October 5, 2022
This week I have some more interesting info from various sources to share with you all.
CMMC breaking out of DoD
It has widely been anticipated that CMMC would be adopted by other federal government agencies, and the first serious hint of that came out last week, when the GAO released a report on the National Nuclear Security Administration, indicating that NNSA is expecting to require CMMC certification for all contractors and subcontractors in the next version of its SD 205.1, "Baseline Cybersecurity Program," currently under review.
Most common failures
Nick Delrosso (DIBCAC) shared many informative slides at the recent Cyber AB Town Hall Meeting. He stated that the two most common failures in the Voluntary Assessments that started in August are FIPS 140-2 validated encryption (50% failure) and multi-factor authentication (38% failure). If you have any doubt whether you understand and have correctly implemented SC.L2-3.13.11 and/or IA.L2-3.5.3, I suggest you seek some expert guidance.
How much will CMMC L2 cost, and how long will it take to be compliant?
These are probably the most common questions I get from potential new clients. The answer to both questions, of course, is always "It depends," because it depends on so many factors: How large is your organization? How large is the scope of your CUI environment? What type of business do you operate? What is your tolerance for change? Do you favor technical solutions or policy-based solutions? Most important of all: How far along the CMMC journey are you now?
John Ellis, DIBCAC director, told us at CMMC Day that the overall failure rate for DIBCAC "High" assessments is 78%, and that the average length of time required for a contractor to close out all POAMs is 1.4 years. This tracks pretty well with the "you should plan for this to take 12-18 months" we have been telling our clients. There are no quick solutions to 800-171 compliance, no magic bullets, and you literally cannot write a check big enough to make you compliant in three days (despite what some of those misleading advertisements may say).
As for cost, it's important to remember that CMMC is descriptive, not prescriptive: it tells you where you need to be, but you make your own choices on how to get there. Many organizations will prefer to add technology solutions to their environment, while others will opt to implement more policy and procedure changes. Some will bring in outside expertise, while others will try to do it all on their own. These decisions will have a large impact on the overall cost (and time) required to achieve compliance.
VDI is not a "get out of CMMC free" card
Many organizations have developed a locked-down (no data transfer, no printing, no screen capture) Virtual Desktop Infrastructure (VDI) solution to reduce the scope of their CUI environment. Under CMMC 1.0, it was believed that in this scenario local endpoints would be out of scope entirely. Under CMMC 2.0, however, we have multiple asset categories defined in the scoping guides released in December, and we now know that local endpoints (even those that cannot store CUI locally) are Contractor Risk Managed Assets (CRMA). What does this mean?
CRMA must be:
- Documented in your asset inventory
- Documented in your SSP (showing how you manage this risk with your policies, procedures and practices)
- Documented in the network diagram of CMMC Assessment Scope
- Subject to being “spot checked to identify risks” by the CCA during your assessment
CRMA do not have to be assessed against all the CMMC practices, and they do not have to be addressed in every practice in your SSP.
At CMMC Day, Amira Armond (Kieri Solutions, an authorized C3PAO) said with respect to VDI: "Assessors want to see a lot of security on those endpoints. Antivirus, patch management, and logging! We want assurance that CUI isn't leaking out of the VDI to the local endpoint."
Even organizations without VDI may have CRMA in their environment, so it's an important concept to understand. You need to be able to (accurately!) categorize every asset in your CUI environment in order to achieve compliance.
Want to learn more? Check out my fall virtual workshops.