSheath defines where and how security measures should be applied, with a special focus on CUI and other sensitive government data.

CyberSheath differentiates itself by taking ownership of assured CMMC compliance and it is a contractual requirement that we put right into our statements of work. This cannot be done in isolation and requires shared and distinct responsibilities on both sides of the partnership which tend to be specific to each company.  CyberSheath offers a ‘single-pane-of-glass’ to gain visibility into CMMC compliance, continuous security monitoring, and various important datasets, analytics, and user interfaces in one place. Our CMMC management platform is built around Microsoft Azure’s FedRAMP GCC High environment which ensures infrastructure capabilities that can detect and remedy security misconfigurations, leveraging services to ensure near-real-time compliance features.

Why CyberSheath?

Cybersheath has leveraged and lived this Shared Responsibility Model for NIST 800-171 successfully for many years now, and expect that it will be a fundamental part of CMMC attestation and MSSP partnerships going forward.  The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your CMMC readiness gets – and stays – on track.

The US Department of Defense (DoD) has one of the largest supply chains in the world, scaling to hundreds of thousands of different vendors and partners. While valuable, these vital partners in our nation’s defense infrastructure pose a huge cyber risk. Today that risk is largely unchecked and unregulated as contractors can “self-attest” to their ability to protect Controlled Unclassified Information (CUI).

Commercial companies are the lifeblood of any economy and the circulatory system of modern day societies.  They provide needed innovation, new discoveries, critical high-value support as well as materials and quick solutions to a myriad of problems. From the most arcane to the most mundane, the US Defense Department has needs in nearly every aspect of procuring commercial services, but this lifeblood paradoxically may imperil the entire system by leveraging companies with little respect for cybersecurity controls. In fact, in this connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it is astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches (according to Stars & Stripes).

And experts feel this is just the tip of the iceberg – the vast majority of security incidents are never uncovered. The Pentagon needs to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity. Essentially that is the goal behind the Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain. The CMMC effort is not without its critics but who can argue that real change wasn’t urgently needed?  Learn More about CMMC

Let us review some major breaches of national security that hopefully can be prevented in a post CMMC world so that you might be the judge:

Example One – Jan-Feb, 2018:  Comprise of US Navy “Operation SEA DRAGON” – Chinese hackers stole sensitive U.S. Navy submarine plans from Rhode Island DoD contractor

Citing unnamed U.S. officials, the Washington Post reported in June of 2018 about a very disturbing cyberattack of a US DoD contractor.  Evidently Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.

The breaches took place in January and February, the officials told the Post, speaking on condition of anonymity about an ongoing investigation led by the Navy and assisted by the Federal Bureau of Investigation.

The U.S. Navy and an unnamed defense contractor are/were working on a new missile which the Navy says will give its submarines a new, “disruptive offensive capability” to take on enemy ships. The previously unknown weapon, known as Sea Dragon, supposedly combines an existing U.S. Navy platform with an existing capability, is likely a new version of a versatile air defense missile capable of pinch-hitting as an anti-ship missile.

Example Two – March 2019:  US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers

An internal U.S. Navy review concluded that the service and its various industry partners are “under cyber siege” from Chinese hackers who are building Beijing’s military capabilities while eroding the U.S.’s advantage, The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus — if we don’t do anything, we could die.”

Three particularly worrisome recent incidents (2018-2020) were the theft by China of highly sensitive information on naval projects left on an unclassified network (2019), last year’s breach of private information on 30,000 Pentagon employees(2018), and the exposure of 60,000 files on a publicly accessible server involving a subcontractor to Booz Allen Hamilton (2018), the firm that employed Edward Snowden. And perhaps most embarrassing was the 2016 theft of sensitive plans for the F-35 fighter — a plane that will cost taxpayers $1.5 trillion over its lifespan. A small Australian subcontractor on the project had reportedly never changed its Windows passwords from the defaults “admin” and “guest.”

Example Three – Sept-Dec 2019:  Compromise of Emails and LinkedIn Accounts of military defense companies

In a report released in June 2020 by Slovakia-headquartered ESET cybersecurity company who said the cyberattacks of mainly European aerospace and military defense firms were launched between September and December 2019. A collaborative investigation with two of the affected European companies allowed them to gain insight into the operation and uncover previously undocumented malware.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation, and impersonating legitimate software and companies.

According to their investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representative of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

Fake-LinkedIn-Account

With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question.

Example Four – 2017-2020:  The Chinese APT Threat to Cleared Defense Contractors

In a report published in June of 2020, cyber-security firm Lookout said it found evidence connecting Android malware (APT 15) that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an.

Lookout’s 52-page report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western China, but also the Tibetan community, to a lesser degree.

The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China’s border regions but also living abroad in at least 14 other countries.

“Activity of these surveillance campaigns has been observed as far back as 2013,” Lookout researchers said. The company attributed this secret surveillance to a hacking group they believe operates on behalf of the Chinese government.

The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups have been linked to contractors hired by Chinese intelligence agencies operating in various regional offices.

This includes:

APT3 – linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong

APT10 – linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin

NEW!  APT 10 – Xi’an Tianhe Defense Technology, a large defense contractor in the city of Xi’an, in central China.

APT17 – linked to several companies operating on behalf of Chinese state security officials in the province of Jinan

APT40 – linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan

Operators behind APT3 and APT10 have eventually been charged by the US Department of Justice in November 2017 and December 2018, respectively.

Based on previous threat intelligence reports published by cyber-security firms Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly to, and take orders from intelligence officials.

In an FBI warning in 2018, https://publicintelligence.net/fbi-defense-contractors-apt/, specifically cites examples against “Cleared Defense Contractors” and here is an excerpt of the alert:

“APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.

FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.

Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities may likely be targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.”

Example Five – Feb-June 2020:  DCSA Bulletin – US Defense Focused

In a report published recently by politico, they suggest they obtained a Defense Counterintelligence and Security Agency (DCSA) bulletin marked “unclassified/for official use only” and warns that DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities, including those specializing in health care technology.   Moreover, the bulletin goes on to say, “Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1”, according to a bulletin disseminated to contractors by the Defense Counterintelligence and Security Agency.

The so-called Electric Panda group is not new and appears to have been operating since at least 2016, according to one of the indicators listed by DCSA. The bulletin goes on to say that this group has been targeting contractors that specialize in cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems.

Conclusions: How to Solve the Problem?

Given this, how safe is the US DoD Supply chain from cyberattacks?  From casual, publicly available information, there is strong evidence that the supply chain base of the US DoD system is under dedicated and constant attack, most probably needs dramatic investments in order to stay safe and sound from cyberattacks and to keep the US military safe.

The key to understanding the solution is to understand that the threat is immeasurably more serious as we must concern ourselves with the great possibility of a loss of life scenarios.

Let us hope that the new CMMC regulation is a very important step in accelerating the awareness of the real possibilities of these dangers, then to assemble a well-orchestrated cybersecurity risk and mitigation strategy for each attribute of DoD Supply chain may be placed in harm’s way.

Next Steps

If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

 

According to a Department of Defense (DoD) official as confirmed to Inside Cybersecurity, DoD is planning to publish the proposed acquisition rule required for the implementation of the Cybersecurity Maturity Model Certification (CMMC) program in the next few weeks.

The proposed rule change, titled “Strategic Assessment and Cybersecurity Certification Requirements” under Defense Federal Acquisition Regulation Supplement (DFARS), is required for the Pentagon to award contracts containing CMMC language. Final timing is a decision for the White House Office of Management and Budget’s Office of Information and Regulatory Affairs, but the proposed timing aligns with the tremendous push forward for CMMC across the DoD.

This news should continue to melt away any doubts that the train has left the station and getting compliant with DFARS 252.204-7012 and NIST 800-171 for current contracts and planning for CMMC implementation for future contracts is a major priority for all DoD suppliers.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.

 

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and Cybersecurity Maturity Model Certification (CMMC) is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. Discover what outcome-based Managed Services look like from start to finish, including a successful DoD audit, with a New England based defense contractor.

The contractor recognized the need for compliance with DFARS 252.204-7012, NIST 800-171, and eventually CMMC.  With processes largely informal and undocumented, insufficient staffing, and key technologies not deployed, partnership with a Managed Services provider who truly understood the requirements of a DoD contractor was the only way forward.

Our MSSP team quickly propelled the organization to 90% compliance with the DFARS controls, and with POA&Ms in place to close the remaining gaps. The CyberSheath team’s work resulted in a satisfactory DoD assessment and specific recognition by the DoD officials of the unique role that CyberSheath played as a managed services partner, enabling compliance.


Learn more about this real-world client success story at our webinar on July 8

Gain insight from behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and low-risk rating by the DoD.

Sign up today

 

DFARS Compliance with CyberSheath

As a defense contractor, it is imperative to your organization’s survival that you stay competitive in the Department of Defense (DoD) acquisition process and implements the required security requirements including DFARS Clause 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1.  And soon, the Cybersecurity Maturity Model Certification (CMMC).

CMMC requires mandated minimum levels of cybersecurity, validated by a third party, for 100% of DoD contracts.

How do you ensure that you achieve compliance while thriving at your core competency and growing your business – and how do you right-size the security requirements? Internal IT and security staff are already stretched thin and have no time to learn the complexities of DFARS, NIST, and CMMC. So how can you possibly be successful with so many things working against you?

Leverage CyberSheath Managed Security Services for DFARS compliance.

How CyberSheath Managed Services Enable Compliance

Working with CyberSheath will have a profound impact on your business. With clear direction and measurable outcomes to support DFARS, NIST, and CMMC requirements, your company can confidently move forward and:

  • Pass your DoD customer assessment.
  • Achieve a low cybersecurity risk rating by a DoD third-party assessor.
  • Stay compliant as risks and requirements evolve.

CyberSheath Managed Security Services include:

  • Assessment – By providing documented, actionable annual compliance assessments against all necessary security requirements, you will know where to focus efforts to improve your security posture. To help you address vulnerabilities, CyberSheath tailors a master System Security Plan (SSP) specific to your environment.
  • Remediation – Specific remediation tasks are aligned with Plan of Actions and Milestones (POA&Ms) and often include creating cyber incident response processes, vulnerability management programs, launching multi-actor authentication (MFA), and implementing mobile device management (MDM).
  • Compliance – CyberSheath documents, automates, and assess compliance that can be easily validated during a third-party audit. Implementing the NIST/DFARS and CMMC requirements across your infrastructure, formalizing security policies and procedures, and making key processes repeatable. The end result is a centralized 24x7x365 Security Operations Center (SOC) capabilities and continuous evidence of regulatory compliance.

Why CyberSheath DFARS Managed Services?

CyberSheath delivers turnkey compliance from assessment through your mandatory third-party audit. We also take accountability for compliance every step of the way and cut through the confusion of NIST 800-171 and CMMC to ensure measurable, ongoing compliance.

You need an MSSP that has seen it all. When you are vetting providers, be sure you partner with a skilled, knowledgeable security expert with years of experience helping organizations and securing infrastructures like your own. Look for a company with extensive DoD experience and with professionals who have seen every iteration of DFARS from voluntary to the current mandatory state.

 

Learn how CyberSheath’s partnership as a Managed Service led to a successful DoD audit at our webinar on July 8

Get details on how to become compliant and go beyond templates and policy documents to get a glimpse of what total success and compliance looks like as measured by a successful customer audit.

Sign up today

 

The theft of intellectual property and sensitive information across the Defense Industrial Base (DIB) and the supply chain of the Department of Defense (DoD) threatens economic security and national security. Malicious cyber actors have persistently targeted the DIB sector and the DoD supply chain resulting in loss of intellectual property and unclassified information, which threatens U.S. technical advantages and significantly increase risks to national security.

The DoD is taking action to combat these threats. CMMC maturity levels will soon be used to determine whether a company will or will not be awarded a contract. To state that a different way: There are new regulatory cybersecurity minimums that must be validated by an independent third party prior to contract award on Defense Contractor networks.

What is CMMC?

CMMC encompasses multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The evolving certification is focused on the protection of unclassified information across the supply chain categorized as:

  • Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release.
  • Controlled Unclassified Information (CUI): CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954 as amended.

The CMMC model consists of five maturity levels and 171 cybersecurity practices mapped across these maturity levels. This structure helps to institutionalize cybersecurity activities, ensuring that they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding at Level 1, moving to the broad protection of Controlled Unclassified Information (CUI) at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APTs) at Levels 4 and 5.

 

DoD CMMC 1-5 Maturity Levels

 

The CMMC framework is coupled with a certification program to verify the implementation of these important cybersecurity processes and practices.

Is CMMC different from DFARS Clause 252.204-7012 and NIST 800-171?

Yes. While the requirement for DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting has been mandatory for several years, enforcement has been inconsistent and self-certification has been allowed, until now. CMMC changes that. Defense Contractors must now implement mandatory minimum levels of cybersecurity prior to contract award. They must also have their implementation of cybersecurity controls validated by a third party. Self-certification is no longer allowable.

The majority of CMMC practices (110 of 171) originate from the safeguarding and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012. It is expected that the vast majority of defense contractors will need to be certified at CMMC Maturity Level 1 or 3.

  • Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21.
  • Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST 800-171 plus other practices.

While the actual CMMC certification process is still a work in progress, defense contractors that implement the 110 security requirements of NIST 800-171 will have a head start towards achieving compliance with the new certification once it takes effect. In fact, CMMC Maturity Level 3 includes all 110 NIST 800-171 security requirements, making 85% of Maturity Level 3 compliance based on NIST 800-171 compliance.

The DoD is building on and strengthening, not abandoning, NIST 800-171. While specific maturity levels for individual contracts have not yet been determined, it is understood that implementing NIST 800-171 security requirements is the best way to prepare for CMMC. Get to work implementing NIST 800-171 to put yourself in a position to succeed.

How will CMMC affect the Acquisition Process?

CMMC will have a dramatic impact. Self-certification is being replaced with third party validation prior to the contract award. Checkbox compliance with nothing more than the documentation of a System Security Plan (SSP) and Plans of Action & Milestones (POA&Ms) is no longer sufficient. Doing business with the DoD now means a commitment to cybersecurity that is based on trust but verify DoD process for all 300,000 plus DoD suppliers.

How can I get ready for CMMC?

Given that the DoD has made NIST 800-171 the foundation for certification, preparing for CMMC is a relatively straightforward process. While not easy or free, it is uncomplicated to determine the steps necessary, timing, and priority. Here are measures to take to get started.

  • Step 1. Assess your current operations for compliance with NIST 800-171.
  • Step 2. Document your System Security Plan (SSP).
  • Step 3. Document your Plan of Actions & Milestones (POAMs).
  • Step 4. Implement the required controls.
  • Step 5. Maintain compliance.

For an easy-to-follow guide on how and in what order you should start getting ready for your mandatory third party CMMC audit, download our guide.

Why CyberSheath

There is no better company to help you in doing the actual work required to achieve CMMC compliance. CyberSheath has been working with the DoD and its suppliers for nearly a decade as CMMC has evolved from voluntary to self-certification, and now mandatory third party certification. Our CEO is a former Chief Information Security Officer for one of the largest defense companies in the world, and our employees are all practitioners, not consultants. What is the difference? Consultants just tell you what to do in presentation slides; we know what action to take and we do it.

We are in unprecedented times. As we all work to maintain as much normalcy in our personal and professional lives as possible, important projects such as those involving your organization’s cybersecurity might not be top of mind.

You’ve worked hard to secure your company’s valuable information technology resources to guard it against all sorts of cyberattacks. Neglecting IT security now would be a misstep. Here’s why.

Three Reasons Quarantine Shouldn’t Stall Your Cybersecurity Plans

1 – CMMC is moving forward in spite of the current crisis.

In an interview with Government Matters on March 29, Katie Arrington, the chief information security officer in the Office of the Undersecretary for Acquisition and Sustainment, announced the DoD is still moving forward with the newly launched Cybersecurity Maturity Model Certification (CMMC), even with the current challenges companies are facing due to COVID-19.

2 – Protecting controlled unclassified information (CUI) remains important.

It’s worth considering if the scope of your CUI environment has changed now that many or all of your employees are working from home. With that in mind as well as an increase in cyberattacks, including phishing and hacking, it’s possible that your dispersed and remote workforce could be more at risk – potentially exposing your company to nefarious threats.  And, unchanged is the regulatory requirement of protecting CUI under NIST 800-171. Now is not the time to be lax on IT security.

3 – Assessments can be done remotely.

While the present environment might alter some aspects of your approach, it shouldn’t change your CMMC timeline. With all of your organization’s digital capabilities – which undoubtedly have been tested and broadened in recent weeks – collaborating with a skilled provider on your CMMC assessment makes sense.

