Thursday, December 19, 2024

An introduction to CMMC for the small and medium-size contractor (CORRECTED COPY)

I was published this morning in the NH Business Review regarding CMMC for small- and medium-sized defense contractors. Within minutes of its publication, I received LinkedIn feedback that some of my facts were mixed up. Upon further review (and a telephone conversation), the commenter was right. And I figured that if this confuses me, I can't imagine what others must be thinking. The contractor base has been listening to a cacophony of marketing and communications for years, inundated with LinkedIn messaging from many who've never been more than editors and/or self-promoted pundits.

So let's put CMMC aside for a moment. Here's the bottom line: This is directly from the source.

The requirements exist today, independent of CMMC: 15 basic safeguarding requirements for FCI, and the 110 NIST SP 800-171 requirements (with a self-assessment score posted in SPRS) for DoD contracts involving CUI.

 

  • ANY contractor, not just defense contractors, that handles FCI must comply with the 15 security requirements in FAR clause 52.204-21(b)(1).
  • Defense contractors get a special bonus. Contracts involving CUI require all 110 security requirements specified in NIST SP 800-171.

This, according to the Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations (shown below).


So what about CMMC? CMMC was described to me today, by a Cyber AB board member, as a two-step process. The first step just happened: the CMMC program rule published in the Federal Register on October 15 took effect on December 16. The next announcement (which hasn't happened yet) will spell out the timelines for CMMC showing up in contracts. This is expected sometime in 2025.


Federal contracts (including defense contracts) involving the transfer of FCI to non-Government organizations follow the requirements specified in 48 CFR 52.204-21 (Federal Acquisition Regulation (FAR) clause 52.204-21), Basic Safeguarding of Covered Contractor Information Systems. FAR clause 52.204-21 requires compliance with 15 security requirements, FAR clause 52.204-21(b)(1), items (i) through (xv). These requirements are the minimum necessary for any entity wishing to receive FCI from the US Government. Defense contracts involving the development or transfer of CUI to a non-Government organization require applicable requirements of DFARS clause 252.204-7012. This clause requires defense contractors to provide adequate security on all covered contractor information systems by implementing the 110 security requirements specified in NIST SP 800-171.

 



"To comply with DFARS clause 252.204-7012, contractors are required to develop a SSP[15] detailing the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for the required NIST SP 800-171 self-assessment. To comply with 48 CFR 252.204-7019 (DFARS provision 252.204-7019) and DFARS clause 252.204-7020, self-assessment scores must be submitted.[16] The highest score is 110, meaning all 110 NIST SP 800-171 security requirements have been fully implemented. If a contractor's Supplier Performance Risk System (SPRS) score is less than 110, indicating security gaps exist, then the contractor must create a plan of action[17] identifying security tasks that still need to be accomplished. In essence, an SSP describes the cybersecurity plan the contractor has in place to protect CUI. The SSP needs to address each NIST SP 800-171 security requirement and explain how the requirement is implemented. This can be through policy, technology, or a combination of both."


BREAK BREAK: What's the difference between FCI and CUI? Click here to find out. That's another blog.


This is all very confusing. SPRS and the use of NIST 800-171 are very real. CMMC audits are coming, but for now, the 15 FCI safeguards are required by FAR 52.204-21, and for contracts involving CUI, the NIST SP 800-171 self-assessment score in SPRS is required by DFARS 252.204-7019 and 252.204-7020.
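As an added example (this is not code from the post, the Federal Register, or DoD), here is how the self-assessment score described in the quoted passage above is derived and how the POA&M falls out of it. The scoring rule is the one in the NIST SP 800-171 DoD Assessment Methodology: start at 110 and subtract 5, 3 or 1 points for each requirement that is not fully implemented, with reduced partial-credit deductions only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The handful of requirements, their weights and their statuses in `SAMPLE_ASSESSMENT` are a constructed sample, not a real assessment and not the full 110; the function names are my own.

```python
"""
How a NIST SP 800-171 self-assessment turns into an SPRS score and a POA&M.

Added example for this post (not code from the blog, the Federal Register, or
DoD).  Scoring follows the NIST SP 800-171 DoD Assessment Methodology: start at
110, subtract the weight (5, 3 or 1) of each requirement that is not fully
implemented; only 3.5.3 (MFA) and 3.13.11 (FIPS crypto) may take a reduced
3-point deduction for partial implementation.  The requirement list, weights
and statuses below are a CONSTRUCTED sample, not a real assessment and not the
full 110; take real weights from Annex A of the methodology.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_SCORE = 110
MIN_SCORE = -203                               # every requirement unimplemented
VALID_STATUSES = ("implemented", "partial", "not_implemented")
VALID_WEIGHTS = (1, 3, 5)
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}    # reduced deduction instead of 5


@dataclass(frozen=True)
class Requirement:
    ident: str    # NIST SP 800-171 requirement number, e.g. "3.1.1"
    title: str
    weight: int   # 5, 3 or 1
    status: str   # one of VALID_STATUSES


# Constructed sample assessment (assumption: weights shown are illustrative).
SAMPLE_ASSESSMENT: List[Requirement] = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, "implemented"),
    Requirement("3.1.2", "Limit access to permitted transactions and functions", 5, "implemented"),
    Requirement("3.3.1", "Create and retain system audit logs", 5, "not_implemented"),
    Requirement("3.5.3", "Multifactor authentication", 5, "partial"),
    Requirement("3.8.9", "Protect backups of CUI at storage locations", 1, "not_implemented"),
    Requirement("3.11.2", "Scan for vulnerabilities periodically", 5, "partial"),
    Requirement("3.13.11", "FIPS-validated cryptography to protect CUI", 5, "partial"),
    Requirement("3.14.1", "Identify, report and correct system flaws", 5, "implemented"),
]


def validate(reqs: List[Requirement]) -> None:
    """Reject assessments that cannot be scored: bad weight/status or duplicate ids."""
    seen = set()
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.ident}: weight must be 1, 3 or 5, got {r.weight}")
        if r.status not in VALID_STATUSES:
            raise ValueError(f"{r.ident}: unknown status {r.status!r}")
        if r.ident in seen:
            raise ValueError(f"{r.ident}: listed twice")
        seen.add(r.ident)


def deduction(req: Requirement) -> int:
    """Points lost for one requirement under the DoD Assessment Methodology."""
    if req.status == "implemented":
        return 0
    if req.status == "partial" and req.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.ident]
    # Anything else that is not fully implemented loses its full weight;
    # "partial" earns no credit outside the two exceptions.
    return req.weight


def sprs_score(reqs: List[Requirement]) -> int:
    """110 minus all deductions; the methodology's floor is -203."""
    validate(reqs)
    score = MAX_SCORE - sum(deduction(r) for r in reqs)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside the methodology's range")
    return score


def poam(reqs: List[Requirement]) -> List[Tuple[str, str, str, int]]:
    """One POA&M line per requirement with a deduction: (id, title, status, points)."""
    validate(reqs)
    return [(r.ident, r.title, r.status, deduction(r)) for r in reqs if deduction(r) > 0]


def poam_report(reqs: List[Requirement]) -> str:
    """Plain-text report of the kind you would keep beside the SSP."""
    lines = [f"SPRS score: {sprs_score(reqs)} / {MAX_SCORE}"]
    open_items = poam(reqs)
    if not open_items:
        lines.append("All requirements implemented; no POA&M entries required.")
    for ident, title, status, pts in open_items:
        lines.append(f"  {ident:<8} -{pts}  {status:<16} {title}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(poam_report(SAMPLE_ASSESSMENT))
```

For the sample, the score is 93 with five POA&M lines. Note that "partial" on any requirement other than the two exceptions still costs the full weight; that is the mistake most often made when companies score themselves.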


Need help? Reach out... staysafeonline@trustedinternet.io.









Sunday, October 27, 2024

A Stutzman Rant on Marketeer FUD messaging and a lack of Contracting specificity on CMMC requirements

Someone just sent me an article about the new CMMC 2.0 regulations and another article about the basics of conducting an audit and figuring out where your data is. They're talking about privacy information and CMMC. The article was less than a page long. It was horribly light and very generic.

CMMC becomes law on December 16th. The time for review and discussion is over. It's time for marketeers to turn off the fear, uncertainty, and doubt marketing tactics and start being helpful. Like it or not, it's time to line up and make our contractor community cyber-safe. I'm growing tired of watching publishers, pundits, and influencers (and wanna-be influencers), many of whom have never been operational security practitioners, architects, or incident responders, repeatedly trying to sell you things through fear, uncertainty, and doubt. It's making me a little crazy.


I've talked to dozens and dozens of companies about CMMC. Here's what I know:


  • No CEO doubts that cyber requirements are a good thing. Most just don't know where to start.
  • The idea that they would have to swallow the entire cost of 110 controls to go straight to level 2 is daunting. They're looking at easily $100,000 plus audits for even some of the smallest companies.


So there's an opportunity to go to Level 1 now and then Level 2, as long as the contracting officers don't screw this up. The one consistent comment I've received in nearly every conversation worries me: government contracting officers have yet to learn what CUI is.

This was the concern in 2009, when we started having these conversations across the tables in big conference rooms: what exactly is CUI? There is a list: https://www.archives.gov/cui/registry/category-list. It's pretty generic. There's a boatload of room for interpretation, and it's easy to see why a CO might not want to try to label something CUI. It's much easier to simply over-classify.


This list can't be genericized. Not every contract requires CMMC Level 2 or a perfect SPRS score.  

If COs start blanket-requiring CMMC Level 2 for everything (and I'm hearing that it is becoming normal to do so) because they have little or no training on what Level 1 and Level 2 actually require, a lot of small businesses are going to be driven out of the work.


My recommendation for any defense contractor is, and will continue to be:


  • Get level 1,
  • Go to level 2 when required,
  • Be able to show your work.


Don't cheat. Don't cut corners. DOJ will get you. They're making it advantageous for whistleblowers to let them know that you've got a problem, and real cash awards are involved.


If you need help, contact us. We've been working in this space. My leadership team consists of serial senior chief information security officers. We know how to write policies and procedures. We've been tracking on CMMC for a long time, and we can make this much easier for you. Better yet, we can just tell you how to get started. 


Drop us a note. staysafeonline@trustedinternet.io

https://trustedinternet.io/compliance


Monday, October 21, 2024

CMMC: Level 1 May be a Game Changer!

What is CUI? From the horse's mouth...

When the Fed trade rags start publishing on CMMC showing up in the Federal Register, you know it's time. Today, it showed up on the Federal News Network.

Defense contractors everywhere are being hacked. Cyber espionage is very real and has been for long enough for foreign adversaries to steal nearly every piece of US (and other) military tech that will come to life in the next 20 years.

Alliances have formed, and espionage actors are targeting defense everywhere. Heck, I can even buy games today with accurate controls and flight patterns. 

Here's the deal: CMMC now offers three levels of certification instead of one all-or-nothing bar of a 110 SPRS score. And let me tell you, this is big news for many of you out there.

The FCI and CUI handling requirements under CMMC seem strict, but they're better than they may seem. The graphic above shows what CUI is and isn't. FCI is a bit broader, and this is from the horse's mouth (blogs.archives.gov). It's still confusing to me, but the bottom line is: if you don't handle CUI, you may still have to comply with the FCI requirements, which are significantly lighter than those for CUI. Think CMMC Level 1.

And CMMC Level 1 is a Game-Changer

Unless the government screws this up (by calling everything CUI, which it may very well do), it could be a real lifesaver for many of you.

Here's why:

  1. Level 1 is all about the basics. It's like cyber kindergarten: you learn to wash your hands before you start performing surgery, if you catch my drift.
  2. Self-Assessment: You can assess yourself for Level 1. That's right; there is no need to call the cavalry for this. It's like grading your own homework, but don't get any crazy ideas: it needs to be done annually and it needs to be right. Uncle Sam is still watching and making it potentially profitable for whistleblowers to turn you in for gun-decking your self-assessment.
  3. 15 Controls: Instead of that intimidating perfect 110 SPRS score, Level 1 only requires you to implement the 15 basic safeguarding requirements from FAR 52.204-21. It's like going from a marathon to a 5K: still a challenge, but a lot more manageable.

"Jeff, why should I care?" 

Let me break it down for you:

  1. Easier Entry: This lower level means more businesses can get their foot in the DoD contract door. It's like they've lowered the height requirement for the cyber rollercoaster.
  2. Focus on Basics: Starting with Level 1, you build a solid foundation. It's like learning to walk before you run. In fact, much of the basic cyber blocking and tackling comes in at Level 1! 
  3. Scalability: As you grow and handle more sensitive info, you can move up to Level 2 or 3. It's a cybersecurity growth plan, folks.

Remember, with cybersecurity, something is always better than nothing. Level 1 might seem basic, but it's significantly better than leaving your digital door open with a "Hackers Welcome" mat.

So, to all you contractors out there, especially the smaller fish in this big DoD pond, take a good hard look at CMMC Level 1. It might just be your ticket to the big leagues without breaking the bank or your sanity.

Alright, folks, let's talk about CMMC. It's not just some fancy acronym anymore; it's the law. That's right, CMMC has hit the Federal Register, bringing some changes that'll make you sit up and take notice.

Here's the big news: not every defense contractor has to implement all 110 NIST SP 800-171 requirements and post a perfect SPRS score.

If you handle only FCI, you might not have to.

Need more information? Contact Trusted Internet for a 30-minute consult with one of our CISOs.

https://www.trustedinternet.io/contact.



Sunday, October 13, 2024

Federal Register announcing CMMC - to be published Tuesday Morning. How'd we get here?

Well, if there was ever a question...  Here's the Federal Register, which will appear Tuesday morning. 

https://www.govinfo.gov/content/pkg/FR-2024-10-15/pdf/2024-22905.pdf

OK, folks, at this point, there will be no more government mealy-mouthing, miscommunication, or fragmentation in messaging. It's real, and it will become law on December 16th.

Here's how I see it:

  1. CMMC was born only after self-attestation failed (and it was tried multiple times, starting in 2009).
  2. CMMC, while not optimal, can actually help (wait for it, this is big).
  3. I had an old boss who used to tell me, "Don't let perfect get in the way of good."

So how did we get here?

I'm going to tackle point number one today. 

CMMC was born only after self-attestation failed (and it was tried multiple times, starting in 2009).

I worked at the DoD Cyber Crime Center. In 2009, we developed a self-attestation request based on a relatively straightforward set of information security best practices. It could have been better, but it was a first step, and it was based mainly on the SANS Top 20 and later, as it evolved, NIST 800-171.

We sent a request to all of the large contractors and asked them to tell us what they had (mostly to help us analyze incident reports if/when necessary). Every company submitted one.

This practice was retained, and we hoped for the best. 

Sadly, as the practice grew, self-attestation, as it turns out, didn't work.

Fast Forward to 2018... 

In June 2018, a significant cybersecurity breach involving the U.S. Navy and one of its contractors was reported, resulting in the loss of sensitive data related to the Sea Dragon project [1][2]. Chinese government hackers were identified as the perpetrators of this sophisticated cyberattack [2].

The Breach

The hackers successfully compromised the computers of a Navy contractor, gaining access to a substantial amount of highly sensitive information [2]. The stolen data amounted to 614 gigabytes, primarily related to the classified Sea Dragon project [1][3][4]. This project was a closely held initiative believed to be associated with undersea warfare capabilities [4].

In addition to the Sea Dragon project data, the hackers also obtained:

  • Signals and sensor data
  • Submarine radio room information
  • Data related to cryptographic systems
  • Electronic warfare library

This breach was particularly concerning due to the nature and volume of the compromised information, which could provide significant insights into U.S. naval capabilities and technologies [2][5].

Implications and Response

The incident highlighted the vulnerabilities in the defense supply chain, particularly with contractors handling sensitive information [1]. In response to this and other similar breaches, the Department of Defense (DoD) took steps to enhance cybersecurity measures:

  • Development of the Cybersecurity Maturity Model Certification (CMMC) in 2019
  • Implementation of stricter security protocols for contractors
  • Increased focus on supply chain security

The CMMC was designed to ensure that companies working with the DoD, including contractors, meet specific cybersecurity standards based on the sensitivity of the information they handle [1].

This breach was not an isolated incident. It was part of a larger pattern of cyber attacks targeting U.S. defense contractors and universities working on military projects[1]. The Chinese government consistently denied involvement in these attacks, but the frequency and sophistication of such breaches raised significant concerns about the security of sensitive military information [1][5].

The Sea Dragon data breach is a stark reminder of the ongoing challenges in cybersecurity, especially in the defense sector, and the persistent efforts of foreign actors to obtain classified information through digital means.

(Sourced with Perplexity.ai to summarize the story of the Sea Dragon)

[JLS Comments] 

Sadly, self-attestation didn't work. When the Navy validated the self-attestation reports (as I heard it secondhand), only a few of the thousands of contractors in the program (I heard less than 3%) had actually done what they said they'd done in their self-attestations of their cyber posture. 

This is one of THOUSANDS of stories of lost data in our defense supply chain. Have a look back through my blog, and in particular at this post: https://henrybasset.blogspot.com/2013/04/red-sky-weekly-woshihaoren.html. It's my most-read post and showcases a beer-and-cigar conversation with a friend who lived this. This CISO had hackers logging into his network during business hours, leaving only when their work week was over and returning after the weekend.

CMMC is the "Trust but Verify" model that came out from the Navy Sea Dragon story.

BT

I am the CEO of Trusted Internet, LLC, a Managed Security Service Provider that serves defense contractors. We have no government contracts and don't handle CUI, but we can show you our POA&M toward full NIST 800-171 implementation. We've done the work to help small contractors survive this. For more information, contact us at staysafeonline@trustedinternet.io or sign up for a no-cost baseline assessment workshop at https://trustedinternet.io/compliance

Citations:

[1] https://redriver.com/security/navy-contractor-hacked

[2] https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html

[3] https://www.nexusitc.net/sensitive-data-stolen-from-naval-contractor-by-chinese-hackers/

[4] https://www.c4isrnet.com/cyber/2018/06/08/chinese-hackers-steal-sensitive-navy-program-data/

[5] https://www.reuters.com/article/world/china-hacked-sensitive-us-navy-undersea-warfare-plans-washington-post-idUSKCN1J42MK/


Saturday, October 12, 2024

CMMC Final Rule: What Defense Contractors Need to Know and Do Before December 2024

The final rule for the Cybersecurity Maturity Model Certification (CMMC) program is set to be published in the Federal Register on October 15, 2024. Once it is, it takes effect 60 days later.

The final CMMC rule represents a significant step in enhancing cybersecurity in the defense sector. While it introduces new compliance requirements, it offers a more flexible and cost-effective approach for many contractors, especially small businesses handling only FCI. Companies should start preparing to meet the necessary requirements when the rule takes effect. 

 

Here's a breakdown of what this means:

 

CMMC Overview

 

CMMC is a program designed to enhance cybersecurity across the Defense Industrial Base (DIB). It aims to verify that defense contractors comply with existing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) protections.

 

Key Changes and Benefits

 

Simplified Certification Levels

  • Level 1 (Foundational): Requires the 15 basic safeguarding requirements from FAR 52.204-21
  • Level 2 (Advanced): Requires the 110 security requirements from NIST SP 800-171
  • Level 3 (Expert): Requires the 110 NIST SP 800-171 requirements plus 24 selected requirements from NIST SP 800-172

The new structure potentially reduces costs for many small businesses:

  • Level 1: Annual self-assessment and affirmation, which is far more cost-effective than a third-party audit
  • Level 2: Either a self-assessment (every three years, with annual affirmation) or a third-party (C3PAO) certification assessment, depending on what the contract requires
  • Level 3: Requires a government-led (DIBCAC) assessment on top of a Level 2 certification

 

This tiered system allows companies to implement security measures commensurate with the sensitivity of the information they handle.

 

 Impact on Contractors


  • Contractors must determine the CMMC level(s) they will need for future contracts. In most cases, their prime will tell them, and the level will be mandated by the contract.
  • They need to ensure all information systems supporting DoD contracts are accounted for in compliance planning.
  • Subcontractor compliance must be assessed; the requirement flows down.
  • Internal policies and procedures should be reviewed and updated to ensure compliance.

 

Implementation Challenges and Solutions

 

The implementation of CMMC presents significant challenges, particularly for smaller defense contractors. 

 

Here's an overview of the situation and potential solutions:

  • Even Level 1 certification requires a real investment, which can be difficult for smaller companies to manage.
  • Cybersecurity requirements have been law since 2012, but they were never taken seriously. Government waffling and poor communication left companies uneasy about the potential spend. As a result, it was not treated as a business necessity, and many companies are still not adequately prepared after years of poor communication and multiple delays.
  • Smaller companies often lack the in-house expertise to implement complex cybersecurity measures.

 

For many small defense contractors, outsourcing CMMC compliance to a specialized Managed Security Service Provider (MSSP) like Trusted Internet is generally the fastest and most cost-effective route to compliance. 

 

What’s the difference between your current MSP and an MSSP? 

 

  • An MSP (Managed Service Provider) focuses on general IT management, including network administration, software updates, and helpdesk support. 
  • An MSSP (Managed Security Service Provider) specializes in cybersecurity and offers services such as threat monitoring, incident response, and compliance management. 
  • MSPs ensure IT efficiency, while MSSPs protect against cyber threats.

 

How does Trusted Internet help?


Trusted Internet offers a no-cost CMMC Baseline Assessment Workshop to help small defense contractors get started on CMMC compliance:

  • A half-day in-person or online session where contractors answer assessment questions using a virtual dashboard
  • Participants receive a scorecard and a detailed spreadsheet outlining the necessary steps for compliance.
  • The workshop provides baseline policies written for the chosen compliance level.

At the end of the day, contractors will leave with a baseline assessment, written policies, a simplified compliance roadmap, and a control-by-control spreadsheet that can be copied into SPRS.

 

What comes next? The final steps involve:

  • Procedure Development: Creating specific procedures based on the policies.
  • Technology Implementation: Implement Trusted Internet's comprehensive technology stack within 3-4 weeks to rapidly enhance your organization's security posture and meet CMMC compliance requirements.

The CMMC final rule presents challenges, especially for small defense contractors. However, outsourcing your security to Trusted Internet and participating in specialized workshops can provide a cost-effective and much more efficient path to compliance than going it alone. These approaches offer small businesses the expertise and resources to meet CMMC requirements without overwhelming their internal capabilities or budgets.

 

Want to sign up for a Trusted Internet CMMC Workshop? Sign up here to be notified of upcoming events. 

 
