What DoD Contractors Need to Know About the CMMC

The DoD unveiled its proposed Cybersecurity Maturity Model Certification (CMMC) to prevent supply chain attacks

Cyberattacks on the U.S. government’s vast network of contractors and subcontractors pose a serious threat to national security, and the DoD is taking action. The agency tasked NIST with developing a set of guidelines addressing advanced persistent threats against contractors who handle high-value data assets, and it recently unveiled plans for its own set of standards, the Cybersecurity Maturity Model Certification (CMMC).

What is the CMMC?

The CMMC will be developed in partnership with Johns Hopkins Applied Physics Lab and Carnegie Mellon University Software Engineering Institute. The goal is to combine a number of existing cyber security control standards, such as NIST 800-171, NIST 800-53, ISO 27001, ISO 27032, and FedRAMP, into one unified standard.

In addition to assessing a contractor’s implementation of controls, the CMMC will also assess the maturity of the company’s institutionalization of cybersecurity practices and processes. Assessments will be conducted by third-party auditors, and companies will receive a score indicating the maturity and sophistication level of their controls. There will be five CMMC levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced.”

The DoD has indicated that the CMMC will be a dynamic framework so that it is able to adapt to new and emerging cyber threats. A neutral third party will be responsible for maintaining the standard.

How will the CMMC affect DoD contractors?

DoD prime contractors have been held to higher cyber security standards since 2017, but typically, those primes outsource some of their work to subcontractors, who then have subcontractors under them. It’s these contractors, at tier two or below, that the CMMC is primarily aimed at. Many times, they are small companies that do not have robust cyber security defenses, which is why hackers target them. However, while the DoD has stressed that all areas of the federal supply chain must be secured, they have not yet gone into specifics regarding how the CMMC will flow down to subcontractors.

The DoD wants to implement CMMC in January 2020, include CMMC level requirements in RFIs by June 2020, and include them in sections L and M of RFPs by September 2020. CMMC levels will be used as a “go/no-go decision.”

The CMMC level required will depend on the nature of the CUI (controlled unclassified information) the contractor will be handling or processing. However, all companies conducting business with the DoD will be required to be CMMC certified, even if they do not handle CUI.

Recognizing that smaller subcontractors may be on tight budgets, the DoD is striving to make CMMC certification affordable. Additionally, IT security will be an allowable expense on contracts moving forward, so companies can modify their rates to reflect the new standards.

Getting ready for the CMMC

The DoD is conducting a “CMMC Listening Tour” to solicit feedback from defense contractors; sessions are currently scheduled through August.

Early preparation for the new requirements will be the key to success. Now is the time to reevaluate your data environment, cyber security policies and procedures, and compliance processes. Since the CMMC will be partially based on NIST 800-171, ensuring that your company meets at least those standards will make the CMMC certification process smoother.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

How Are IT Compliance and Cyber Security Different?

IT Compliance and Cyber Security: Understanding the Differences

IT compliance and cyber security are often used interchangeably, even within the cyber security and compliance fields. This is the basis for the completely incorrect and dangerous notion that achieving compliance automatically equals being secure.

While there is some overlap, and the two fields complement each other, IT compliance and cyber security are not the same, and being compliant – with HIPAA, FedRAMP, PCI DSS, or any other framework – is not the same thing as being secure.

What is cyber security?

Cyber security is the protection of computer hardware, software, systems, networks, and data from cyberattacks. It is a very broad field that encompasses an enterprise’s policies, processes, end user education, and technical controls to address the following areas:

  • Application security – securing software and apps
  • Information security – securing data, including customer data, employee data, and confidential business information
  • Network security – securing the ports and databases within a network
  • Operational security – classifying information assets and determining the controls needed to secure them
  • Cyber incident management and response

What is IT compliance?

There is much overlap between the goals of IT compliance and cyber security, which is the root of the confusion. They both address securing hardware and digital assets. However, unlike cyber security requirements, which are developed internally, IT compliance requirements are mandated by a third party, such as the government, an industry regulatory body, or a client.