A skilled partner like CyberSheath will be able to work with you remotely to assess your current IT infrastructure and security posture, helping to get you ready for CMMC. The assessment is the first step to understand the gaps your organization is facing to meet CMMC requirements. To prepare you for the assessment process, to know what to expect, and what is needed to manage a successful engagement, we interviewed a cybersecurity practitioner to share from his years of experience, access the interview now.

As we look to the coming months and plan for an uncertain future, one thing that remains constant is the need to develop, execute, and maintain a robust cybersecurity plan. Delaying your efforts to comply with CMMC could impact your business – and making your IT security a priority is always a good idea – especially now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your CMMC assessment gets – and stays – on track.

Technology photo created by freepik – www.freepik.com

It has finally arrived, the Cybersecurity Maturity Model Certification (CMMC) version (v) 1.0. CMMC v1.0 changes the DoD acquisition process with certification becoming a pre-RFP requirement to bid a government contract.  Like you, CyberSheath has been aggressively following the CMMC’s progression to this final version which included 3 previous drafts 0.4, 0.6 and 0.7. Overall not much has changed from draft 0.7; however, version 1.0 does have some noteworthy updates.

 

Overview of CMMC Levels 1-5 per the DoD’s released CMMC v1.0 pdf

Level 1 focuses on the protection of Federal Contract Information (FCI) and the practices under the basic safeguarding requirements detailed in 48 CFR 52.204-21.  Level 1 is the only level where processes will not be assessed.

Level 2 is the step between Levels 1 and 3 and as such begins to include a portion of NIST 800-171 controls, in addition to other frameworks. The subset of frameworks introduced at Level 2 also starts to refer to Controlled Unclassified Information (CUI).  Unlike Level 1, documentation of processes and policies is a requirement in Level 2.

Level 3 requires the implementation of all 110 NIST 800-171 controls. There is also 20 new CMMC practices introduced at Level 3.  In addition to documenting processes, “Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.”

Level 4 concentrates on the “protection of CUI from APTs and encompasses a subset” of practices from the NIST 800-171B draft combined with other cybersecurity models.  Level 4 requires documenting, managing in addition to reviewing processes as well as improving as necessary.

Level 5, like Level 4, Level 5 concentrates on the “protection of CUI from APTs.”  Level 5 requires the continuous optimization of documentation and processes across the organization.

 

Key Differences between NIST 800-171 and CMMC v1.0

CMMC includes security practices in new Domains including Asset Management, Recovery, and Situation Awareness.

Level 2 requires increased standards for Incident Response

Level 2 requires an organization to review logs

Level 3 requires increased standards for Risk Management

Level 3 requires organizations to collect audit logs in one or more central repositories

Level 3 includes new requirements to protect email services

Level 3 includes new requirements to filter access to potentially malicious internet sites (DNS filtering)

Level 3 builds on Levels 1 and 2, requiring 100% compliance with NIST 800-171 plus 20 new CMMC practices (1 less than the previous draft version)

 

Key Differences between CMMC draft v0.7 and CMMC v1.0

Level 4 SOC is now 24/7 instead of “normal business hours”

Levels 3, 4 + 5 the new practice (P1035) requiring organizations to, “Identify, categorize, and label all CUI data” has been removed from all Levels that originally required it in draft versions. However, the original control to mark media is still there, so if you print or put media on a thumb drive, you need to mark it. But identifying and labeling CUI content is not explicitly stated as it was in all previous drafts.

 

If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

You have completed your NIST 800-171 security controls assessment to see how your company is doing in meeting the requirements of the standard. The evaluation revealed some gaps within your organization’s implementation of the solutions, tools, and processes you have launched. Unsurprisingly, these gaps typically occur in those controls most difficult to rollout. These challenges include those relating to:

Technology – Issues may include trouble identifying the right solution to address problems and the cost to acquire and implement the tools.

Process – There are often organizational matters to navigate as the company deals with changing the way it has always done things. This can extend to the need to adjust attitudes and upgrade the skillsets of members of the IT team as well as executive staff.

People – Impacting how employees perform their day-to-day work can make your whole organization run less smoothly.

 

Based on our work performing hundreds of assessments each year, we have identified consistent implementation gaps regarding the following controls:

 

5 – Training and Awareness, Control 3.2.1

  • Control requirements: This control mandates on-boarding and periodic refresher training of all users with access to sensitive information, as well as specific training for security-related roles.
  • Implementation challenges: Training and awareness impacts everyone and is one of the most effective ways to improve your security. Some employees consider it boring or not directly related or important to their work. The size of your workforce and the technical background of employees will have a direct impact on your implementation. While not the most difficult control to put into action, it can provide the most improvement to your security.
  • 51% of our assessed clients had issues with this control.

 

4 – FIPS-validated Cryptography, Control 3.13.11

  • Control requirements: Using FIPS-validated cryptography is compulsory to protect Controlled Unclassified Information (CUI). This includes deploying it on mobile platforms, including cell phones, tablets, and laptop drives, as well as on removable media and during transmission over unprotected communication channels.
  • Implementation challenges: This technology is complex and integrating it with the rest of your systems can be onerous. The size of your workforce and complexity of your environment also affects your implementation. Conducting the due diligence necessary to determine that all the encryption tools you employ to protect CUI can be challenging. Some of our customers understand that the encryption algorithms employed by their tools are FIPS-validated but are not aware that FIPS-validated cryptography includes other parameters, such as key generation, protection, and management.
  • 52% of our assessed clients had issues with this control.

 

3 – Incident Response, (Controls Class) 3.6.X

  • Control requirements: This control mandates that you establish an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response, as well as the ability to track, document, and report incidents.
  • Implementation challenges: There is a tendency to be reactive rather than proactive, as often people do not like to think about things going wrong, and employees are often not eager to report to management or customers about negative events. Again, the complexity of your environment and size and training of your IT workforce impacts the implementation. Also, effective Incident Response processes go beyond IT and Security, requiring coordination with other organizations such as HR, Legal Consul, Communications, and the Executive Leadership Team.
  • 64% of our assessed clients had issues with this control.

 

2 – Multi-factor Authentication, Control 3.5.3

  • Control requirements: To comply, it is necessary to use multi-factor authentication (MFA) for network and remote access by all users, and in addition, privileged users require MFA for all local access. Authentication factors include “something you know”, such as a password; “something you have”, such as a token or cell phone; and “something you are”, such as a fingerprint. To meet this control, your organization must use two (or more) different factors. For example, using two passwords is not MFA. Using a password and your fingerprint is MFA.
  • Implementation challenges: This control is potentially expensive as it necessitates a new process and affects your service desk, every piece of hardware, and your people, as logging in is different. Implementation is impacted by your current systems and processes, the size of your environment, and the diversity of your platforms.
  • 73% of our assessed clients had issues with this control.

 

1 – Documentation for all Controls

  • Control requirements: NIST SP 800-171 r1 “expects” that nonfederal organizations will have policy, process, and plan documentation covering all the security domains as part of their comprehensive security program.
  • Implementation challenges: Most companies don’t have policy, process, or plans to measure if they are doing the right thing and doing it consistently – and this will be even more important with the introduction of Cybersecurity Maturity Model Certification (CMMC). Also, technical people typically enjoy doing technical work, such as design, implementation, and support and are not as motivated to complete the required paperwork. Implementation of a comprehensive documentation system hinges on your resources and what your company already has in place and on-file.
  • Approaching 100% of our assessed clients had issues with this control.

 

If you need expert help complying with these challenging requirements or any others, you can rely on CyberSheath. Contact us to see how we can help your organization move forward.  We also invite you to join Eric Noonan, CyberSheath CEO, at our upcoming webinar on February 26th, 2020 at 9:00 am (PST) | 12:00 pm (EST) to learn how these difficult NIST 800-171 controls could affect your CMMC efforts.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

 

Webinar Leveraging NIST 800-171 to Achieve CMMC Registration Link

There is a lot your organization is already doing that you can apply to your preparation for the impending launch of CMMC (Cybersecurity Maturity Model Certification). One important and useful component to consider is a Plan of Action and Milestones  (POA&M or POAM).

Required to achieve compliance with NIST 800-171, a POAM is an extremely useful tool in helping your organization plan for a multitude of security projects, including compliance with standards like CMMC.

How a POAM Helps Realize Project Goals

Providing a structured approach for how to approach any security issue, a POAM delivers many benefits. It:

  • Outlines activities necessary to mitigate security issues.
  • Helps identify the security issue you are having or might have, and the underlying gap in your systems or processes.
  • Assigns resources needed to mitigate issues.
  • Holds your organization accountable with projected completion of milestone activities.
  • Calls out how vulnerabilities were identified.
  • Denotes risk level, labels status, and captures the estimated cost to remediate.

It’s a good idea to be well-versed and able to use a POAM now. Once you factor in the added benefit of helping your organization get ready for proceeding with CMMC compliance, using a POAM just makes sense.

POAM and CMMC Compliance

Preparation  As you ready your organization for tackling CMMC compliance, a POAM will matter more than ever. The plan can be used as a guide to understand what is required of your organization to receive the CMMC level certification your organization needs to bid on a government contract. It will actively manage and guide your project by highlighting the timeframe and resources required to achieve a CMMC level of certification by a specific date.

Maintenance – In the constantly evolving threat and technology landscapes, the tool can also assist in maintaining your certified level. A change to the threat environment could make a security practice no longer, or less, effective. A POAM could be used to reestablish compliance with the security practice if the new threat creates a gap.

Changes to your infrastructure may also create practice or process gaps that require a POAM to remediate. For example, if you are Maturity Level 3 certified at contract bid, which requires you have resources to collect and review your audit logs, and your organization doubles in size during the contract, you could potentially need a POAM to address the resources needed to collect and review audit logs which have now doubled in volume.

Advancement – After you have achieved initial CMMC compliance, a POAM can continue to add value, assisting your organization in leveling up and reaching a new degree of certification (i.e. advancing from CMMC Level 2 to CMMC Level 3). A POAM again becomes a driving force to manage your time around a project completion date as well as the resources required to successfully reach the determined milestones.

Executive Buy-In – As you look for budget and resource approvals to tackle CMMC compliance, a POAM can be a helpful tool in communicating with and getting buy-in from senior management.

Start familiarizing yourself with this valuable tool now by downloading our sample POAM template below.

CMMC Update – Draft Version 0.6

CMMC is being further refined and another update to the standard was recently released (Version 0.7). Draft Version 0.6 includes notable updates such as:
  • Changed from 18 to 17 Domains with the elimination of the Governance domain.
  • Focused more of the Practices on NIST 800-171 Controls.
  • Identified 21 Practices through Practice Level 3 which are not attributed to NIST 800-171 R1. That is, to achieve Practice Level 3, you need to be fully compliant with NIST 800-171 R1 and implement the 21 new CMMC practices.
  • Started referencing international frameworks including those from Australia and the UK.
  • Removed the “redundant” Practices. For example, in Draft Version 0.4 of the standard, Level 1 might have a Practice that is implemented “at least in an ad hoc fashion” and the same control is fully applied in Level 2. These “ad hoc” practices were removed from Level 1.

If you have any questions or would like support as you ready your organization for CMMC, contact us.

 

POAM Template Download

As you are probably aware, there is a new mandatory certification model that will be required to do business with the Department of Defense (DoD). The CMMC (Cybersecurity Maturity Model Certification) builds on best practices established in NIST 800-171 (DFARS), NIST 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, to create one unified standard for cybersecurity.

CMMC will be a dynamic standard, growing and evolving with the demands of the ever-changing cybersecurity landscape. While the structure of CMMC is set, the details of the new standard are still being vetted, refined, and finalized. The target for launch is early 2020.

How CMMC Compares to NIST 800-171

Similarities

The purpose of both standards is to ensure that DoD contractors employ healthy cybersecurity practices to protect sensitive information. There are several facets of security posture that must be met in order to be in compliance with both standards. Both also require demonstrated compliance to do business with DoD, via self-certification for DFARS and via an audit by certifying organization for CMMC.

Differences

One important distinction touched on above is that CMMC will not allow self-certification. Compliance with the standard will be verified by an outside third-party hired by your company to determine your compliance with the requirements.

The CMMC control framework is (currently) much larger than the 14 control families and 110 controls outlined in NIST 800-171. As of October 31, 2019, CMMC contains 18 domains, 241 practices, and 90 processes at Maturity Level 3.

CMMC Components

The elements of CMMC include:

  • Maturity Levels – These levels range from basic security controls required for level 1 through highly advanced requirements for level 5.
  • Domains – Based on cybersecurity best practices, these are key sets of capabilities for cybersecurity, such as Access Control, Incident Response, Security Assessment, and more.
  • Capabilities – These achievements are the building blocks of each domain, ensuring cybersecurity within each domain.
  • Practices – These are individual cybersecurity activities related to NIST “controls”. They range from Level 1 practices including anti-virus and ad hoc cybersecurity governance to Level 5 practices such as real-time asset tracking and device authentication.
  • Processes – These are documented standards for implementing practices based on the maturity level of your organization.

Below is an example of a cross-reference matrix between NIST and CMMC draft 0.4. It shows some interesting characteristics, such as:

– One NIST Family mapping to multiple CMMC Domains
– One NIST control mapping to multiple CMMC Levels
– One NIST control mapping to multiple CMMC Capabilities
– One NIST control mapping to multiple CMMC Practices
– New CMMC practices not found in the NIST controls

Note, as with most mappings of this kind, they are not always clean, with some aspects of a Control in one framework mapping to elements of a Practice in a different framework.

What You Can Do Now

CMMC specifically calls out the requirement for documentation for all domains in order to achieve compliance. Note that this condition was never explicitly requested in NIST 800-171; rather it is noted in the DFARS appendix that it was assumed you had the appropriate documentation.

While CMMC is continuing to evolve, you can ready your organization to meet the requirements of the new standard. Achieving CMMC compliance will not be a quick endeavor as you will need to define and record your real working processes.

Start now by cataloging your processes and building out the documentation that is called out in NIST as this will surely aid your CMMC compliance activities.

CMMC Maturity Levels 2, 3, 4, and 5 will require Policy, Process, and Plan documents. According to NIST, here are the plans you should have in place:

  • Business Continuity Plans
  • Contingency Plans
  • Continuity of Operations Plans
  • Critical Infrastructure Plans
  • Crisis Communications Plan
  • Disaster Recovery Plans
  • Incident Response Plan
  • Incident Response Testing Plan
  • Occupant Emergency Plan
  • Physical/Environmental Protection Plan
  • Plan of Action
  • Security Assessment Plan
  • Security Plan
  • System Security Plan

And here are the policies and procedure you should have as well:

  • Access Control
  • Audit and Accountability
  • Configuration Management
  • Configuration Planning
  • Incident Response
  • Identification and Authentication
  • Information Flow Control
  • Information Flow Enforcement
  • Information System Maintenance
  • Media Protection
  • Media Sanitation and Disposal
  • Mobile Code Implementation
  • Password
  • Personnel Security
  • Physical and Environmental Protection
  • Portable Media
  • Risk Assessment
  • Security Assessment and Authorization
  • Security Awareness and Training
  • Security Planning
  • Separation of Duties
  • System and Information Integrity
  • System and Services Acquisition
  • System and Communication Protection
  • System Use

Prepare yourself by understanding the latest CMMC updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.  No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar. If you have any questions or would like support as you ready your organization for CMMC, contact us.

Your assessment is behind you. You have been working to create a System Security Plan (SSP) detailing a Plan of Action & Milestones (POA&Ms) based on your assessment findings.  Your goal, to remediate gaps discovered to ensure NIST 800-171 compliance with full implementation of all 110 security requirements.

Think of your SSP and POA&Ms as the required foundation and roadmap to get you to compliance. With over 110 security requirements in NIST 800-171, you need this layer of groundwork and direction to effectively tackle what is likely the most significant aspect of NIST 800-171 compliance, remediation or full implementation. So, where to start when working toward implementation?

 

3 Things to Consider Before Diving into Your NIST 800-171 Implementation:

 

1. Project Management

The SSP and POA&Ms outline the plan and timeline, but who is responsible for owning the outcome? A dedicated resource whose primary focus is ensuring the implementation of the plan is the best way to guarantee success. Implementing outstanding NIST 800-171 requirements is a large project but a project, nonetheless. By assigning a project manager, you have a clear leader to accept accountability, coach, and motivate your team. Also, they will ensure the right processes, resources, and tools are available to keep the project on schedule and within budget.

 

2. Staff Augmentation

NIST 800-171 has been a contractual obligation since December 2017, maybe you’re new to the DoD acquisition process or have been contracting with the DoD for some time. If you are the latter, there is a good chance one reason you are not compliant today is due to a lack of resources. As we all know, NIST 800-171 is in addition to your day job, so making it a priority is challenging. If you are already struggling to keep up with your day job due to constrained resources, then NIST compliance may not seem possible. If hiring a long-term employee is not an option contracting a third-party to partner with during the NIST 800-171 compliance project can help alleviate the stress of limited or already overworked staff.

