Quirky Notes about the CMMC
Having wrapped up my training for the Certified CMMC Professional credential, I found myself dwelling on some of the quirks in the #Cybersecurity Maturity Model itself. As a reminder, the #CMMC consists of certifying that an organization's security practices adhere to a specific level, 1 through 5. Level 1 is "easy" with 17 practices and 58 observations needed. Level 3 tracks NIST 800-171 and adds a few practices for a total of over 650 observations needed. The #DoD estimates that most organizations will need either an L1 or L3 certification.
The Domains fall into what we would expect: Access Control, Asset Management, Audit and Accountability, etc. Each domain has a set of practices, which are basic statements of the expected behavior. For example, "Encrypt CUI on mobile devices and mobile computing platforms." Then there are observations about that practice that an auditor will assess. For the previous example, the assessor will look to see if a) mobile devices are identified and b) encryption is used.
OK, so that is a basic overview. Here are a few (and I'm sure more will reveal themselves over time) of the quirks I find interesting.
No Level 2 Organizations
As mentioned, CMMC comes in 5 different levels that are cumulative, meaning Level 3 encompasses all the requirements of Levels 1 and 2 plus additional controls. Organizations need to get assessed and certified by independent assessors and authorities. Moving from Level 1 to Level 2 is a significant undertaking, as there are 58 observations at Level 1 and over 300 at Level 2. Level 3 has over 650.
The DoD does not anticipate requiring any organization to have a Level 2 designation. It is going to ask for L1, L3, L4, and L5 only on contracts. L2 was added as a "stepping stone" to help organizations get from L1 to L3. Again, the vast majority of organizations are expected to be at L1 or L3, with fewer than 75 organizations in the Defense Industrial Base needing L4 or L5. With the vast majority of organizations at L1 and L3, the requirements of L4 and L5 must be significant, right? You would think that basic and medium cybersecurity practices are all contained in L1 and L3, with super advanced, "high speed, low drag" requirements in L4 and L5. But that is not the case.
Rogue Access Points AC.5.024
It is not until we hit Level 5 that the CMMC requires an organization to monitor for rogue access points (RAPs). This is a known physical threat to an organization, also referred to as an Evil Twin attack. I deploy an access point and give it the same name as others in your organization. Users connect to it and I can start to glean information.
RAP protection is rather easy and is a basic cybersecurity control. It should certainly be at Level 3 of the CMMC to protect Controlled Unclassified Information.
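To show how basic this control is, here is an added example (not from the article or the CMMC model) of the core of a rogue-AP check: compare a wireless scan against an inventory of sanctioned BSSIDs and flag anything advertising the corporate SSID, or a lookalike of it, from an unknown radio. The SSIDs, MAC addresses and scan records are constructed sample data.

```python
"""Rogue / evil-twin access point check (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    """One beacon seen in a wireless scan."""
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so inventory and scan formats compare equal."""
    return mac.replace("-", ":").lower()


def looks_like(ssid: str, corporate: str) -> bool:
    """Lookalike test: ignore case and padding, e.g. 'acme-corp ' vs 'ACME-Corp'."""
    return ssid.strip().casefold() == corporate.strip().casefold()


def find_rogue_aps(observed, corporate_ssids, authorized_bssids):
    """Return (ap, reason) for every AP that uses a corporate SSID or a lookalike
    from a BSSID that is not in the sanctioned inventory."""
    allowed = {normalize_mac(b) for b in authorized_bssids}
    findings = []
    for ap in observed:
        if normalize_mac(ap.bssid) in allowed:
            continue  # sanctioned radio, nothing to report
        for corp in corporate_ssids:
            if ap.ssid == corp:
                findings.append((ap, f"unknown BSSID advertising corporate SSID {corp!r}"))
                break
            if looks_like(ap.ssid, corp):
                findings.append((ap, f"lookalike of corporate SSID {corp!r}"))
                break
    return findings


# Constructed sample: the sanctioned inventory and one scan snapshot.
CORPORATE_SSIDS = ["ACME-Corp"]
AUTHORIZED_BSSIDS = ["AA:BB:CC:00:00:01", "aa-bb-cc-00-00-02"]
SCAN = [
    ObservedAP("ACME-Corp", "aa:bb:cc:00:00:01", 6, -45),   # sanctioned
    ObservedAP("ACME-Corp", "aa:bb:cc:00:00:02", 11, -60),  # sanctioned
    ObservedAP("ACME-Corp", "de:ad:be:ef:00:01", 6, -40),   # evil twin
    ObservedAP("acme-corp ", "de:ad:be:ef:00:02", 1, -70),  # lookalike SSID
    ObservedAP("CoffeeShop", "12:34:56:78:9a:bc", 1, -80),  # unrelated network
]

if __name__ == "__main__":
    for ap, reason in find_rogue_aps(SCAN, CORPORATE_SSIDS, AUTHORIZED_BSSIDS):
        print(f"ALERT ch{ap.channel} {ap.signal_dbm}dBm {ap.bssid} {ap.ssid!r}: {reason}")
```

In practice the scan records come from a wireless controller or a periodic survey, and the inventory is the asset list the Asset Management domain already asks for.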
Security Awareness Training AT.4.059
Cybersecurity has been pushing for years to have all staff receive detailed awareness training. Level 4 AT.4.059 specifically calls out training on "social engineering, APT actors, and suspicious behaviors."
AT.2.056 at L2 calls for users to be made "aware of the security risks associated with their activities" and includes activities like phishing training and URL use.
CMMC promised it was not going to have redundant practices, but here we seem to find one. L4 and L5 Assessment Guidance has not been made available, so we are stuck with a conundrum on this one.
Incident Response IR.5.108
Another fascinating find is that only the estimated 33 organizations at Level 5 will be required to have Incident Response teams capable of responding to incidents within 24 hours. Lower levels, such as IR.2.092, call for the organization to have "incident-handling" capabilities, but it is only at L5 that a team must be established and responsive within 24 hours.
Supply Chain Risk RM.4.148
This one surprises me the most. Sadly, clarification on it is not available at this time, but the title lends itself to third party risk mitigation: "Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain." As we have seen in recent breach/incident history, the supply chain, aka third party providers, is a huge risk to organizations. The SolarWinds and Microsoft Exchange incidents of the recent past give us all the evidence we need to question why only organizations at L4 need to manage this risk.
Moving Forward
My hope is that CMMC is a living framework and that some of the higher level requirements will, after some time, move into the lower maturity levels to bolster the cybersecurity of those organizations. Regardless of an organization's L3 certification status, it can certainly adopt some of these common practices for its own protection.
Feel free to reach out if I can assist you on understanding or implementing CMMC in your organization. Implementing NIST 800-171 and the additional practices won't be difficult. Preparing for your assessment is a whole new level of complicated! Don't go it alone.
Chris
Reference: https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
Principal Consultant @ Ascentant | ISMS, GDPR, Agile, CMMI
3y: Thanks for sharing, Chris
President 171Comply | Cybersecurity | CMMC - NIST Policy Compliance | Technical Project Management | System Engineering, MBA, MSCS, PMP, CCP, CCA.
3y: Some good observations, it is a work in progress