  • Organizations operating in the healthcare industry in the U.S. must comply with HIPAA, a federal law
  • Organizations around the world that wish to accept major payment cards must comply with PCI DSS, a set of standards mandated by the major credit card brands
  • The U.S. federal government requires organizations that wish to sell cloud services to federal agencies to comply with FedRAMP
  • Many private-sector businesses require their cloud services vendors to release a SOC 2 attestation

The takeaway is that enterprises implement cyber security controls for their own protection; they undergo IT compliance audits to satisfy a third party.

What are some additional differences between cyber security and IT compliance?

While many IT compliance standards, such as FedRAMP and SOC 2, are quite rigorous, they are not meant to provide full cyber security protection on their own. There’s no way they could.

  • The cyber security threat landscape is dynamic; it changes on a daily basis. IT compliance frameworks change very slowly, typically annually or less often.
  • Every organization’s data environment and risk profile are different. No IT compliance framework could comprehensively address every possible eventuality at every organization.

Additionally, some IT compliance regulations, such as the GDPR and the California Consumer Privacy Act, focus more on data privacy (giving individual consumers control over the data enterprises collect from them) than cyber security (protecting enterprise assets).

IT compliance complements cyber security

With the costs of IT compliance skyrocketing, some enterprises view compliance quite negatively, as a list of line items that must be checked off to conduct business in a certain industry or with certain clients. However, IT compliance complements enterprise cyber security and provides numerous benefits.

Compliance with certain standards, such as FedRAMP and SOC 2, is seen as a “gold standard” of data security by companies seeking to purchase cloud services, and compliance with the GDPR is seen by some consumers as a testament to a company’s commitment to data privacy. The process of undergoing a compliance audit also helps companies identify issues with their cyber security and data governance that may have otherwise gone undetected. Finally, IT compliance frameworks provide a good starting point for enterprise cyber security.

Which FedRAMP Security Impact Level Is Right for You?

Understanding FedRAMP security impact levels and baselines

You would never pay $1,000 upfront and $30/month for a security system to protect a shed containing $100 worth of lawn equipment. However, you wouldn’t hesitate to spend that much or more to protect your home and family. The same concept applies in information security. Different kinds of data necessitate different levels of security, which is why FedRAMP security impact levels exist. A government agency that deals with data that is widely available for public consumption doesn’t require as many security controls as an agency that works with classified data.

There are three FedRAMP security impact levels: FedRAMP Low, FedRAMP Moderate, and FedRAMP High. They are based on the three FISMA security objectives outlined in the Federal Information Processing Standard (FIPS 199):

• Confidentiality: Protect personal privacy and prevent the unauthorized disclosure of proprietary information.
• Integrity: Prevent the unauthorized modification or destruction of information.
• Availability: Prevent disruptions to information access or use.

FedRAMP Low Security Impact Level

The FedRAMP Low Impact Level applies to cloud service offerings (CSOs) that will be used to work with data that is already publicly available; a breach of this data would not cause significant damage to the government agency or its operations, assets, or individuals. FedRAMP defines two baselines within the Low Impact Level category, the standard Low Baseline and what is known as the LI-SaaS Baseline.

The LI-SaaS Baseline applies to Low-Impact SaaS applications that do not store personally identifiable information (PII) other than what is generally required for login credentials, such as email addresses, usernames, and passwords. The LI-SaaS Baseline has fewer security controls that require testing and verification than the standard Low Baseline, and the required security documentation is consolidated.

FedRAMP Moderate Impact Level

This is the most common impact level, accounting for about 80% of CSOs that attain FedRAMP authorization. It applies to CSOs being used for data that is largely not available for public consumption, such as PII. If Moderate Impact data is breached, the agency’s operations, assets, or individuals would suffer serious adverse effects, such as operational damage, financial loss, or individual harm (though not physical harm or death).

FedRAMP High Impact Level

The FedRAMP High Impact Level, which was released in 2016, applies to CSOs being used by agencies that handle the most highly sensitive unclassified government data, such as law enforcement, emergency services, financial systems, and healthcare systems. A data breach could have catastrophic results, including loss of human life and economic crises. FedRAMP High systems must comply with 421 controls and reduce the probability of human error as much as possible by automating as many processes as possible.

When pursuing FedRAMP authorization, cloud service providers must ensure that they choose the correct security impact level for their CSOs. For example, cloud service providers whose CSOs qualify for standard Low Baseline or LI-SaaS would not decide to pursue a JAB P-ATO, which is more appropriate for CSOs that are Moderate and High Impact.