 

3. Experience

Maybe you have the resources but lack the expertise.  Missing the experience, specifically, with NIST 800-171, within your team, can reduce efficiency ultimately increasing the cost.  The difference between how you handle the implementation for a tier 1 level Prime versus a small 1 to 10-person Subcontractor are significantly dissimilar, yet the same requirements apply.

We are often asked questions like, “Does CyberSheath have a list of tools for a business our size?” ” Does CyberSheath have experience implementing the NIST 800-171 controls for similar-sized businesses?”

Questions like this rely on our 10+ years of experience and 100+ successful NIST 800-171 implementations. Experience allows for decisions to be made in a manner that enables compliance as a documented, automated outcome of day-to-day operations. Hiring a third-party that has demonstrated NIST knowledge will allow your team to learn and grow through the lessons learned and best practices formed by other’s past experiences. More importantly, enable your organization to continue the work of maintaining compliance after the greater effort is complete.

 

Start Your NIST 800-171 Implementation Today

Overall, all three areas of consideration can be handled internally within your organization. The first step being your assessment to discover gaps.  Second, putting the SSP and POA&Ms in place to address those gaps. Lastly, creating a team dedicated to ensuring all 110 security requirements are implemented. However, partnering with a third-party organization will help ease the pains of growing an internal staff or burdening a current resource to manage the project. If partnering with a third-party interest you, check out our NIST Managed Services.  CyberSheath’s Managed Services are specifically designed to address the hurdles you will need to overcome during your implementation of the NIST requirements.  Learn More

 

Business photo created by pressfoto – www.freepik.com

Cybersecurity requirements for Department of Defense (DoD) contractors continue to evolve. However, NIST 800-171 compliance is as much required by law today as it was on the December 2017 deadline. In fact, with the introduction of the Cybersecurity Maturity Model Certification (CMMC) we are fast approaching a major change in how government contracts are bid. Recently, Katie Arrington, Chief Information Security Officer for the Assistant Defense Secretary for Acquisition, spoke at the Billington CyberSecurity Summit where it was noted,  “the new Cybersecurity Maturity Model Certification framework, or CMMC, is out in draft form for public comment. It would start appearing as a requirement in pre-solicitation acquisition documents like RFIs in June. ‘In the fall, we will start putting it into [actual bid solicitation documents like] RFPs,’ Arrington said.”  

With the proposed CMMC requirements contractors will be required to demonstrate compliance as referenced in section L and M of a government Request for Proposal (RFP). Demonstration of compliance will require a third-party certification as self-certification will no longer be allowed. This update is critical, noncompliance with a requirement in section L and M means you are not qualified to bid a proposal. The risk of not meeting compliance with NIST 800-171 pre-RFP will mean the loss of existing and potential work with the DoD.  

Prepare yourself by understanding the latest updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.

 In this webinar you will learn:

  • What’s New: Cybersecurity Maturity Model Certification (CMMC), NIST 800-171 Revision 2, and NIST 800-171B
  • What’s Not: Understanding DFARS Clause 252.204-7012 and NIST 800-171
  • What To Do Now and Why: How to stay competitive in the DoD acquisition process and comply with DFARS Clause 252.204-7012 and NIST 800-171

No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar.

Have contractors implemented the NIST 800-171 controls? DoD Inspector General (IG) audit suggests not, recommends third-party audits. Are you ready?

A recent audit conducted in response to a request from the Secretary of Defense determined that DoD contractors did not consistently implement DoD‑mandated system security controls for safeguarding Defense information. Specifically, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors that maintain Controlled Unclassified Information (CUI) to implement security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which lists security requirements for safeguarding sensitive information on non-Federal information systems. The requirements include controls for user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.

DoD IG Report Findings

The findings across the DoD contractors audited included deficiencies related to:

  • Multifactor authentication;
  • Enforcing the use of strong passwords;
  • Identifying network and system vulnerabilities;
  • Mitigating network and system vulnerabilities;
  • Protecting CUI stored on removable media;
  • Overseeing network and boundary protection services provided by a third-party company;
  • Documenting and tracking cybersecurity incidents;
  • Configuring user accounts to lock automatically after extended periods and unsuccessful login attempts;
  • Implementing physical security controls;
  • Creating and reviewing system activity reports, and granting system access based on the user’s assigned duties.

The audit also found that while DoD requires contractors to protect CUI by complying with NIST 800-171 requirements, DoD contracting offices did not establish processes to:

  • Verify that contractors’ networks and systems met National Institute of Standards and Technology security requirements before contract award;
  • Notify contractors of the specific CUI category related to the contract requirements;
  • Determine whether contractors’ access, maintain, or develop CUI to meet contractual requirements;
  • Mark documents that contained CUI and notify contractors when CUI was exchanged between DoD agencies and the contractor; and
  • Verify that contractors implemented minimum security controls for protecting CUI.

The effect of these findings is that DoD does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.

The results of the audit probably don’t surprise the DoD or its many contractors but the recommendations in the DoD IG report, combined with the proposed Cybersecurity Model Certification (CMMC), should have contractors making plans to immediately implement the NIST 800-171 security requirements. All signs point to a game-changing, pre-RFP validation of compliance making cybersecurity a “go/no-go” factor for DoD contract awards.

DoD IG Report Recommendations

Recommendations out of the DoD IG report included:

  • Revise its current policy related to assessing a contractor’s ability to protect DoD information to require DoD Component contracting offices, as part of the Request for Proposal and source selection processes, and requiring activities, during the contract performance, to validate, at least annually, that contractors comply with security requirements for protecting CUI before contract award and throughout the contract’s period of performance.
  • Develop and implement a policy requiring DoD Component contracting offices and requiring activities to maintain an accurate accounting of contractors that access, maintain, or develop controlled unclassified information as part of their contractual obligations.
  • Revise its current policy to include language that would require DoD Component contracting offices to validate contractor compliance with minimum security requirements. We also recommend that the DoD Component contracting offices, in coordination with requiring activities, implement a plan to verify that the internal control weaknesses for the contractors discussed in this report are addressed.

All these recommendations are in alignment with the proposed CMMC efforts led by Katie Arrington, and DoD contractors who have delayed NIST 800-171 implementation should take notice and act now. Mandatory third-party validation of security requirements is coming in 2020 and failing to act will likely result in exclusion from contracting with the DoD. Both the recommendations from the DoD IG audit and CMMC are proposing third-party validation of control implementation as part of the Request for Proposal and source selection processes – self-certification and implementation after you win the work are going away. Contractors will need to demonstrate compliance before responding to an RFP and that means taking the necessary steps now before these inevitable changes are implemented in 2020.

Prepare for CMMC and NIST 800-171 Third-Party Verification

CMMC proposes that all companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes and the intent of CMMC is to combine various cybersecurity control standards such as NIST SP 800-171 into one unified standard for cybersecurity. Given NIST 800-171 security requirements are at the core of CMMC, and NIST 800-171 implementation has been mandated for nearly two years now, that’s where DoD contractors should focus their efforts. Under CMMC the DoD is building on and strengthening, not abandoning NIST 800-171. Implementing the NIST 800-171 security requirements now is the best way to prepare for CMMC and meet your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. With 2020 less than six months away implementing all 110 security requirements will be a challenge and DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. The DoD IG audit and recommendations are simply the most recent in a flurry of activity that should have contractors taking immediate action to comply.

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan to prepare for CMMC in a way that fits your business and budget. Third-party certification is coming in 2020, get the compliance and control implementation expertise you need to stay competitive!

5 Steps to CMMC Preparation

NIST 800-171 Revision 2 and 800-171B drafts were released for comment last week, and as expected there have been no major changes proposed to the controls in NIST 800-171 Revision 2. For DoD contractors waiting to implement the required security requirements of NIST 800-171 Revision 1 pending the latest updates, the proposed updates won’t buy you any time. The fact is enforcement is underway and compliance with DoD cybersecurity requirements is a go/no go decision if you are serious about being eligible to do business with the DoD.

The 800-171B draft enhanced security controls are in addition to 800-171 controls, in cases where the information held by the contractor is determined to be a high-value target. The enhanced requirements are to be applied to nonfederal systems and organizations processing, storing, or transmitting controlled unclassified information (CUI), when such information is contained in a critical program or designated high-value asset. The enhanced security requirements of the 800-171B draft were designed to address advanced persistent threats (APTs) and are mapped to the security controls in NIST 800-53. The implied maturity level required and associated costs with implementing the 800-171B draft enhanced security controls is significant.

The enhanced security requirements include three, mutually supportive and reinforcing components:

(1) penetration resistant architecture;

(2) damage limiting operations; and

(3) designing for cyber resiliency and survivability.

The Path Forward for DoD Contractors

With a tremendous amount of activity related to The Cybersecurity Maturity Model Certification (CMMC), DCMA audits of NIST 800-171 compliance, False Claims Act litigation, and the 800-171 revisions and supplements, the path forward for DoD contractors is clear:

Fund and execute compliance with NIST 800-171 now. Despite all of the proposed changes, the fact remains that the DFARS 252.204-7012 clause in ANY of your contracts requires the implementation of NIST 800-171. That is your contractual requirement and all changes proposed so far rely on NIST 800-171 as a foundation of compliance.

There has been a level of paralysis by analysis across industry caused by the questions of cost reimbursement, proposed changes and uneven auditing of compliance. This is the kind of noise that has caused many DoD contractors across the supply chain to delay their DFARS compliance efforts but that high-risk approach invites legal and competitive pain that should be avoided. While there are many changes to be aware of CyberSheath advises focusing on what you are required to do today as the best approach to current and future compliance requirements. Nothing that has been proposed eliminates the requirement to implement NIST 800-171.

Compliance with the DFARS and NIST 800-171 requirements involves much more than writing a System Security Plan (SSP) and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem.

5 Steps To DFARS Compliance

Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

5 Steps to DFARS Compliance

 

The recently announced Cybersecurity Maturity Model Certification (CMMC) scheduled for completion by January 2020 has many DoD contractors scrambling to anticipate how to prepare (learn more about the CMMC announcement here). While there are many unknowns regarding what the CMMC will ultimately look like, DoD contractors should focus on what is already known and currently mandatory with DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSP’s) and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is NIST 800-171 control implementation, is the best way to prepare for the CMMC.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently said that only 1% of the Defense Industrial Base has implemented the required controls.  “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Why are Contractors Delaying NIST 800-171 Implementation?

Across hundreds of NIST 800-171 implementations, CyberSheath has found the most common reason for delay by DoD contractors has come down to, “Who is going to pay for this?”

Arrington clearly spoke to that concern last week at an event sponsored by the Professional Services Council in Arlington, Virginia, saying “I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost. Amen, right?”

After more than a decade of policy, law, memorandums and continued momentum towards enforcement businesses who continue to delay actual implementation of the 110 security requirements will be in a far worse position come January 2020 when the CMMC rolls out. Don’t wait, implement the NIST 800-171 security requirements in a way that is actionable, measurable and audit ready.

Beyond Your SSP’s and POA&Ms

Compliance with the DFARS and NIST requirements involves much more than writing a SSP’s and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem. Implementing security requirements like multifactor authentication, incident response, encryption and more require thoughtful decisions leveraging what you already own. For the gaps identified in your existing people, processes, and technologies a product purchase, if required, needs to be part of the larger plan to achieve compliance. Too often businesses are over-sold on silver bullet product purchases that aren’t thoughtfully integrated into a system of documented and repeatable control implementation.

5 Steps to DFARS Compliance

To enable compliance as a documented, automated outcome of day-to-day operations download our 5 Steps to DFARS Compliance Guide. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. Act now to move from thinking about implementation to taking action towards full compliance.

 

 

The window of opportunity for achieving compliance with DFARS 252.204-7012, which requires the implementation of NIST 800-171 across the DoD supply chain, continues to get smaller as the ability to self-certify is set to expire.

CyberSheath attended the Professional Service Council’s 2019 Federal Acquisition Conference where Special Assistant to DoD’s Assistant Secretary of Defense Acquisition for Cyber Katie Arrington stated clearly that “…cost, schedule, and performance cannot be traded for security.” Security is the foundation of defense acquisition.

Much has been written about The Defense Department (DoD) Office of the Under Secretary Acquisition of Sustainment creation of a new certification model to enforce compliance, but the fact is compliance is already required. So, while it is important to understand where the DoD is headed in enforcing compliance, it’s more important to stop delaying and act now. The DoD has been working with industry for more than a decade to address the cybersecurity problem across the supply chain and contractors who continue to self-certify with Plans of Action & Milestones (POA&Ms) that never actually get implemented will be frozen out of acquisition as DoD makes cybersecurity a “go/no-go” part of procurement.

Cybersecurity Maturity Model Certification (CMMC) and the New Certification

The Cybersecurity Maturity Model Certification (CMMC) and the new certification will have required CMMC levels once the certification is released, with levels ranging between one and five –from basic cyber hygiene requirements through “state-of-the-art” cybersecurity capabilities.

Arrington is moving quickly to complete the CMMC by January 2020, and contractors can expect to start seeing the certification in contract requests for information by June 2020.

Within CMMC, a third-party cybersecurity certifier will also conduct audits, collect metrics, and information risk mitigation for the entire supply chain.

“With 70 percent of my data living in your environment, I’m home, so we need to work together to secure it,” Arrington said. “Who is the government? You are when you’re the taxpayer. That’s your money. That’s your data that you have paid for that our adversaries are taking and using it against us. We should be infuriated as a nation about our data. With $600 billion a year being expelled by our adversaries; this room should be irate.”

All of these developments, coupled with the May 8, 2019, California court Civil False Claims Act decision as the first reported FCA decision involving allegations of non-compliance with DFARS 252.204-7012 should spur action towards immediate compliance. Checklist compliance and continued delays of actual control implementation will absolutely cost you more in the long run so get started now, make a plan and execute.

5 Steps To DFARS Compliance

Compliance with the DFARS and NIST requirements involves much more than writing a System Security Plan (SSP) and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem.

Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

 

“Those who do not learn from history are condemned to repeat it.”

Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant to cybersecurity.

Both the National Institute of Standards and Technology (NIST) and the SANS Institute describe the learning phase of incident response as one of the most crucial steps, helping businesses to refine and strengthen both their prevention and response protocols.

However, 42% of businesses fail to review and update their incident response plans on a regular basis. If you find yourself experiencing the same security breaches over and over again, you might be one of them. Here’s why you should actively learn from the experience, and how to go about it.

Lessons Learned Session

A lessons learned session takes place after the resolution of a security incident. It involves taking stock of the incident; getting to the root of how and why it happened; evaluating how well your incident response plan worked to resolve the issue; and identifying improvements that need to be made.

Identifying Areas of Weakness

The most obvious benefit of a lessons learned session is that it helps you to identify gaps in your organizational security practices. Was the lapse due to human error? Systems failure? Inadequate security practices? If you don’t know these problems exist, you can’t take the appropriate action to fix them.

Improving Incident Response

Lessons learned sessions help you to understand not only why the incident occurred, but also how effective your response was. For example, were you able to respond quickly and effectively, or did red tape get in the way? Did your team know exactly what to do, or did they struggle to remember their training? Questions like these will highlight areas that need to be improved for next time.

Recognizing the Positive

Don’t just focus on what went wrong in a lessons learned session; it’s also important to highlight what went well. Taking the time to identify successful elements of your response can help to inform robust future security practices while acknowledging and rewarding positive employee performance will set a standard and incentivize similar behaviors in the future.

Lessons Learned Training

Just as frameworks like NIST 800-171 require you to periodically test your Incident Response processes using activities like tabletop exercises, incorporate your lessons learned sessions into these activities as well. Not only will that lead to improvements in your incident response plan, but it will train your teams in how to do effective lessons learned analysis.

The Lessons Learned Process

According to Lessons learned: taking it to the next level, an incident response paper by Rowe and Sykes, lessons learned sessions are most effective when they follow a well-defined five-step process:

  1. Identify and collect all comments and recommendations that may be useful for future projects.
  2. Document all findings and share them with key stakeholders.
  3. Analyze and organize all documentation for future application.
  4. Store documentation in a repository that can be accessed by all key stakeholder.
  5. Retrieve documentation for use on current or future incidents.

This process should be implemented as soon as possible after an incident when the particulars are still fresh in everybody’s minds. In fact, if the incident will take an especially long time to resolve, then beginning the process even sooner might uncover helpful information to support the resolution.

Stakeholders from as many key groups as possible should be present for lessons learned sessions. It’s especially important to have representatives from your IT and executive teams, as the former will be able to implement recommendations and the latter will be able to authorize action and remove bureaucratic obstacles.

We’ve Held a Lessons Learned Session — What Next?

