How to go from NIST 800-171 to Cybersecurity Maturity Model Certification (CMMC)

Background:

I recently joined Nyla Technology Solutions as the Cybersecurity Fellow and Chief Information Security Officer (CISO) after retiring from the federal government. While working for the federal government, I served in a position of authority creating cybersecurity standards, which means I had insight into the intent of the Cybersecurity Maturity Model Certification (CMMC.)

One of my first assignments at Nyla was to determine what we needed to do in order to comply with this new Department of Defense (DoD) acquisition regulation that is replacing National Institute of Standards and Technology (NIST) Special Publication(SP) 800-171 for protecting unclassified information in nonfederal information systems and organizations.

First, what is CMMC?

The CMMC combines various cybersecurity control standards like NIST SP 800-171 and others into one unified standard for cybersecurity.

In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes. Aside from being a more comprehensive cybersecurity standard, the biggest change is the elimination of a self-assessment as was done with NIST SP 800-171. We are all now required to attain a third-party assessment to measure our company’s level of maturity and compliance. Despite cybersecurity changes, there are people/businesses who have still been targeted and breached. That is why there are services from law firms such as Sidley Austin that can assist with privacy and cybersecurity legalities during this time.

How is this different from NIST 800-171?

The most basic answer is that with the CMMC we must understand and practice cybersecurity, not just perform a periodic self-assessment as required by NIST 800-171. In addition, we will have to show evidence to independent assessors that we are practicing and improving our cybersecurity obligations. Proof of what we are doing and how well we are performing against the CMMC is required to compete for contracts.

Remember that from a DoD perspective, this a journey to steadily raise the cybersecurity bar over time. Many small companies will only need to attain the CMMC for Level 1 or Level 2 for their contracts, so their CMMC responsibilities could actually be less than what was documented in NIST 800-171, but the fact that everyone is practicing their required duties will vastly raise the bar.

Why do we have to do this?

The reality is that malicious cyber actors continue to target the Defense Industrial Base (DIB) sector and the supply chain of the DoD successfully stealing intellectual property and sensitive information despite the NIST 800-171 compliance regulation. The CMMC is focused on further enhancing the DIB sector’s ability to protect certain types of unclassified information within the supply chain.

How do I start?

I spent the first week grappling with the details of what was proposed in the CMMC and fortunately the CMMC Version 1.0 happened to get released that same week. While this document is big, at a whopping 338 pages, I found it to be extremely useful and well written.

There were two sections that helped me immensely. The first was Appendix E – Source Mapping which has all of the mappings between the CMMC and other items like various NIST Standards, Federal Acquisition Regulation (FAR) clauses, Center for Internet Security (CIS) controls, and more. This Appendix saved me a huge amount of time.

The second invaluable part of the document was Appendix B – Process and Practice Descriptions which clearly describes each individual process and practice in a way that most should be able to understand.

Begin by understanding that your primary goal is to protect the (government) data which means that you need to know what data you have.

There are two types of unclassified information:

FCI – Federal contract information

FCI is information not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

CUI – Controlled Unclassified Information

Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Side note: The CMMC – Doesn’t apply to PII.

However, our company, Nyla, is also going to use the same protections for PII as part of our corporate responsibility even though PII is NOT listed in the CMMC documentation.

PII – Personally Identifiable Information

The term “PII” refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

Common examples of data considered to be PII include an individual’s full name, street address, social security number, passport and driver’s license numbers, credit card and bank account numbers, telephone numbers, and biometric data. Other information, such as a date of birth and place of birth, or information on an individual’s race or religion, may seem harmless, but can often be used in conjunction with other data to identify a person.

High level steps to get started with the CMMC process:

1. Know what types of sensitive data you have, and store that information in secure locations following the guidelines in the CMMC. It is very likely that the majority of your sensitive information is stored in contract and proposal shared file drives. Access to these files should be restricted, monitored, and the files and folders should be properly protected.
2. As you review your data, make a determination if you actually need access to that information and if not, archive the data as a matter of good practice. You will need to make determinations about active and inactive files, as well as the best methods to archive. Data could be purged, or moved to some other secure location. There is no point to subjecting CUI and FCI to unnecessary risk if you no longer need access to the data.
3. Start documenting! The vast majority of your processes and procedures need to be updated in your System Security Plan (SSP). You should develop an SSP if you don’t have one already.

Each CMMC Maturity Level requires an increased amount of evidence or documentation for the third party assessors. The Maturity Levels are summarized as follows:

• Maturity Level 1 – No process maturity
• Maturity Level 2 – Standard operating procedures, policies, and plans are established for all practices
• Maturity Level 3 – Activities are reviewed for adherence to policy and procedures are adequately resourced
• Maturity Level 4 – Activities are reviewed for effectiveness and management is informed of any issues
• Maturity Level 5 – Activities are standardized across all applicable organizational units and identified improvements are shared

Most small companies who wish to remain competitive for DoD contracts will likely target Maturity Level 3 compliance. Level 3 consists of 130 different practices showing that your company has managed processes for good cyber hygiene. For example, you will need documented policies for things like Access Control, Identification & Authentication, Media Protection, and more, as detailed in Appendix B.

Are you now asking – Should I get help with this?

The likely response is yes. The CMMC is critical to our nation as the theft of intellectual property and sensitive information from the DIB by malicious cyber actors threatens our economic and national security. There are no easy answers or simple fixes to thwart the adversaries efforts.

Each of us will start with a varied amount of cybersecurity knowledge and skill so I recommend taking the following steps to determine the type of help or service needed.

• Read the CMMC Version 1.0 document
• Understand what you have to do. View or attend any of the available seminars or webinars that are readily found via a web search
• Assess if you have the internal resources to prepare for an assessment, and if needed…
• SECURE the services of security professionals to guide and educate you through the process so that you can do your part to SECURE THE DATA!