
How to get on track in your CMMC journey

The latest iteration of the Cybersecurity Maturity Model Certification (CMMC) just came into force, and there is much to discuss about how security professionals can get up to speed on meeting its requirements.

Who is this blog for?

Are you working for an organization that acts as a prime or subcontractor for the Department of Defense (DoD)? Is your company a member of the Defense Industrial Base (DIB)? Does your company manage Controlled Unclassified Information (CUI) and or Federal Contract Information (FCI)? Have you been assigned to make your organization CMMC-compliant?

If the answer to any of those questions is yes, then this article is for you.

What is this about?

This post aims to help you understand how best to approach your CMMC compliance project from day one. If you need more background on CMMC, read this DoD article.

A lot has changed since version 1

We are currently at CMMC version 3. The biggest difference from the original is how it categorizes the level of security required of complying entities. Overall, there are 3 levels, and the more sensitive the data you handle, the higher the level you are likely to need to comply with.

Level 1: Consists of 15 basic security hygiene techniques and focuses on FCI but not CUI security.

Level 2: 110 requirements that come straight from NIST SP 800-171 and focus on CUI protection.

Level 3: 134 requirements drawn from NIST SP 800-172, again focusing on CUI; the key difference is that all implemented tools, policies, and procedures must be DoD approved.

Okay great, what now?

So we understand what the levels are, but we still need to work out which one is relevant to your organization. For that, let’s evaluate the type of data you manage.

For future reference, here are the official government definitions of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

In short, FCI is information provided by or generated for the U.S. government under a DoD contract that is not intended for public release. It can be contract specifications, technical proposals, internal project reports, or communication with DoD agencies.

Meanwhile, CUI is sensitive but unclassified information that requires protection under federal laws, regulations, and policies. It can be anything such as technical drawings, schematics, and engineering data; export-controlled information (ITAR, EAR, etc.); personnel records and PII (e.g., military personnel information); or procurement documents (RFPs, contracts, DoD reports).

What level am I?

The best thing to do at the start of a CMMC compliance project is to decide what type of information your organization manages. Is it FCI, is it CUI, or is it both? If it is only FCI, you need to comply with CMMC at level 1, as simple as that. If you have CUI, then it depends on its severity. If the information you possess could, in any shape or form, threaten US national security, you likely need to aim for level 3; otherwise, level 2 is your best bet.

How do I decide?

The best way to start is by doing a data classification sweep of your entire infrastructure. Identify all the data you have, where it resides, and who has access to it. This way, you can first label it all accurately (e.g., it is PII, it is FCI, or it is CUI). Next, you can assign confidentiality levels to it, meaning how business- or nation-critical it is. Then you can see where it is currently sitting in your environment. Is it exposed to public access or not? Finally, you can define who can access it and to what degree. Good classification should always be accompanied by good old rights-based redaction.

The last thing you want is to have some of your data eventually showing up on a War Thunder forum.
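One way to run the first pass of such a sweep, as an added example that is not part of this post or of any Netwrix product: a small Python script that labels a constructed sample inventory as FCI, CUI or PII by marker patterns, assigns a confidentiality level, checks whether a broad principal appears in each item's ACL, and lists the sensitive items whose rights need fixing first. The paths, document snippets, ACL group names, marker patterns, confidentiality mapping and the set of "broad" principals are all assumptions constructed for illustration; a real sweep would crawl your actual shares and use your organization's own marking scheme.

```python
import re

# Constructed sample inventory standing in for a crawl of file shares.
# Every path, document snippet and ACL entry below is made up for this example.
SAMPLE_FILES = [
    {"path": r"\\fs01\eng\turbine_schematic.txt",
     "content": "CUI//SP-EXPT  Export controlled under ITAR. Blade geometry follows.",
     "acl": ["ENG\\Design", "Everyone"]},
    {"path": r"\\fs01\contracts\proposal.txt",
     "content": "Technical proposal for Contract No. W912XX-24-C-0001. Not for public release.",
     "acl": ["CONTRACTS\\Staff"]},
    {"path": r"\\fs01\hr\roster.csv",
     "content": "name,ssn\nJ. Doe,123-45-6789\n",
     "acl": ["HR\\Admins"]},
    {"path": r"\\fs01\marketing\brochure.txt",
     "content": "Public product brochure, cleared for release.",
     "acl": ["Everyone"]},
]

# Assumed marker patterns for each label. Real markings vary; tune these to
# the banners and keywords your organization actually uses.
RULES = [
    ("CUI", re.compile(r"\bCUI//|Controlled Unclassified|\bITAR\b|\bEAR\b")),
    ("PII", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),  # US SSN shape
    ("FCI", re.compile(r"Contract No\.|not for public release", re.IGNORECASE)),
]

# Assumed confidentiality mapping: how business- or nation-critical each label is.
CONFIDENTIALITY = {"CUI": "high", "PII": "high", "FCI": "moderate", "PUBLIC": "low"}
RANK = {"low": 0, "moderate": 1, "high": 2}

# Assumed set of principals whose presence in an ACL amounts to public access.
BROAD_PRINCIPALS = {"Everyone", "Anonymous Logon", "Guests"}


def classify(content):
    """Return every label whose pattern appears in the content, or PUBLIC."""
    labels = [name for name, pattern in RULES if pattern.search(content)]
    return labels or ["PUBLIC"]


def confidentiality(labels):
    """Highest confidentiality level implied by any of the labels."""
    return max((CONFIDENTIALITY[label] for label in labels), key=RANK.__getitem__)


def sweep(files):
    """Label each file, rate it, and record whether a broad principal can read it."""
    findings = []
    for f in files:
        labels = classify(f["content"])
        findings.append({
            "path": f["path"],
            "labels": labels,
            "level": confidentiality(labels),
            "exposed": bool(BROAD_PRINCIPALS.intersection(f["acl"])),
        })
    return findings


def needs_attention(findings):
    """Sensitive items readable by a broad principal: rights fixes start here."""
    return [f for f in findings if f["level"] != "low" and f["exposed"]]


if __name__ == "__main__":
    results = sweep(SAMPLE_FILES)
    for r in results:
        print(f"{r['level']:8} {','.join(r['labels']):8} exposed={r['exposed']!s:5} {r['path']}")
    print("\nNeeds attention:")
    for r in needs_attention(results):
        print(" ", r["path"])
```

The output of `sweep` is the inventory the post asks for (what the data is, how critical it is, where it sits, who can reach it), and `needs_attention` is the short list that the rights-based clean-up should work through first: in the constructed sample, only the ITAR-marked schematic readable by Everyone qualifies.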

One down, at least 109 to go

Identifying your data, its location, and the people who can access it is a great jumpstart, but this is only where the fun begins. Coming from someone who has read CMMC at least 5 times already, the difference between NIST 800-171 and 800-172 isn’t as big as one might think. 800-172 only adds 24 extra requirements, all of which build on requirements that already exist in 800-171 but are described in a stricter form.

The best bet for everyone, regardless of the level you are meant to meet, is to treat it as level 2 first. If you need to be below it, then just focus on the 15 requirements that are relevant to you. It is still worthwhile doing them according to 800-171, as it makes a later transition to level 2 much easier. Meanwhile, if you need to aim higher, first meet level 2 and then address the remaining requirements afterward. The reason for both is simplicity and an easier transition in the long run.


How do we help?

I wouldn’t do my job justice if I didn’t mention how we can help organizations comply. If any company ever tries to tell you that they will solve all your compliance needs, you are probably talking to a liar. Sadly, there is no such thing as a one-box compliance solution.

But companies like Netwrix offer multiple solutions, each covering different security and regulatory areas, which combined can cover a significant portion of the CMMC requirements, whether 800-171- or 800-172-based.

Here is a quick rundown of how our portfolio supports CMMC requirements. If you would like to know more, check out our detailed compliance mapping documents here.

Istvan Molnar is an experienced IT Security Compliance Specialist and Product Marketing Manager at Netwrix, with over a decade of expertise in international standards, regulations, and cybersecurity frameworks. He specializes in bridging the gap between complex compliance requirements and the Netwrix product portfolio, offering strategic guidance, compelling content, and support for compliance-driven initiatives and go-to-market strategies.