Your lessons learned session will likely turn up numerous security gaps, weaknesses, and other areas that need attention. This is the part that often discourages businesses from lessons learned sessions in the first place — after all, if you go looking for problems to fix, then you must fix them! If you don’t have the time or money to do this, then it’s tempting to skip this step altogether and hope for the best.

With the financial impact of the average data breach running into hundreds of millions, this strategy is only going to cost you more money in the long run. Instead, face the incident head-on and use the lessons learned session as an opportunity to proactively fortify your business against future threats.

Here are some examples of actions you might take to improve your cybersecurity and incident response for next time:

  • If you found that the incident occurred because your staff missed the signs of a threat or were unsure how to respond, then you may invest in more comprehensive and/or frequent training.
  • If bureaucratic layers slowed down your response, you might meet with the C-suite to request executive delegation in future emergency situations, and enshrine this in your incident response plan.
  • If a loophole in one of your systems was exploited, conduct a thorough review of the system to ensure it is fit for purpose and replace if necessary.

Whatever you do, though…

Don’t Let History Repeat Itself

Every incident has a lesson to teach you, but we know that implementing these lessons isn’t always easy. That’s why CyberSheath specializes in providing comprehensive, affordable incident response solutions to businesses like yours. Contact us today to find out how we can help.

 

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with the DoD and the incentives to act now are many and include:

  • Compliance was mandatory as of December 2017; regardless of when you found out about the requirement, it’s been on the books for several years now
  • Noncompliance penalties for failure to meet the requirements can lead to criminal, civil, administrative, or contract penalties that include:
    • Breach of Contract Damages
    • False Claims Act Damages
    • Liquidated Damages
    • Termination for Default
    • Termination for Convenience
    • Poor Past Performance
    • Suspension/Debarment

Ultimately the DoD has been preparing the contractor community for more than a decade and with audits underway there is little doubt that cybersecurity compliance is becoming a competitive discriminator.

Read more about DoD audits of cybersecurity compliance here.

Understanding DFARS 252.204-7012 and NIST SP 800-171

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to achieve this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

  • Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POAs.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally secure alternative practice is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering the 90 days prior to the date of the report, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

If a subcontractor experiences a cybersecurity incident, they must report it to you, or to the next highest tier of subcontractor, and present the evidence as required. As the prime contractor, you’re then required to report the incident to the DoD and submit the evidence, as detailed above.

Cloud Service Provision

If you offer your own cloud services as part of your DoD contract, then DFARS states that you must enact the safeguards set forth in the Cloud Computing Security Requirements Guide (SRG), unless waived by the Chief Information Officer of the DoD. If you use a third-party cloud service, then you’re required to ensure that your cloud service provider follows the security provisions therein.

Not DFARS Compliant?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. Bringing your business in line with these extensive regulations is required and the stakes are so high.

Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget.

5 Steps to DFARS Compliance

 

The management of organizational risk is a key element in any organization’s information security program, particularly those like Department of Defense (DoD) contractors that process highly sensitive, critical data.

With this in mind, the National Institute of Standards and Technology (NIST) has developed the Risk Management Framework (RMF), a set of processes for federal bodies to integrate information security and risk management into their systems development life cycles.

The Six Steps of the Risk Management Framework (RMF)

The RMF consists of six steps to help an organization select the appropriate security controls to protect against resource, asset, and operational risk. They are:

Step 1: Categorize the system and the information that is processed, stored and transmitted by the system.

Step 2: Select an initial set of baseline security controls for the system based on the categorization, tailoring and supplementing as needed.

Step 3: Implement the security controls and document how they are deployed.

Step 4: Assess the security controls to determine the extent to which they are meeting the security requirements for the system.

Step 5: Authorize system operation based upon a determination that the level of risk is acceptable.

Step 6: Monitor and assess selected security controls in the system on an ongoing basis and reporting the security state of the system to appropriate organizational officials.

Who Needs to Implement the RMF and Why?

Industries with critical or highly sensitive data needs are increasingly adopting the RMF in an effort to cope with growing risk and comply with their strict legislation— think defense (DFARS), healthcare (HIPAA), and retail/payment (PCI).

However, it’s our professional opinion that every organization that handles sensitive data can benefit from adopting the RMF. Why?

First, the RMF functions as a very effective security planning tool that gives you a comprehensive picture of your organizational risk. This helps to inform a solid risk management strategy and focus your attention on the areas that matter most to your organizational security.

Second, the RMF is not specific to any one agency or body, which gives it the flexibility to be adopted and applied by organizations of all shapes, sizes, and industries — including yours.

Finally, the RMF is seen as the gold standard on which many risk management approaches are modeled. For that reason, it wouldn’t be surprising to see it mandated in some form in the near future, particularly for high-risk industries, but possibly across the board.

This happened recently with the EU’s General Data Protection Regulation (GDPR), which mandated that any and every company handling sensitive data comply with the regulations, regardless of industry.

By adopting RMF in your own organization, you’ll be automatically compliant if and when any similar legislation comes into force on our own shores, while your competitors will likely be scrambling to catch up.

RMF and Defense Contractors

Contractors of the DoD have a set of legal obligations under the Defense Federal Acquisition Regulation Supplement, or DFARS. This legislation requires such contractors to demonstrate proactive compliance with, among other frameworks, the NIST Special Publication 800-171 (NIST 800-171), which lays out how they must protect sensitive defense information and report cybersecurity incidents.

So, if a contractor is already DFARS-compliant, and they’re already implementing the security controls set out in NIST 800-171, why do they need to adopt the RMF too? (Not DFARS Compliant? Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operation.)

In working with our defense clients on securing their acquisitions processes, we’ve consistently observed the need for security controls above and beyond what NIST 800-171 requires. That’s exactly what the RMF provides, paying attention to areas such as resilience enhancements and tailoring requirements.

It’s our opinion, then, that the RMF can help defense contractors to plan risk-based security control implementation in a much more broad, holistic manner than DFARS and NIST 800-171 compliance alone.

Limitations of RMF

Because it’s a framework, the NIST RMF doesn’t tell you how to achieve the recommended steps. That means that for small and medium organizations without significant information security experience, or the resources to obtain it, implementing the framework can be a challenge.

That’s Where CyberSheath Comes In

Our cybersecurity experts can help you to minimize your organizational risk with comprehensive risk management planning, including the implementation of the NIST Risk Management Framework. Contact us now to find out how we can help protect your organization.

In a previous blog post we detailed how the November 6th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) memorandum titled, “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” was expected to be transformative in the enforcement of compliance throughout the acquisition process.

As a follow up to the November guidance; DoD has issued two additional guidance memoranda in the last 60 days further solidifying the DoD intent to enforce compliance. Contractors should be actively be addressing NIST 800-171 compliance.

Let’s See Your System Security Plans (SSP) Plans of Action and Milestones (POA&M)

On December 17, 2018, Kevin Fahey (Assistant Secretary of Defense for Acquisition) issued a memorandum, which provides contractual language addressing (i) access to and delivery of contractors’ and subcontractors’ SSPs (or extracts thereof), (ii) access to and delivery of a contractor’s plan to track flow down of CDI to subcontractors and restriction on unnecessary sharing/flow down of CDI and (iii) the requirement for a prime contractor to flow down (ii) and (iii) to its first-tier subcontractors.

The Fahey memo details requirements that were not clearly reflected in DFARS 252.204-7012.

The creation of SSPs and POA&M documents was included with NIST SP 800-171 and the November 6th guidance further clarified that DoD would require delivery of the Prime’s SSPs and POA&Ms to the government. Additionally, Prime contractors must ensure government access to the SSP and POA&Ms of its first- and second-tier subcontractors, vendors, and suppliers.

Contractors will need to ensure that their processes for subcontractors, vendors, and suppliers meet this requirement.

Auditing of DFARS Compliance

On January 21, 2019, Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment) issued a second memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits. The DCMA audits focus on contractor oversight of its first-tier subcontractors which can include first-tier subcontractors, vendors, and other suppliers.

The DCMA audits focus on contractor oversight for first-tier subcontractors and include:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

While there is no specific requirement in the DFARS cyber clause for documented procedures to flow down CDI to first-tier subcontractors or any specific requirement to assess compliance of first-tier subcontractors with the DFARS cyber clause, it is expected these requirements will be mandated with the new contractual language in the December 17 Fahey memorandum.

Additionally, in May 2018 Defense Security Service (DSS) was directed to execute an operational plan for oversight of Controlled Unclassified Information (CUI) protection through collaboration with industry partners across the Defense Industrial Base (DIB).

Product Purchases Won’t Get You There

The disconnect between achieving compliance and the offerings that many product vendors are marketing is increasing both complexity and confusion. There isn’t a product in existence that addresses all 110 NIST 800-171 security requirements and many of the requirements can often be met with existing solutions contractors already own. Software that simply assesses your current compliance isn’t automated, despite claims, and does nothing to actually implement the required controls.

There are features or capabilities of products that can be mapped to the 110 NIST 800-171 security requirements but the first action in getting compliant doesn’t start with buying another product. Part of a comprehensive gap assessment will include detailing what you already own that can be configured, deployed or otherwise implemented to satisfy the control requirements.

Getting Compliant and Staying Compliant

Updated guidance, overlapping audits, and general confusion can make DFARS compliance difficult and expensive, but it doesn’t have to be. Cybersheath has enabled hundreds of contractors to achieve compliance and stay competitive in the DoD acquisition process and we guarantee success.

To learn more start here and Download our 5 Step Process To Comply With NIST 800-171. It’s free and if you have the right team and resources available you can do it all yourself.

Get expert assistance, before you are audited and achieve compliance in a way that fits your budget and mission, contact CyberSheath for a no-obligation scoping call to learn how to stay ahead of an audit and comply now!

DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are mistaken, the time is now!

On November 6th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) issued a memorandum titled, “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” that is expected to be transformative in the enforcement of compliance throughout the acquisition process.

While the implementation of DFARS and NIT 800-171 requirements have been mandatory since December 2017, many Department of Defense (DoD) contractors haven’t yet felt the sting of an audit and efforts were largely contained to completing checklists from government contracting officers or Primes. The DoD telegraphed a transition to enforcement and the impacts of non-compliance with guidance made available to the public for comment in Federal Register, Volume 83 Issue 79 (Tuesday, April 24, 2018). All comments were considered and integrated, when appropriate, into the final documents and as expected 2019 will be a game changer for non-compliant Prime and subcontractors.

The November 6th, 2018 memorandum references two new guidance documents providing for enforcement of DFARS 252.204-7012 & NIST 800-171 across the entire supply chain:

“DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented”

“Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System”

This new set of guidance empowers acquisition officers to enforce compliance throughout the entire acquisition lifecycle, both before and after contract award. Changes include:

  • A standard for the data content and format to be used in NIST SP 800-171 System Security Plans
  • Adding cybersecurity measures in addition to those found in NIST SP 800-171
  • Creating an “Acceptable” (Go/No Go threshold) rating, which can require “must-have” NIST 800-171 requirements to be in place before an award can be made
  • Incorporates 800-171 compliance as a technical evaluation factor, which often becomes part of the weighted score for contract awards
  • Conducting on-site assessments, using NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
  • Requiring a contractor to complete a new form titled: ‘Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information
  • Requesting a contractor’s plan to track flow down of Covered Defense Information
  • Requesting a contractor’s plan to assess the compliance of their own suppliers

With the ability to request a contractor’s plan to track flow down of Covered Defense Information (CDI) and request the contractor’s plan to assess the compliance of their own suppliers, Prime contractors are expected to document and demonstrate enforcement of their own supply chain’s compliance.

In 2019 Prime and Subcontractors can expect to be audited against actual implementation the DFARS 252.204-7012 & NIST 800-171 security requirements. For those taking a wait and see approach to the impact of your ability to do business with the DoD without implementing NIST 800-171; you just got your answer, 2019 will be a year of reckoning for non-compliant Prime and subcontractors.

If you have delayed documenting your SSP, POA&Ms or actually implementing the NIST 800-171 requirements, CyberSheath can lead your efforts to achieve compliance by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your implementation efforts. Contact Us today to get started!

As a subcontractor on a Department of Defense contract, you have likely had flow down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Many subcontractors, as they scramble to secure their infrastructure to be in compliance before the December 2017 DFARS deadline, are also asking, “When should DFARS clause 252.204-7012 flow down to our subcontractors?”

To help you answer that question, here are some basics related to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (effective October 21, 2016) and NIST 800-171.

The Basics of DFARS Clause 252.204-7012

This clause is required in all contracts except for those contracts solely for the acquisition of COTS items. It requires contractors and subcontractors to:

  1. Safeguard covered defense information (CDI) that is resident on or transiting through a contractor’s internal information system or network.
  2. Report cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support.
  3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
  4. If requested, submit media and additional information for damage assessment.

What is Covered Defense Information (CDI)?

This term is used to identify information that requires protection under DFARS Clause 252.204-7012. Covered defense information is unclassified controlled technical information (CTI) or other information as described in the controlled unclassified information (CUI) Registry that requires safeguarding or dissemination controls*, and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to contractor by or on behalf of DoD, in support of the performance of the contract or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor, in support of the performance of the contract.

* Pursuant to and consistent with law, regulations, and Government-wide policies

Does DFARS clause 252.204-7012 flow down to subcontractors?

The clause impacts subcontractors when performance will involve operationally critical support or CDI. You should determine in consultation with your contracting officer if necessary, if the information required for subcontractor performance is or retains its identify as CDI, and requires safeguarding or dissemination controls. Flowdown is to be enforced by the prime contractor. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s information system.

What does DFARS Clause 252.204-7012 require?

Simply stated, this DFARS clause mandates adequate security. The contractor shall provide sufficient security on all covered contractor information systems. To provide satisfactory security for covered contractor information systems that are not part of an IT service or system operated on behalf of the Government, at a minimum, the contractor must implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.

What is NIST SP 800-171?

This standard:

  • Enables contractors to comply using systems and practices likely already in place.
  • Significantly reduces unnecessary specificity, as requirements are performance-baseda, and more easily applied to existing systems.
  • Provides standardized, uniform set of requirements for all CUI security needs.
  • Allows non-federal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers).
  • Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements.

If you are struggling with interpreting these requirements or need help implementing the security controls? CyberSheath can help you determine a path forward for achieving compliance by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your remediation efforts. Contact Us today to get started!

With the deadline for compliance with DFARS Clause 252.204-7012 having passed on December 31st 2017, many companies are still scrambling to catch up. But in their haste, many may be ignoring a vital aspect of the mandate.

Chiefly designed to ensure adequate security in safeguarding “covered defense information” (CDI), DFARS requires Department of Defense (DoD) contractors and subcontractors to implement controls to protect sensitive data “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

However, it also includes clearly specified mandates for cyber incident reporting, when a contractor or subcontractor discovers that CDI has been compromised or adversely affected within their networks. In addition to safeguarding CDI, it is imperative that companies follow these prescribed reporting requirements if they experience a cyber incident.

Report Rapidly

Collecting information on cyber incidents allows the government to investigate key details in order to monitor and hopefully contain future cyber threats. As such, DFARS cyber incident reporting mandates are designed to assure businesses turn over this information quickly.

According to DFARS, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If you have determined that a cyber incident has taken place, then in accordance with the “Rapid Reporting” requirement you must:

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil within 72 hours of discovery.

The DFARS provision defines a compromise as the “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”

Although there has been some debate as to what reporting triggers define the start of the 72-hour timeframe, implementing a clear cyber incident response plan can create a track record of internal consistency that would prove responsibility if a contractor’s reporting methods were ever to be scrutinized.

A full list of what to report can be found on this page of the DoD’s DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.

Detect Malware

In the event that malicious software (malware) is found on a compromised system, the contractor must also collect information about the malware and submit it using a malware submission form to the DoD Cyber Crime Center (DC3) “in accordance with instructions provided by DC3 or the Contracting Officer.”

Preserve Your Media

The DoD may also choose to conduct a thorough post-incident investigation, also known as a damage assessment. To allow for this, they require companies that have been breached to “preserve and protect images of all known affected information systems” and “all relevant monitoring/packet capture data” for at least 90 days following the discovery of an intrusion.

Advice on Reporting

Opening up the lines of communication with the DoD prior to any incident ensures that the process is less complicated and helps you to report in a timely fashion.

In addition, making sure your forensics tools and procedures meet the DoD collection requirements will also ensure that you’re able to quickly gather the required information and report all the pertinent details in full.

Preparation is key. Make sure to practice using your forensics collection procedures so you can quickly report and recover without missing a beat. It’s also important to note that any report of a cyber incident must have a DOD-approved medium assurance certificate. Information on how to obtain this certificate can be found at  iase.disa.mil.

Need Assistance?

If you’re looking for someone to stay on top of your reporting so you don’t drop the ball, or if you just need further assistance understanding the complex process of reporting a cyber incident, Contact Cybersheath today for a free consultation.

 

 

On December 31, 2017, the deadline passed for defense suppliers to comply with NIST 800-171, a requirement specified in Defense Federal Acquisition Regulation Supplement 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting.

This mandate attempted to ensure a higher standard of security controls surrounding the processes and procedures for protecting controlled unclassified information (CUI). As defined by the National Archives, CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

Confused? You’re not alone! Assessing what is and what isn’t CUI, as well as navigating the complex and potentially costly road to compliance, has left many contractors struggling to stay on schedule. Although the deadline has passed, a large number of companies are still standing around scratching their heads, wondering how to proceed.

Consequences of Non-compliance

Non-compliance is not going to be acceptable for much longer. Clause 3.12.4 of NIST 800-171 allows for the submission of a Security System Plan (SSP) and a Plan of Actions and Milestones (POA&M) to help companies define how they will bridge the gap, but it is also reasonable to expect that the U.S. Government will soon begin to terminate contracts that fail to meet the accepted requirements. Defense prime contractors will also begin to terminate non-compliant subcontractors and suppliers to avoid having to report themselves as non-compliant.

Because so many companies have fallen behind, those that have achieved this rare milestone will have positioned themselves to receive the lion’s share of future defense contracts. Simply put, if companies want to remain competitive, they must move as quickly as they can to get on track or risk falling behind their competition.

Becoming Compliant

If your company has fallen behind, don’t get discouraged. The path to compliance is a confusing one, but it’s possible to find your way. Start by taking the following steps…

1. Define CUI

CUI is situation-specific and can be tricky to assess. In some cases, the information that needs to be protected are specified in the awarded contract. However, most of the time the definition is unclear.

In their own definition, DFARS has included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” Information that has been created or received by contractors, but not marked, may also need to be appropriately safeguarded. Identifying what needs to be protected is the first step.

2. Identify where it lives

The next step is to figure out exactly where the CUI is being stored, processed, or transmitted from so that you know which systems need to be secured.

Creating a Data Flow Diagram (DFD) is a helpful way to begin figuring out how CUI is traveling through your network. It could also be useful to create a network diagram to identify what controls you already have in place that are effectively safeguarding your CUI. Together, these tools can help you identify the weak points you’ll need to address to close the gaps in your systems.

3. Document your progress

Having identified CUI and where it lives, you should now begin the process of referring back to NIST 800-171 to figure out the controls you will need to put into place.

As you forge ahead in making these updates, it’s critical to document what you’ve changed, how it will improve security, what controls are not applicable to your current situation, and why they won’t be needed.

This process will create a record demonstrating your ability to assess and safeguard sensitive information, moving you closer to your ultimate goal of declaring full compliance with the DFARS/NIST 800-171 mandate.

Your Competitors are Working on Compliance — Are You?

If you’re not currently working towards meeting the DFARS/NIST requirements, rest assured your competitors are! The window for implementing this essential security update is closing rapidly, so don’t lose your competitive edge — contact us now for a free consultation on achieving your compliance goals.

On December 31, 2017, the deadline for compliance with the NIST 800-171, a mandate for contractors serving local and federal governments, came and went.

This Special Publication provided guidance on the processes and procedures needed to adequately safeguard controlled unclassified information (CUI), defined as any information created by the government or entities on behalf of the government that is unclassified, but still must be appropriately safeguarded.

While some companies were quick to adapt to these new regulatory measures, many companies fell behind because of a lack of resources, confusion over the head-spinning compliance process, or just downright procrastination.

With the deadline long gone and the Department of Defense (DoD) making it crystal-clear that NIST 800-171 is here to stay, becoming compliant is an absolute must for those looking to remain competitive in the industry.

A Common Problem

Unlike previous security mandates, this is the first that impacts sub-contractors working further down the federal supply chain. This means that for many companies, it’s the first time they’re having to figure out compliance.

If this describes your company, you’re by no means alone. Because these standards must be met by anyone who stores, processes, or transmits CUI for the DoD, General Services Administration (GSA), NASA, or other federal or state agencies, many contractors are struggling to wrap their heads around the complex process ahead.

As it’s critical to a supplier’s ability to win new business and keep current defense contracts, both prime and sub-contractors will want to confirm that they are, at the very least, on the path to compliance with NIST 800-171.

Achieving Compliance

Of course, becoming compliant is easier said than done. The fact that there is no certification process for NIST means contractors work on the honor system, attesting that they have reviewed and heeded the applicable requirements specified in the regulation.

This also means that becoming compliant is not a one-time achievement. Rather, it’s an ongoing process of continuous evaluation. Here are the three key actions you can take to get started…

Assess Your Compliance Level

First, you’ll need to do due diligence in identifying CUI as it applies to you. Check with your contracting officers or look through your contract to see if CUI has been clearly defined. In many cases, it may not be, and you’ll have to review the CUI registry to find similar examples of CUI.

Once you’ve clearly defined what you need to protect, you can begin to figure out if it’s actually being protected sufficiently. You’ll have to carefully review your critical systems, including servers, laptops, storage devices, network devices, end-user workstations. You’ll also need to assess the physical security of those devices that contain CUI to make sure they are properly safeguarded.

Design a Plan of Action

Chances are there will be a gap between where you are now and where you need to be. This is common so don’t worry!

Fortunately, clause 3.12.4 allows for the submission of a Security System Plan (SSP) and a Plan of Actions and Milestones (POA&M) to buy yourself some time as you work towards your compliance goal. Since many contractors are not yet compliant, these documents are required to show procurement officials you are heading in the right direction.

An SSP will provide an overview of the security requirements needed for every system you use, describe the curent controls you have in place, and outline the expected behaviors of all who access them. Your POA&M will show a clearly defined corrective strategy for exactly when and how you plan to resolve any security weaknesses. 

Begin Implementation  

All this planning and assessing means nothing if you don’t step up and deliver! Once you’ve put milestones in place, you’ll need to train your staff and ensure they adhere rigorously to these deadlines. You’ll also need to document critical advancements in your quest for compliance, properly maintaining your records as you go.

Still Nowhere Near Compliance? Don’t Panic!

If you missed the December 2017 deadline and you’re starting to feel the pressure, don’t panic. CyberSheath’s Managed Security Services can help you to define your CUI obligations, create a plan of action, and move step-by-step towards full compliance. Contact us today for a free consultation.

 

 

More than two years ago, the Department of Defense (DoD) sounded the alarm for increased cybersecurity with a new set of controls designed to raise the level of safeguarding standards across the industry.
The requirements specified in Defense Federal Acquisition Regulation Supplement (DFARS) provision 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, were gleaned from Special Publication (SP) 800-171, authored by the National Institute of Standards and Technology (NIST).
A non-regulatory government agency designed to promote U.S. innovation and industrial competitiveness, NIST identified a set of 110 security control requirements, appropriate for non-government organizations, to be implemented by December 31st of 2017. But even with the deadline long since passed, many contractors are still struggling to meet these standards. Here are the three main reasons why…

Lack of Resources

NIST’s daunting to-do list has left many small to medium companies wondering how they’ll close the gap between what is required and what they can afford to implement.
Put at a disadvantage by budget and workforce limitations, companies find themselves falling behind due to a lack of cost-effective solutions and an inability to dedicate the manpower to keep their cybersecurity standards up-to-date.
Companies must report any shortcomings or gaps in their compliance to the DoD’s Chief Information Officer (CIO) within 30 days of any contract award. That means that the time and resource constraints are only exacerbated if the people in charge don’t have an intimate understanding of the NIST SP 800-171 security controls.
These companies need help but don’t know where to turn. As a result, they’ve found themselves exposed to increasingly advanced cybersecurity threats and will continue to accrue non-compliance penalties until they can find the assistance they need.

Complexity

In an attempt to provide flexibility, make the controls technology-neutral, and allow for contractors to implement whatever solutions best fit their company, NIST has inadvertently made it difficult to know whether your company has actually achieved compliance or not.
The first challenge contractors face is assessing whether or not an information system is processing covered defense information (CDI). CDI is defined by the registry maintained by the National Archives and Records Administration and includes Controlled Technical Information (CTI) and Controlled Unclassified Information (CUI).
If these information systems are precisely specified in the awarded contract, the process is simplified. But DFARS has also included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
This opens the door for large chunks of information that have been created or are received by contractors, but not marked, to also be considered CDI, making the process of identifying which systems process this information much more difficult.
On top of this, the DoD does not currently have any system in place to certify compliance and has not authorized any third-party certification process, leaving it up to you to accurately assess where you stand at any given moment. 

Being Human

As with any complex set of rules, the risk for human error also enters the mix. In the midst of wrapping their heads around a barrage of complicated regulations, many people simply drop the ball.
In companies that are already struggling to dedicate the necessary human resources to compliance, the overwhelm of adjusting to a whole new world of security requirements can lead to small errors that pave the way for much bigger problems.
In cases like these, it’s essential to have an extra set of eyes on the details to make sure problems don’t snowball and create an avalanche down the line.

Rising to the Challenge

If you’re a defense contractor struggling to keep up with NIST 800-171 requirements, performing a compliance assessment should be your top priority. CyberSheath’s Managed Security Services can help you identify the roadblocks on your path to NIST compliance and find cost-effective solutions to overcome them. Contact us today for a free consultation to find out more.

Every day, hackers and thieves are becoming more sophisticated, daring, and aggressive in their attempts to turn stolen data into substantial paydays. And with criminal entities regularly on the prowl for cyber weaknesses to exploit, it’s no wonder that the number of data breaches is growing at a record pace. Partially in response to this rise in cyber attacks, Ohio Attorney General Mike DeWine’s CyberOhio Initiative has introduced The Data Protection Act, signed into law by Governor John Kasich on August 3rd 2018.

Whereas most of the preceding cybersecurity legislation has sought to motivate businesses with punitive and disciplinary action, the DPA is a looking to take a new approach by giving companies a positive and confident push forward towards a more secure future.

The first law of its kind in the nation to provide an affirmative legal defense, the DPA is an absolute boon to any company involved the handling of sensitive data. Beneficial for all involved, it’s designed to inspire a proactive approach to cybersecurity to make the exchange of sensitive information safer and more comfortable for everyone.

The law incentivizes businesses to further protect themselves against cybersecurity risks by providing legal protection to those who deal with personal information in case of a breach, provided that they comply with a designated cybersecurity framework.

A Safe Harbor

Fairly or not, people affected by data breaches often look for a scapegoat. In many cases, they end up trying to hold the breached company liable for losses or damages they’ve incurred.

With even the smallest attack leaving a business vulnerable to serious legal consequences, this bill represents a valuable tool for those looking to limit their liability. Although it doesn’t provide immunity to your company if you comply, it does afford you a ‘safe harbor’ against tort claims that failed cybersecurity measures resulted in the data breach.

Both businesses and consumers should be set to benefit from this development as companies become more motivated to up their game and meet industry standards for cybersecurity.

How to Comply

As of November 2nd, 2018, your business can trigger the ‘safe harbor’ provided that you adopt a cybersecurity program designed to:

  • Protect the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of the personal information; and
  • Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Since no two companies are alike, the law does acknowledge that the above guidelines are not meant to be a one-size-fits-all approach to cybersecurity. An effective program will have to be scaled to match:

  • The size, complexity, and nature of your business and its activities;
  • The level of sensitivity of the personal information your business possesses;
  • The cost and availability of tools to improve your security and reduce vulnerabilities; and
  • The resources your business has at its disposal to expand on cybersecurity.

Further guidance also advises businesses to ‘reasonably conform’ to one of the following industry-recognized frameworks:

  • The National Institute of Standards and Technology’s (NIST) Cybersecurity Frameworks;
  • NIST Special Publication 800-171, or Publications 800-53 and 800-53a;
  • The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
  • The International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards;
  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
  • The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) for healthcare industry businesses subject to HIPAA oversight;
  • The Federal Information Security Modernization Act of 2014 (P.L. 113-283); and
  • The Safeguards Rule of the Gramm-Leach-Bliley Act, for certain financial institutions.

If you accept card payments, you’ll also have to comply with the Payment Card Industry’s Data Security Standards (PCI-DSS).

Challenges Ahead

Although guidelines have been provided, demonstrating full compliance may prove challenging since many of the specified frameworks lack standard certification processes.

Also, since some data security laws have more flexible requirements than others, questions remain over how to demonstrate complete conformity, or which aspects to comply with to ensure the best legal defense. For this reason, when attempting to implement frameworks, it’s a wise move to consult with cybersecurity experts like CyberSheath.

Our Managed Services enables compliance with the Ohio DPA to ensure comprehensive, framework based compliance. We’ll guide you through the process from assessment through remediation, integrating your existing people, processes, and technologies with your chosen frameworks.

A Win-win for Your Business and Your Customers

Not only will CyberSheath’s managed services help you to achieve full compliance and reduce your legal liability, but you’ll also see a demonstrable improvement to your day-to-day operational security — a true win-win for your business and your customers.

 

Thanks to the increasingly sophisticated and aggressive cybersecurity threats facing the U.S., there has been much focus recently on reinforcing the nation’s cybersecurity. Much of this effort has revolved around strengthening the Department of Defense (DoD) supply chain.

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to achieve this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

• Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POAs.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally secure alternative practice is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering the 90 days prior to the date of the report, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

In the event that a subcontractor experiences a cybersecurity incident, they must report it to you, or to the next highest tier of subcontractor, and present the evidence as required. As the prime contractor, you’re then required to report the incident to the DoD and submit the evidence, as detailed above.

Cloud Service Provision

If you offer your own cloud services as part of your DoD contract, then DFARS states that you must enact the safeguards set forth in the Cloud Computing Security Requirements Guide (SRG), unless waived by the Chief Information Officer of the DoD. If you use a third-party cloud service, then you’re required to ensure that your cloud service provider follows the security provisions therein.

Don’t Know Where to Start?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. It truly is a daunting task bringing your business into line with these extensive regulations, especially when the stakes are so high.

That’s where a Managed Services expert like CyberSheath comes in. We’ve helped defense contractors large and small to achieve comprehensive DFARS and NIST compliance.

Put Your Cybersecurity Compliance in Expert Hands

We’ll take the stress and the guesswork out of compliance by handling every step of the journey, from assessment and gap identification to the development of robust System Security Plans and Plans of Action. And because we’re always monitoring the evolution of DoD frameworks, we’ll continue to update your plans in line with regulatory changes to guarantee ongoing compliance.

Let CyberSheath help you to protect your valuable DoD contracts and remain competitive in the defense supply chain. Contact us now for a no-obligation discussion to find out how.

 

5 Steps to DFARS Compliance

As cyber-attacks become more frequent and sophisticated, addressing tighter security needs has become a priority for the federal government. Enforcement of “Controlled Unclassified Information” (CUI) protection continues to intensify as private contractors and organizations are now required to upgrade their cybersecurity systems and overall procedures to keep up with these increasing threats. On April 24, 2018, the Department of Defense (DoD) issued draft guidance for assessing contractors’ System Security Plans (SSPs) and the implementation of security controls in NIST Special Publication (SP) 800-171.  If you’re a defense contractor, you’re required to comply with these regulations and provide “adequate security” for networks where covered defense information (CDI) is processed, stored, or transmitted. DoD issued two draft guidance documents. The first, “Assessing the State of a Contractor’s Information System,” provides guidance on four different objectives.  They include what must be in an RFP, how the source selection authority would evaluate the requirement, what resources are available for that evaluation, and the contract provisions that will be needed to implement the requirement during performance. The second draft guidance document, “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” was developed by DoD to determine the risks that an unimplemented security control has on an information system, and which of the unmet controls need to be prioritized. What does “adequate security” mean? At a minimum, defense contractors must implement the requirements in NIST SP 800-171 to become compliant. Contractors need to provide an SSP to prove the implementation of the security requirements, and also develop plans of action and milestones (POA&M) that describe how any unimplemented security requirements will be met.

Unimplemented Controls Receive a Value Rating

NIST 800-171 is comprised of 110 technical controls to ensure the best security policies and procedures.  DoD has decided to assess the risk of unimplemented controls by assigning a “DoD Value” for each security requirement ranging from 5 (highest impact on the cybersecurity system) to 1 (lowest impact on the cybersecurity system). These priority codes are used for priority rankings that NIST assigns to the NIST SP 800-53 Revision 4 security controls that are used for government information systems and which form the basis for NIST SP 800-171.

Non-Compliance is Not an Option 

In 2018, proposed DOD guidance is already moving to full enforcement of compliance. Compliance failures can lead to more serious consequences than a data breach.  Failure to comply with DFARS can lead contractors to incur penalties either by the United States Government (civil, criminal, contractual actions in law and administrative), or by individuals and private organizations that were damaged by lack of compliance (actions for damages).

  • Bid Protests: While SSPs and POA&Ms are important for determining “adequate security,” it’s still unclear the exact part they’ll play in bid protests and the implementation of NIST SP 800-171. After reviewing the implementation status during the pre-award stage, the DoD can make an unacceptable or acceptable determination, and ultimately decide if the contract should be rewarded. Another option is to evaluate implementation as a “separate technical evaluation factor.” During the pre-award process, contractors may choose to protest terms where a solicitation’s treatment of NIST SP 800-171 implementation fails to be consistent with DoD’s guidance. On the other hand, if a contract was rewarded to another contractor, disappointed offerors may consider challenging the award to another offeror where the assessment of the protester’s or awardee’s implementation of NIST SP 800-171 is inconsistent with the guidance documents. If the DoD notices inconsistencies between the implementation of NIST SP 800-171 and your SSP and POA&M, they could award the contract to another contractor. During 2018, contract protests awarded to higher-priced bidders were based in part on compliance with cybersecurity and employing more than the minimum security requirements in NIST SP-800-171.
  • Termination Risk: The accuracy of your SSP and POA&M, along with providing proof that you’re moving toward full compliance, is crucial. For the most accurate evaluation, the draft guidance states that solicitations and contracts must include contract data requirements (CDRLs) to “require delivery of System Security Plan and any Plans of action after contract award.” Now that both SSPs and POA&Ms are a contractual obligation, failure to be in compliance may provide a basis for termination if compliance isn’t completed. Or, if the SSP does not accurately state the implementation status of the contractor’s cybersecurity.
  • DCMA Audits: DoD has recently stated that as part of its audit function, DCMA will pull out all the stops to confirm all contractors have an SSP and POA&M.  However, DCMA will not be providing an analysis if the SSP fully complies with the NIST 800-171 security requirements. It’s unknown at this point if the DCMA would leverage any of DoD’s guidance in its review.
  • False Claims Act: If a contractor is audited by DoD and found not to have implemented DFARS/NIST 800-171, the contractor can be on the receiving end of numerous penalties. For example, if your SSP misrepresents your actual cybersecurity status, DoD can bring an action based on fraud, which is a False Claims Act violation. DoD may also be able to prove that the original SSP was key to the Department’s award decision. If DoD’s argument is successful, your earnings under the original contract are at risk, along with the reputation of your organization.

Make Compliance a Priority Before it’s Too Late!

At CyberSheath, we know that implementing these new security controls can seem like a daunting undertaking. We’ve successfully assessed and implemented the required NIST 800-171 controls for leading organizations in the defense industrial base supply chain.

Last week the Washington Post reported that in January and February of this year Chinese government hackers stole 614 gigabytes of material relating to a closely held project known as Sea Dragon from a Navy contractor’s unclassified network. Stolen data included signals and sensor data, information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.  Officials said the material, when aggregated, could be considered classified and this should come as no surprise to anyone familiar with unclassified defense contractor networks.

Unclassified contractor networks often contain a wealth of important information related to the important work they do in support of the Department of Defense DoD and other government entities. This reality is one of the many reasons that the DoD made compliance with DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171 mandatory no later than December 31, 2017. Unfortunately, many companies are still struggling with implementing the NIST 800-171 requirements or worse, writing the required System Security Plans (SSP) and Program of Action and Milestones (POA&M) and never getting around to implementing the security requirements.

The delay in implementing the NIST 800-171 requirements is likely in part why on April 24th, 2018 the DoD released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).

The DoD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts. Aside from the obvious competitive business reasons to immediately implement the NIST 800-171 security requirements this latest theft of project Sea Dragon data is a reminder of the implications to national security. Most of NIST 800-171 is just good cybersecurity hygiene that at a minimum will make contractors harder targets for hostile nation-states.

In February, Director of National Intelligence Daniel Coats testified that most of the detected Chinese cyberoperations against U.S. industry focus on defense contractors or tech firms supporting government networks. During his April nomination hearing to lead U.S. Indo-Pacific Command, Adm. Philip S. Davidson, told the Senate Armed Services Committee “One of the main concerns that we have, is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances.”  These comments along with the new DoD guidance are a clear indication that compliance isn’t going away.

Attention and focus on contractor networks started in earnest at least ten years ago when industry and the DoD started working together, voluntarily, to select NIST 800-53 base security requirements for implementation and defining cyber incident and information sharing processes. That effort has now evolved into the mandatory implementation of DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171. The deadline for achieving compliance has come and gone.

At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps sales@cybersheath.com

 

 

The December 31, 2017 deadline for achieving compliance with NIST 800-171 has come and gone. If you’re still not compliant, you’re at risk for penalties, and chances of winning future contracts and bids are at great risk. The good news is it’s not too late!

It’s understandable if you haven’t yet actually implemented the required NIST 800-171 security requirements. In the past, the DOD permitted businesses to choose a future date for implementing required security controls through the Plan of Actions & Milestones (POA&M) policy. As a result, businesses and organizations used POA&M merely as a simple checkbox system, which led to weak System Security Plans and stalled control implementations. Today, the DOD has upped their game by insisting on stronger cybersecurity practices among its business partners. They’ve moved to an enforcement phase for cybersecurity compliance and requirements with recently released DoD Guidance.

On April 24th, 2018 the U.S. Department of Defense released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).

The DoD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts.

Failure to Implement the Required NIST 800-171 Controls will Lead to Lost Bids, Vendors and Revenue

For the best chances of new contract awards and superior contract performance in the competitive cybersecurity market, you need to implement the Security Controls and heightened information security requirements as outlined in NIST SP 800-171.

NIST has a set of 110 security requirements that stem from the NIST SP 800-53, which governs the cybersecurity standards for government systems. The new guidance was also designed to help businesses assess and prioritize the most effective ways for them to begin implementing these crucial 110 security controls specified in NIST SP 800-171.

The DOD has a new tactic for reviewing SSPs and security requirements not yet implemented, which is to assign risk scores to controls. For example, security controls that are considered high risk and haven’t been implemented pose an extremely high risk to the data being protected and your ability to win DoD contracts.

Security controls that haven’t been implemented are given a DOD Risk Value for each security requirement that ranges from the highest, which is 5 (highest risk and priority for implementation) to 1 (lowest risk and priority for implementation).

If you don’t meet the 110 security requirements, it will likely lead to losing potential contracts through poorly written SSPs and high-risk scores resulting from a failure to implement the required controls.

Relax. We’ve Got This!

At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps.

It’s time to demonstrate compliance with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.

There is No Excuse for Non-compliance

Compliance with NIST SP 800-171 and DFARS clause 252.204-7012 is mission-critical for DoD contractors and demonstrating adherence to the requirements has become a competitive discriminator. For a deeper dive and a chance to ask questions specific to your implementation, please join us for the comprehensive webinar “NIST SP 800-171 DFARS clause 252.204-7012 Compliance in 5 Steps” on Thursday, March 29, 2018, 12:00 PM EST.

During the webinar you get answers to these critical questions and more:

  • Did the government extend the deadline?
  • How do I determine compliance with NIST SP 800-171 Rev. 1.?
  • What exactly does it mean to be compliant?
  • How do I know if I am already compliant?
  • What needs to be included in my System Security Plan (SSP)?
  • What are Plans of Actions & Milestones (POA&M’s)?
  • How do the controls apply to manufacturing environments?
  • Does NIST 800-171 apply to cloud computing?
  • How long will it take to achieve compliance?

No matter where you are in your journey towards NIST 800-171 compliance, this webinar is guaranteed to better equip you in understanding, implementing and maintaining compliance!

Achieving NIST SP 800-171 Rev. 1 compliance isn’t easy but the process doesn’t have to be complicated. If you need help staying competitive with this DoD mandate, contact us at sales@cybersheath.com.

 

It’s more important than ever to make sure your applications are secure. What tools are available to help in this effort – and what are the pros, cons, features, and benefits of these enablement tools?

In our previous post we set the stage for this discussion by covering the challenge application developers and their security teams face securing code in an efficient manner. Read about the impact securing (or not securing) application credentials can have on your organization and what you can do about it.

To continue our discussion, apps typically run in one of three network zone configurations. These include:

  • On-Prem – Apps that run in this space are your traditional applications, which usually run on physical machines or dedicated VMs. These apps have a long lifecycle.
  • Internal Cloud – Apps in this zone run on semi-elastic machines. Their lifecycle is much shorter than traditional servers and they are deployed much quicker than on-prem apps.
  • “The Cloud” – This zone exists outside the organization’s firewall. Apps in the cloud run on a very short-lived infrastructure, which is hosted by an outside vendor. These apps are deployed and destroyed auto-magically based on the application’s needs.

Whether you’re trying to meet DFARS, MAS, HIPPA, or NERC compliance, you have choices on where your apps run. Whichever environment meets your needs, CyberSheath has the resources to help keep your applications secure.

What you needHow CyberSheath can help
On-PremYour on-premise applications need to be just as secure as apps in the cloud.Depending on the way your application functions (homegrown code, services, scheduled tasks, IIS services), the CyberArk Enterprise Password Vault (EPV) has a feature for you. EPV is designed for:

  • Managing secrets.
  • Rotating passwords and keys.
  • Allowing humans and applications to fetch them for authorized tasks.
Your on-prem apps are developed on a platform like Java or C++.CyberArk’s Application Identity Manager can help. An agent, which serves as a credential provider, is installed on the local host. It:

  • Communicates between the application and the Vault, serving up the password each time it’s needed.
  • Is designed for high transaction volumes, and high availability.
  • Allows for seamless credential rotation with zero downtime.
  • Challenge: Agent workflow and management can be cumbersome.
Your on-prem applications rely on less hardcore code, but more scripting and basic Windows functions.The built-in remote management features of the Central Policy Manager are a good alternative.

  • Scheduled tasks, services, and IISAppPools running under a specific user can have that user’s password rotated automatically.
  • Challenge: Configuring the workflow for this is where most app teams get hung up.
Internal CloudYour apps running on an internal or private cloud tend to be less risk-oriented. These apps generally require faster deployment, have shorter return to operations (RTO) requirements, and need to be semi-elastic.CyberArk’s Central Credential Provider (CCP) is one recommended approach.

  • It allows app teams to make simple code changes.
  • Instead of an agent installed on a semi-elastic device, a web service call is made to retrieve the credential.
  • Identity can be established with a number of machine characteristics, in addition to client certificates.
  • Challenge: It can be difficult to define a clear and repeatable process to register applications and issue certificates to them.
“The Cloud”Your applications running on cloud infrastructure (a.k.a. the public cloud) generally require extremely high availability and elastic growth on demand.

Provisioning applications’ access to secrets at such quick speeds is challenging, which is why many organizations are hesitant to put apps in the cloud.

CyberArk’s Conjur, which is a DevOps security platform designed for cloud computing, can help.

  • As a cloud application itself, it conforms to the highly elastic nature of cloud applications.
  • It uses the concept of machine identity to establish trust that your app is who it says it is.
  • Using web calls (similar to CCP), Conjur serves up secrets to authorized applications.
  • No configuration is required for a new app instance. It’s built, has its authorizations, and it’s on its way.
  • Challenge: It’s not easy to create a system to import secrets or to build a methodology for developers to code in Conjur during their build process.

Contact CyberSheath to learn how we can help your organization secure your applications.

Are you a U.S. manufacturers who supply products within supply chains for the DOD? If you are it’s likely that you are required to ensure adequate security by implementing NIST SP 800-171 as part ensuring compliance with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” available at:

http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

Manufacturing environments can pose unique challenges when implementing the 110 controls required by NIST 800-171 Rev. 1 and applying the controls to a production line can be daunting with the risk of business interruption often a click away. To de-risk the implementation of the NIST 800-171 Rev. 1 controls it’s recommended that you start with an assessment of your current operations (people, process, technology) against the NIST 800-171 Rev. 1 requirements. Finding a trusted third party with applicable manufacturing environment experience to execute your assessment can be a great way to jump start your compliance efforts. If you choose to so the assessment in-house one of the best resources, targeted to small manufacturers, is NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements. Found here:

http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

NIST SP 800-171 Rev. 1 assumes that small manufacturers currently have IT infrastructures in place, and it is not necessary to develop or acquire new systems to handle Controlled Unclassified Information (CUI). Small manufacturers likely have some security measures to protect their information which satisfy some of the 800-171 security requirements. For controls that are not currently satisfied there are many potential security solutions that can be implemented to satisfy the security requirements. There is no single security technology or solution that will meet all requirements. Manufacturers will need to understand their operating environment and apply the security requirements to meet their unique operations which should be reflected in their System Security Plan (SSP). Manufacturers often have unique operational requirements that run counter to some required controls and will have to implement alternative, but equally effective, security measures to satisfy a control requirements.

NIST Handbook 162 was developed by the National Institute of Standards and Technology (NIST) and Manufacturing Extension Partnership (MEP) collaboration committed to strengthening U.S. manufacturing. The Handbook provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 Rev 1, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The handbook is intended for use by a small manufacturer and essentially walks manufacturers through conducting a self-assessment answering Yes, No, Partially, Does Not Apply or Alternative Approach to each control.

The Handbook includes an excellent section titled “Using this Handbook to Conduct an Assessment” which details the preparation and expectation setting before, during, and after an assessment. Often this is an overlooked step in the process as the desire to “just get compliant” informs most activities. While understandable, it’s a mistake to set compliance as the only outcome of a your NIST 800-171 Rev. 1 self-assessment.  When preparing for your self-assessment take the time to think about educating executives and business stakeholders on the compliance requirements and how you are going to earn their long-term support for this initiative.  There is no end state to NIST 800-171 Rev. 1 compliance and you should answer the following questions in soliciting executive support and sponsorship:

Does the business even know about this requirement for doing business with the Department of Defense (DoD)?

They might not. Now is your opportunity to educate them on the long-term implications of the requirements and help them begin to think about building the cost of compliance into the business plan.

Does the business understand the NIST 800-171 Rev. 1 impact on Acquisition? (for a detailed explanation see this blog post: http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/

At some point, you will need to demonstrate compliance in order to be competitive for future acquisition. Engaging the business now and getting ahead of that inevitability will pay dividends in the future.

How will you measure and communicate your self-assessment and overall compliance to the business?

Don’t make the mistake of only communicating the fact that you are undertaking a self-assessment. This is your opportunity to communicate your long-term approach to managing a NIST 800-171 Rev. 1 compliance program. Take the time to develop a strategy that includes:

  • Executing an Annual Assessment
  • Documenting your System Security Plan (SSP) and Plans of Action & Milestones (POA&M’s)
  • Implementing the required controls
  • Maintaining Compliance

Developing this strategy up front presents the opportunity to transform security from” order takers” to a business enabling function, don’t pass that up!

When you are ready to start your self-assessment using NIST Handbook 162 you will find descriptions of each control and importantly practical recommendations on how to assess your compliance with each control. The guidance included suggestions around who to talk to, where to look and what tests to perform when assessing control compliance. The recommendations should help you and your team work your way through each control and ultimately complete a thorough self-assessment.

Achieving NIST SP 800-171 Rev. 1 compliance for a manufacturing  business has its own unique challenges, most of which CyberSheath has already solved.  If you need help staying competitive with this DoD mandate, contact us at sales@cybersheath.com.

 

The December 31, 2017 deadline for creating a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms) aligned with NIST special publication 800-171 requirements has passed. If you are a DoD prime contractor, now it’s time to focus subcontractor compliance.

Subcontractor Compliance and CDI

DFARS 252.204-7012 (“the DFARS cyber clause”) compelled you to validate your own compliance status and address any cybersecurity gaps. As a prime, you have satisfied your in-house compliance obligations. Now it’s time to turn your attention to your subcontractors since the DFARS cyber clause must be flowed down to all suppliers or subcontractors that store, process and/or generate Covered Defense Information (“CDI”) as part of contract performance.

Keep in mind that CDI is defined as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:

  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Controlled technical information is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”

How to Ensure Subcontractor Compliance

Subcontractors can achieve compliance with the NIST 800-171 Rev. 1 requirements in a variety of ways including flow down of the 252.204-7012 clause in subcontract documents that contain detailed communication with the specific requirements of the DFARS cyber clause. This includes the mandate for subcontractors to:

  • Create an SSP and associated POA&Ms.
  • Fully implement the requirements outlined in the clause and NIST 800-171.
  • Report non-compliance to the DoD CIOs office within 30 days after contract award.
  • Report cyber incidents within 72 hours.
  • Formally flow down the DFARS cyber clause to all lower-tier suppliers/subcontractors storing, processing, and/or generating CDI.
  • Be in full compliance with the DFARS cyber clause.

Remember that as a prime contractor, you are ultimately liable for the compliance of your suppliers and subcontractors. Make sure the flow down of requirements and the validation of compliance is a formal, documented, and repeatable process.

Also, if you are using an existing Governance, Risk, and Compliance (GRC) technology for other regulatory compliance requirements, you should be able to extend its use to cover DFARS 252.204-7012 subcontractor compliance. If you don’t have an existing GRC solution consider these alternatives:

  • Partner with a Managed Security Services Partner (MSSP) that offers a compliance and reporting capability specific to NIST 800-171. Many of the required controls can be mapped back to managed service offerings to produce automated compliance reporting.
  • Work with your contracting organization to create and implement a process that can be incorporated into the existing contracting business cycle. Contracts staff already play a key role related to subcontractor compliance for other contract clauses and adding DFARS 252.204-7012 requirements should be a logical fit.

Bottom line: It’s the prime contractor’s obligation to flow down DFARS 252.204-7012 requirements to all suppliers or subcontractors. Planning for success now is imperative.

If you need help complying with NIST SP 800-171, contact us at sales@cybersheath.com

 

As an owner of a small or mid-sized business, you have endless options available as you partner with a Managed Security Services Provider (MSSP) to better secure your business. The array of choices, industry jargon, and configurable service options can leave you wondering if you left something on the table that you will later regret. Without a team of security experts to vet vendor service offerings, the selection process is even more daunting.

How can you simplify the process and ensure that you are getting everything you need to be secure and compliant?

Maximize Your Chance of Success When Selecting an MSSP

  1. Document your requirements
    • Increase your likelihood of getting what you need by taking the time to compile this list. It will make you a smarter buyer and tremendously help you find the right resource for your needs.
    • Note that this doesn’t have to be a detailed spreadsheet of operational capabilities and Service Level Agreements (SLAs). You may opt to start with compliance issues as most businesses have specific regulatory requirements that they must satisfy including DFARS NIST 800-171, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and many others.
    • Ask potential MSSP vendors how they can help your business to measure, satisfy, or simplify compliance with any of the above compliance requirements. MSSPs should possess in-depth knowledge of the requirements, use cases from existing customers, and references.
  2. Be ready to answer questions
    • Have a technical person and someone who understands your business available to answer questions around current security tools in place including how they are used, which users need what level of access, and existing business processes. A good MSSP will want to understand your business both in terms of your existing on-premise and cloud-based infrastructure and your actual business.
    • Trust your instincts and steer clear of sales pitches that focus on technology rather than your business requirements. Know that MSSPs who don’t ask the right questions and who push technology won’t be good long-term partners. There isn’t a tool on the planet that can make you secure. Ideally, your conversations will be with the MSSP operational staff rather than salespeople as operational folks will have the experience that can be applied to your business requirements.
  3. Make sure your MSSP enables security and compliance
    • Remember that operational security enables compliance. Drive your MSSP to explain how their proposed solution to your requirements can make your business both secure and compliant. Chances are you don’t have the time or resources to manage compliance as a separate activity from securing the company. Whatever you contract for should enable both operational security and compliance and the alignment between the two should be documented.
      • Example: If an MSSP is offering a Security Incident Event Management (SIEM) and log management capability, there should be a documented alignment of the capability delivered and your specific compliance requirements. You intuitively understand why you need a firewall and anti-virus protection, but make the MSSP demonstrate how that operational need maps to your compliance requirements to become a force multiplier.
    • Keep in mind that other examples of operational technologies that your MSSP should easily be able to map to your compliance requirements include:
      • Asset Discovery and Inventory
      • Vulnerability Assessment
      • Intrusion Detection
      • Behavioral Monitoring
      • SIEM and Log Management
  4. Vet your MSSP to ensure service delivery
    • Spend time examining your MSSP to be sure that you are they are going to deliver on the “service” part of being an MSSP. SLAs should be a part of your contract but there is an undocumented level of service that you should be getting from your MSSP that can’t be captured in an SLA.
    • Consider these things:
      • Are you comfortable with their technical expertise?
      • When you call, do you know if you’ll get a knowledgeable expert who goes the extra mile to solve your problems or a tier-one analyst who just opens a ticket?
      • When compliance questions relating to a business issue arise, will you find your MSSP to be a partner working with you to solve to problems?
      • Does the MSSP have clear value-added services that go beyond “management dashboards” that only demonstrate tools are being deployed?
    • Narrow your selection to responsive, service-oriented vendors during your procurement process. Many customers has been sold MSSP “services” that do little more than collect logs and monitor.
  5. Be diligent in checking references
    • Ask for references and take the time to call these contacts. Inquire about the reference’s experience during onboarding and delivery of services months after the sale was made. Is the MSSP still engaged and delivering value or do they only surface at contract renewal time?
    • See if your chosen MSSP has delivered any remediation or implementation projects as they are indicators of hands-on experience that will benefit your business. Ideally, references will be in the same business or industry as yours, but if everything else checks out this isn’t a necessity.

Partnering with an MSSP is a great way to secure your business infrastructure. To find out how quickly CyberSheath can enable 24/7 operational security and compliance reporting for your business, contact us at sales@cybersheath.com.

 

It’s time to demonstrate compliance with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1 (NIST 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.

There is No Excuse for Non-compliance

Originally Department of Defense (DoD) primes and subcontractors had until December 31, 2017, to demonstrate compliance with NIST 800-171. Recently, however, Ellen Lord, the defense undersecretary for acquisition, technology, and logistics told the Senate Armed Services Committee offered a bit of conflicting information. “We said that clearly, the only requirement for this year is to lay out what your plan is,” she said at the December 7th hearing. “That can be a very simple plan. We can help you with that plan. We can give you a template for that plan. Then just report your compliance with it.”

Bear in mind that those words are not an indication of all prevailing thoughts on the matter. Indeed, that guidance was contradicted by a Pentagon spokesman who said the change should not be considered a delay in the deadline since contractors must still document by December 31st how they will implement the new rules.

The clear takeaway is: This requirement for doing business with the DoD isn’t going away. Given the years of delays and widely available information regarding the requirements, there will be no excuse for non-compliance. The Director, Defense Pricing/Defense Procurement and Acquisition Policy issued guidance which articulates how compliance will be factored into acquisition which we explain here: http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/

4 Steps to Compliance with NIST 800-171

Note that these steps are not simple – you’ve got to put in the work to get the results. Another tip: Ignore vendors who are trying to sell you a product to easily achieve compliance, as such a solution does not exist. Many of the 110 controls of the NIST standard deal with the process – and how you implement the controls will be unique to your business.

To stay competitive in the DoD acquisition process and comply with NIST 800-171, you should (immediately):

  1. Assess current operations for compliance with NIST 800-171. – Starting with a gap assessment of your current people, process, and technology against compliance with NIST 800-171 is a useful step in achieving compliance. When done correctly an assessment will:
    • Directly link to Control 3.12.1 of NIST 800-171 which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
    • Give you a clear view of your current compliance with the remaining controls.
    • Generate a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.
  1. Write your SSP & POA&Ms – NIST 800-171 was revised (Revision 1) in December 2016 to require a “system security plan (SSP)” and associated “plans of action (POA&Ms)”. Initially, your SSP will be an aspirational document as you will find that many of the required 110 NIST SP 800-171 controls are not fully implemented in your environment. Your POA&Ms will detail your plans to remediate deficiencies and achieve compliance. The requirements are:
    • Security Requirement 3.12.4 (System Security Plan, added by NIST 800-171), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
    • Security Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
    • Note that these plans can be documented in a variety of formats but at a minimum, they should detail:
      • The deficiency identified
      • The plan to correct the deficiency (people, process, and/or technology)
      • Dates by which you intend to be compliant against the specific deficiency
  2. Implement the required controls  – Execute your POA&M’s and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and if you are using only internal resources remember they all already have day jobs so set your expectations accordingly. If you work with a third party to implement the controls look for the following expertise:
    • Have they implemented the NIST 800-171 controls for similar-sized businesses?
    • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
    • Ask for and check references.
  3. Maintain Compliance – If you have made it this far, congratulations! Now plan for ongoing compliance in a way that achieves the following:
    • Documented and automated compliance reporting
    • Support Request for Proposal (RFP) and other acquisition-related business development activities
    • Ongoing operational expense related to maintaining compliance

Compliance is a Journey – and Not a Destination

Your SSP will need to be updated as your business changes and specific control implementations need to be continually validated. If you have a Managed Security Services Partner (MSSP), have them map the work they do back to NIST 800-171 compliance for the appropriate controls and modify your contract to provide for periodic reporting. For the controls maintained by in-house staff, automate control validation and reporting so that you can demonstrate compliance on a real-time basis.

Achieving NIST 800-171 compliance isn’t easy but the process doesn’t have to be complicated. If you need help staying competitive with this DoD mandate, Contact Us at sales@cybersheath.com.

 

These days, it’s not easy to be in charge of your organization’s IT security. With cyberattacks increasing in frequency, severity, and reach, it’s more important than ever to develop a plan for achieving, managing, and documenting the security of all of your systems.

It’s Not Only Good Practice to Have a System Security Plan, but It’s Also a Requirement

NIST SP 800-17, Revision 1 recently added requirement 3.12.4 to the Security Assessment control family stating that organizations must “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”

This one-sentence requirement is based on NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems.

Identify What Systems Need a System Security Plan

Now it’s time to figure out which systems in your organization require a System Security Plan (SSP). Each SSP should be focused on an information system, which is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” An application, information or technology service, platform, and infrastructure are all considered systems, and their security must be formally planned according to the NIST SP 800-171 requirement for in-scope systems.

Compile your list of systems needing an SSP and start uncovering all the information you will need to write them. Each SSP will need two types of information, both of which can be a challenge to compile. These include:

  1. System details documenting how the system operates
  2. Details about how the NIST SP 800-171 Revision 1 controls requirements are met for that particular system. Note that the control statement responses are a granular system-specific response to the 110 control requirements.

Once you have your inventory of systems that store, process, or transmit Controlled Defense Information (CDI) or Controlled Unclassified Information (CUI), it’s time to start planning.

First, create a system security planning template. The appendix to NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems has a template, which provides a great starting point for creating your organization’s SSPs.

Next, assemble your team for the planning process, making sure to include these roles:

  • System Owner – This role is critical to the system security planning process as this person has deep knowledge about the systems and understands what the system does, how it works, and how it is controlled. The system owner owns the security plan for the system and is responsible for providing diagrams and explanations that articulate where the sensitive data is stored at rest, where and how it is transmitted, and what system interfaces exist, especially those interfacing systems that transmit the sensitive (CDI and CUI) data.
  • IT/Security Support Staff – Depending on the size of your organization, your support team may provide a set of core IT services that provide control to the broader network and computing environment. Inheritable controls could include authentication services, firewalls, network segmentation, secure system baselining, access management, and change management. A system owner will work hand-in-hand with the support team to understand how and if the controls apply to his or her particular system.
  • Administrative/Business Operations Support Staff – Some controls that apply to systems may not be technical. Administrative and/or business operations staff will need to provide input into how non-technical controls, such as background screening processes, facility security mechanisms, training and awareness programs, and staff management controls, are addressed. The people who have ownership of these functional business capabilities will need to weigh in on the security planning effort so that controls are adequately defined.

Once you have the right people involved, it’s time to get to work and write the plan. It’s a laborious process, but the intent is to provide defensible information and responses as to how a system works and how security controls are applied. An auditor or contracting official will want to know how you safeguard their sensitive data, and the information you document along with control responses should provide assurance of that protection.

Create a Master SSP

Every system used for the storage, processing, and transmission of CDI/CUI should have a security plan. Think about the roles above and the functional areas they represent. If these roles exist as a core, corporate function that is applied consistently across the organization, then consider creating a master system security plan that documents a core set of controls meeting the NIST 800-171 requirements.

A Master SSP helps you define a standard across the enterprise for inheritable controls, which provides guidance to the system owners about how they may be consuming controls that are broadly applied to the organization. The effectiveness of using the master system security planning concept depends on how effective those broad controls are applied by mandate.

  • For those organizations who strictly apply their standards, the master system security planned controls would be thoroughly applied and relied on.
  • For those organizations looser about applying standards and mandates, a master system security plan makes a good reference, but system owners should pay close attention to whether they actually inherit the standard control offering, or if a system-specific control response is required.

Build Proactive Measures into Your SSPs

Developing your System Security Plan(s) will provide a systems-focused macro-view of how your security controls are being applied. The process also helps identify non-compliance and uncover insecure practices, alerting you and helping you create a plan to resolve issues.

Consider building your Plan of Actions & Milestones (POAM) into your SSPs, and track compliance deficiencies to resolution. This helps you be proactive in your remediation and corrective action planning and moves you closer to a mature state in managing security controls.

The CyberSheath team is experienced at helping organizations like yours create System Security Plans. Contact us to learn how we can help you.

As a contractor, you need to safeguard covered defense information that is processed or stored on your internal information system or network.

To stay in the running for work from your primes, you need to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. You have until December 31, 20 I 7 to implement NIST SP 800-171.

How will non-compliance with NIST SP 800-171 impact contractors’ future acquisition?

On September 21, 2017, The Director, Defense Pricing/Defense Procurement and Acquisition Policy issued guidance for acquisition personnel in anticipation of the December 31, 2017 deadline, which:

  • Outlines how contractors might implement NIST SP 800-171.
  • Addresses how a contractor may use a system security plan to document the implementation of the NIST SP 800-171 security requirements.
  • Describes how DoD organizations might choose to leverage the contractor’s system security plan (SSP), and any associated plans of action, in the contract formation, administration, and source selection processes.

To not jeopardize future opportunities, contractors should focus on developing a well-written SSP and associated Plan of Action and Milestones (POA&M) to achieve compliance.

What are the SSP and POA&M requirements?

NIST SP 800-171 was revised (Revision 1) in December 2016 to require a “system security plan” and associated “plans of action.” Specifically:

  • Security requirement 3.12.4 (System Security Plan, added by NIST SP 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

How do you write an SSP and POA&M?

Documenting implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline requires an SSP and associated plans of action which describe how and when you will meet unimplemented security requirements, how you will implement planned mitigations, and how and when you will correct deficiencies and reduce or eliminate vulnerabilities in the systems. System security plans and plans of action can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained year-over-year. Governance, Risk, and Compliance platforms can provide a technical, somewhat automated capability to meet this objective.

There is no prescribed methodology for contractors to implement the requirements of NIST SP 800-171, or even to assess your current compliance with the requirements -nor is there a prescribed format for SSPs or POA&Ms. A reasonable first step in creating an SSP and POA&M is to use company personnel or a qualified third party to execute a gap assessment against current operations compared to the NIST SP 800-171 requirements. The gap assessment will detail changes to policy and highlight areas where additional hardware or software are required to achieve compliance. A well-executed gap assessment will determine:

  1. Requirements that can be met using in-house IT personnel.
  2. Requirements that can be met using outside assistance.
  3. Plan of Action and Milestones for achieving compliance.

Which version of NIST 800-171 applies?

DFARS Clause 252.204-7012 requires the contractor to implement the version of the NIST SP 800-171 that is in effect at the time of the solicitation, or such other version that is authorized by the contracting officer.

How do you inform the Government of compliance with NIST SP 800-171 requirements?

You can inform the Government of your implementation of the NIST SP 800-171 requirements in a number of ways.

  • The solicitation provision DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” provides that by submitting the offer, the contractor is representing its compliance (and provides a procedure for the contractor to request the DoD Chief Information Officer (CIO) to authorize a variance from any of those requirements as being non-applicable, or because the contractor has a different but equally effective security measure).
  • Paragraph (c)(2)(ii)(A) of DFARS Clause 252.204-7012 requires the contractor that is performing a contract awarded prior to October 1, 2017, to notify the DoD CIO of any requirements of NIST SP 800-171 that are not implemented at the time of contract award.

Keep in mind, the solicitation may require or allow elements of the system security plan, which documents the implementation of NIST SP 800-171, to be included with your technical proposal, and may be incorporated as part of the contract (e.g., via a Section H special contract requirement).

What is the role of the SSP and POA&M in contract formulation, administration, and source selection?

Chapter 3 of NIST SP 800-171, Revision 1, states that Federal agencies may consider the contractor’s system security plan and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization, and whether or not it is advisable to pursue an agreement or contract with the nonfederal organization.

DFARS Clause 252.204-7012 is not structured to require contractor implementation of NIST SP 800-171 as a mandatory evaluation factor in the source selection process, but the requiring activity is not precluded from using a company’s SSP and associated POA&Ms to evaluate the overall risk introduced by the state of the contractor’s internal information system or network.

The Director, Defense Pricing/Defense Procurement and Acquisition Policy guidance for acquisition personnel provide the following examples of how the government may utilize the system security plan and associated plans of action:

  • Using proposal instructions and corresponding evaluation specifics (detailed in sections L and M of the solicitation as well as the Source Selection Plan) regarding how implementation of NIST SP 800-171 (and other applicable security measures) will be used by DoD to determine whether it is an acceptable or unacceptable risk to process, store, or transmit covered defense information on a system hosted by the offeror. The solicitation must notify the offeror whether and how its approach to protecting covered defense information and providing adequate security in accordance with DFARS 252.204-7012 will be evaluated in the solicitation.
  • Establishing compliance with DFARS 252.204-7012 as a separate technical evaluation factor and notifying the offeror that its approach to providing adequate security will be evaluated in the source selection process. The specifics of how the offeror’s implementation of NIST SP 800-171 will be evaluated must be detailed in Sections L and M of the solicitation as well as the Source Selection Plan.  If you are behind in implementing the required controls of NIST SP 800-171, are unsure of how to write your SSP and POA&M’s, or need expert help complying with the requirements, Contact CyberSheath at NIST800171@cybersheath.com for immediate assistance.

As a subcontractor on a Department of Defense contract, you have likely had flow down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Many subcontractors, as they scramble to secure their infrastructure to be in compliance before the December 2017 DFARS deadline, are also asking, “When should DFARS clause 252.204-7012 flow down to our subcontractors?”

To help you answer that question, here are some basics related to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (effective October 21, 2016) and NIST 800-171.

The Basics of DFARS Clause 252.204-7012

This clause is required in all contracts except for those contracts solely for the acquisition of COTS items. It requires contractors and subcontractors to:

  1. Safeguard covered defense information (CDI) that is resident on or transiting through a contractor’s internal information system or network.
  2. Report cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support.
  3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
  4. If requested, submit media and additional information for damage assessment.

What is Covered Defense Information (CDI)?

This term is used to identify information that requires protection under DFARS Clause 252.204-7012. Covered defense information is unclassified controlled technical information (CTI) or other information as described in the controlled unclassified information (CUI) Registry that requires safeguarding or dissemination controls*, and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD, in support of the performance of the contract or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor, in support of the performance of the contract.

* Pursuant to and consistent with law, regulations, and Government-wide policies

Does DFARS clause 252.204-7012 flow down to subcontractors?

The clause impacts subcontractors when performance will involve operationally critical support or CDI. You should determine in consultation with your contracting officer if necessary if the information required for subcontractor performance is or retains its identify as CDI, and requires safeguarding or dissemination controls. Flowdown is to be enforced by the prime contractor. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s information system.

What does DFARS Clause 252.204-7012 require?

Simply stated, this DFARS clause mandates adequate security. The contractor shall provide sufficient security on all covered contractor information systems. To provide satisfactory security for covered contractor information systems that are not part of an IT service or system operated on behalf of the Government, at a minimum, the contractor must implement NIST SP 800-171, as soon as practical, but no later than December 31, 2017.

What is NIST SP 800-171?

This standard:

  • Enables contractors to comply using systems and practices likely already in place.
  • Significantly reduces unnecessary specificity, as requirements are performance-based, and more easily applied to existing systems.
  • Provides a standardized, uniform set of requirements for all CUI security needs.
  • Allows non-federal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers).
  • Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements.

If you are struggling with interpreting these requirements or need help implementing the security controls, CyberSheath can help you determine a path forward for achieving compliance ahead of the December deadline by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your remediation efforts.

There are less than 100 days left until the mandatory compliance deadline for implementing the DFARS required controls of NIST 800-171. Is your organization ready?

If you have been focusing on other strategic business initiatives and have not yet dedicated resources to NIST 800-171 compliance, you still have time. It will take a lot of work, but your organization can have a documented plan in place to guide your efforts and make material gains towards compliance this quarter.


Month-by-Month DFARS Compliance Guide

To remain competitive in your pursuit of new contracts with the Department of Defense, you should:

  1. Assess your current state and create an implementation plan for your needed controls.
  2. Formulate a DFARS-required System Security Plan (SSP).
  3. Achieve DFARS compliance.

Here’s how to accomplish that by the end of 2017.

October

  • Conduct security assessment – You might be tempted to save time and skip this step – but don’t assume that you already know what work needs to be done. Execute an internally or externally-led gap assessment against the fourteen families of controls in NIST 800-171. Document your compliance with each family of controls. Be sure to record the people, processes, technologies, and related artifacts involved and demonstrate that your security program is implementing the required controls as a part of your day-to-day operations.
  • Unsure of how to proceed? Work with a vendor – If you are struggling with the interpretation of the controls, enlist the help of a skilled outside party to execute the gap assessment.
    • Find a vendor – Look for a services provider with specific NIST 800-171 experience, both assessing compliance and implementing remediation programs to achieve compliance. Get references and make the vendor provide proof of past success in helping defense contractors achieve compliance. Query the vendor about the deliverable from the assessment and be clear that you are looking for more than best practice recommendations – you require information specific to your internal operations.
    • Leverage the third-party vendor to engage your executive team – Have your vendor work with your executives and get answers to the inevitable questions around DFARS compliance. You probably have already had a talented team that has been briefing NIST 800-171 internally for some time. Often the same message from a trusted third party with past experience can jumpstart the conversation at the executive level and secure the support your team needs.

November and December

  • Create a project plan and start implementing controls – Using the results of your gap assessment, create a project plan and start implementing controls that don’t currently exist in your organization and remediating the ones that fall short of meeting the requirements.
  • Be proactive in engaging procurement – If you have to purchase tools or engage a third party to assist in remediation, make sure that your purchasing is streamlined. With less than 100 days left there is little time for delays related to procurement processing. Ideally, you will have already spent time to get executive buy-in on this effort and have created the required sense of urgency around meeting the December compliance deadline.
  • Start writing your SSP – In parallel to your remediation efforts, start writing your SSP. It’s a requirement of compliance – and it will force you to be strategic about long-term compliance and not get lost in the tactical details of getting specific controls implemented before December. Your SSP should be a true reflection of your NIST 800-171 compliance program. You should plan to review and update this document annually.

CyberSheath is skilled at performing security assessments, creating remediation plans, writing SSPs, and most importantly actually implementing the required controls. If you need assistance achieving DFARS compliance before the deadline, Contact Us today.

In less than five months your organization needs to be DFARS NIST 800-171 compliant. If you have already formulated a remediation plan to help you address your deficiencies, continue working through your prioritized roadmap to meet the compliance deadline. If you haven’t yet begun planning, get started today. Don’t jeopardize your ability to secure and execute DoD contracts by being non-compliant.

Three Areas to Focus on as You Craft Your Compliance Roadmap

After you’ve assessed your organization against the 110 security controls in NIST 800-171, you’ll need to build a plan to address your compliance gaps. An effective plan will have components that address these three areas.

  1. Multi-Factor authentication
    • What it is: Multi-Factor authentication (MFA) is a security measure where more than one method of authentication from independent categories of credentials is required to verify the user’s identity for a login or other transaction. It is an important component of any security plan as increasing authentication from a single factor greatly improves the security of your systems.
    • What you need to do: Procure an identification and authentication service that complies with the DFARS security requirements. Make sure the MFA solution is scoped and implemented to address the unique requirements of your environment. Also, work with stakeholders and end-users to conduct use-case and validity testing. Integrate with your authentication management processes to administer the user lifecycle. Make sure you have access to training, maintenance, and support of your solution.
  1. Privileged Account Management
    • What it is: Privileged account management (PAM) is managing and auditing account and data access by privileged users, who are individuals with administrative access to critical systems. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.
    • What you need to do: Ensure your PAM solution provides automated, monitored, and controlled privileged access. Elevate administrative access to avoid granting excessive access to privileged accounts. Require the verification of a ticket or an approval to ensure administrative access is only granted when it is required for a specific activity. Work with engineers who are well versed in fine-tuning the configuration of the PAM suite and who can provide technical expertise and customization for your unique project.
  1. Vulnerability Management
    • What it is: Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities in your security infrastructure. It is important that your organization continually be monitoring for vulnerabilities to ensure you stay ahead of potential threats.
    • What you need to do: A DFARS compliant vulnerability management program will continuously assess your environment for vulnerabilities and patch compliance. Make sure your solution performs monthly vulnerability scans, as well as scans after any significant changes are made, of all your internal and public-facing systems. Also, ensure you receive a monthly report detailing new findings and findings from the previous month(s) which have yet to be remediated. Verify implementation of patches or workarounds for each fix with follow-up scans as needed.

Plan, Provision, and Outsource if Needed to Meet the December 31, 2017 Deadline

Determine what you can reasonably accomplish with your internal resources and what you need to outsource to meet the December deadline. Also, as part of your roadmap, make sure you plan for a post-compliance world where you need to maintain the controls you’ve implemented.

Regardless of where you are in your DFARS compliance process, time is of the essence. Continue your efforts or get started now – five months is not much time to affect the change mandated by NIST 800-171 compliance.

If you need support, contact us for a FREE consultation.

Achieving compliance with NIST 800-171 before the mandatory December 2017 deadline can look like a daunting task. With only 6 months left in the year, time is running out to understand, evaluate, and implement the more than 100 DFARS controls. Where do you start – and how do you efficiently deploy resources to ensure success?

Here are 4 Simple Steps to Assess, Implement, Measure, and Maintain Compliance

  1. Conduct a gap assessment of your current security program. Using a trusted third party or internal resources, perform a binary, pass/fail assessment and make sure results are supported by artifacts and technical validation. Taking a pass or fail approach to each required control ensures an honest assessment and efficient process. Countless vendors have “proprietary” assessment methodologies that are ultimately subjective marketing documents. The NIST 800-171 controls are either implemented or they aren’t. This approach saves you time and endless debate that doesn’t move the needle on compliance.
  2. Turn your gap analysis into a remediation plan. Review your assessment results and start the process of remediating non-compliant controls. The project plan should identify the people, processes, and products required for control implementation. Your plan should be a “project management 101” kind of document that gives you a realistic view of cost, schedule, and performance. If you have budget constraints, look for opportunities to implement manual processes until you can automate with tools. Be sure to account for the documentation of your policies and processes as part of the plan.
  3. Execute your plan. Run your implementation of NIST 800-171 like a project with dedicated internal or third party resources if the workload requires them. Track project progress weekly and keep management informed. Be sure that after a control is fully implemented you have a way to continuously measure compliance. Like any other regulatory mandate, DFARS compliance is an ongoing requirement and not a one-time effort. This monitoring can be done manually or with a GRC (Governance, Risk, and Compliance) tool like RSA Archer or TraceCSO. If you are budget-constrained, use Excel or SharePoint to get the job done.
  4. Maintain compliance across your enterprise. Implement dashboard views of near real-time compliance and a process for on-boarding new contracts with CUI/CDI (Controlled Unclassified Information/Covered Defense Information). Budget for and perform an annual assessment to validate your compliance.

The Bottom Line

NIST 800-171 is an effective cybersecurity hygiene guide for DoD contractors. Controls like multi-factor authentication and encryption are heavy lifts initially but relatively easy to maintain after implementation. The interpretation of the controls may seem intimidating, but the pragmatic approach laid out above will go a long way in helping you meet the December 2017 deadline.

Get started! It’s likely your team is already overburdened with other work and adding this to their plate with only 6 months of the year remaining won’t be easy. That’s why CyberSheath exists. We’ve helped dozens of global companies achieve compliance – and we can help your organization too. Contact CyberSheath today for a FREE consultation.

There’s a lot at stake right now with your company’s DFARS / NIST 800-171 compliance. What you do – or don’t do – in the next six months could impact your ability to secure and execute DoD contracts.

Is your company compliant with all 110 security controls in NIST 800-171?

As a supplier, chances are you’ve received a letter from one of your Prime’s asking if you are compliant with the DFARS mandate and reminding you of the compliance deadline of December 31, 2017. If your Prime uses Exostar as their sourcing and collaboration tool as the major Defense Contractors do, you will have to fill out a DFARS questionnaire before a PO can be issued for your part of the contract.

There are three ways to handle the situation:

  • Misrepresent the truth about your organization’s infrastructure security and answer the questionnaire in a knowingly untruthful way and claim compliance in the hopes that the truth is never discovered and that your firm is never flagged for a security audit.
  • Determine where you are non-compliant and develop a plan to become compliant by year’s end.
  • Write a letter to the DoD explaining where you are not compliant, and why.

Of these options, I think we can agree that the first is ill-advised, and the third is not a way to build trust and foster confidence in your firm. That leaves the second option – becoming compliant. How do you proceed?

What exactly is the DFARS mandate and why it’s important?

NIST Special Publication 800-171 Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of Covered Defense Information (CDI). This document outlines each of the controls your firm needs to meet in order to be able to continue providing services and products to your Prime and ultimately to the DoD.

The fact is, the controls outlined in DFARS are security measures that your firm should already be implementing as part of maintaining good security hygiene. Each item on the checklist helps your firm safeguard important information and, ultimately, helps your firm protect the confidentiality of CDI.

What should you do to keep your current contracts?

Right now your firm is probably compliant with about half of the 110 controls within NIST 800-171. Chances are the areas your company is deficient in include:

  • SIEM (security information and event management)
  • Multi-factor authentication
  • Applied encryption, both at rest and in-transit
  • Policies and written authentication for your security procedures and protocol

While addressing these deficiencies may seem onerous, it’s important to remember that becoming compliant is good for your company – and good for your bottom line. Perhaps you think you don’t have the resources, budget, or buy-in needed to move forward. Keep in mind that the path to compliance is the only viable option you have. Here is a plan on how to address and achieve DFARS compliance:

  • Get a security assessment to help you interpret what is required and if your company is in compliance with each of the 110 controls.
  • Create a plan to achieve compliance on all the items identified as deficient in your security assessment. Your remediation plan should solve for operational issues as well as protect covered defense information in a manner that demonstrably shows compliance. Note that remediation typically takes about 6 months – so you need to get started now.
  • Partner with a trusted, experienced company that:
    • Has truly walked a mile in your shoes and has experience implementing the controls required for DFARS compliance.
    • Tailors the control implementations to fit your reality and achieve compliance.
    • Understands the practical realities of implementing controls like multi-factor authentication in an operational environment on a limited budget.

CyberSheath uniquely understands the DFARS security requirements and can assist you with assessing compliance with these DoD mandated security requirements and creating a road map of how you can become compliant by December 31, 2017.

The clock is ticking. Get started on your DFARS compliance today.

Don’t scramble to do research to address your security shortcomings. Get your current security state assessed now and formulate a plan to become compliant – before your Primes come to hold you accountable to this new mandate.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

In December of 2016 the National Institute of Standards and Technology (NIST) finalized the first revision to it’s Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Systems and Organizations. The updated document, NIST SP 800-171 Revision 1 is the new standard for which government contractors who store, transmit or process CUI, are required to comply with by the December 2017 deadline for compliance.

While many of the updates are verbiage changes to clarify the defined scope of the current controls, there are two major changes that need to be noted by those who are required to adhere to the regulation.

In the original 800-171 release, Control 3.1.19 specified the requirement to encrypt CUI on mobile devices. In the updated revision, the control is amended with the additional stipulation to include mobile computing platforms. Further, mobile devices and mobile platforms are more clearly defined to include smartphones, tablets, E-readers, and notebook computers. This additional specification is intended to remove any doubt as to the scope of the control. Encryption of mobile devices and mobile computing platforms is an instrumental step to help limit a data breach as these devices are often lost or stolen. If you are interested in additional information I have covered the importance and scope of the encryption of data at rest requirements required by the 800-171 in a previous blog post.

At the time of the original release, in June of 2015, NIST SP 800-171 was published with 14 Control Families which contained 109 security controls in total. The newly released revision publication has added just one control bringing the total number to 110. This added requirement is contained in the Security Assessment Control Family (3.12) and is defined as follows:

3.12.4-  Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Additionally, SP 800-171 Rev 1 notes there is no prescribed format or a specified level of detail for ‘system security plans’. However, organizations must ensure the required information in Control 3.12.4 is appropriately conveyed in the plans that are developed.

Aside from the requirement being imposed to have a formally documented security plan, having such a plan is a good indicator of the maturity of your organization’s overall security program. No matter how large or small your company is, it is important to have a plan to define the security of your information assets. The plan development process will help make you think more holistically about your organization’s security and will bring the many elements of your security model to one place. This will help provide the framework for keeping your company at the desired security level required by the 800-171.

It is important to understand the new control requires the following components in a security plan:

  • Documentation of its systems and environments of operation, including boundaries
  • Description of how security measures are implemented to satisfy the controls of the regulation
  • Definition of relationships with, and/or connections to other integrated systems

While these elements meet the minimum requirements for the new control, it is imperative to recognize this is only a baseline. A security program plan is never ‘done’ per se and should be a living document. The new control further reinforces that thought by requiring organizations to ‘periodically update’ the plan. This concept is also true for the 800-171 regulation itself, shown with the release of the current revision we are discussing. The ever-changing nature of the document ensures your organization is continuously adapting to the dynamic IT environment and the associated threats that we are faced with every day.

Does your organization need assistance becoming compliant with NIST SP 800-171 before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with the specialized guidance you need and deliver industry-leading solutions. We have a specialized team of Cybersecurity Professionals with proven experience to guide and assist your business in achieving compliance.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

FAQs:

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft

CMMC Con 2021 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.