Over the last several years, I have personally written SSPs (System Security Plans) for close to 50 DIB (Defense Industrial Base) organizations of every type and size that one might imagine. The smallest were for one- or two-person shops, and the largest have been for global behemoths, including a Spanish company that started out making cannons in the 1400s.
Point being, I have “seen a thing or two, so I know a thing or two”, to borrow from a certain insurance company that has a very large marketing budget. We at Appalachia might not be as funny as an insurance company, but we can explain all day long how to put a big fat dent in your CMMC compliance efforts. Personally, I could prattle on about the subject for hours without any slides.
If you are just getting started on your CMMC compliance voyage, you may feel a bit overwhelmed and that is understandable. “Getting compliant” is like trying to lose 40 pounds when you are old enough to remember the Soviet Union and sit at a desk all day. Not at all easy, but it’s certainly possible and worth the trouble for a lot of reasons.
So, let’s say that you don’t have an SSP, or you’ve not had an assessment done, but you want to get started. If you were heading off to basic training in two months and needed to get ready, you would start running and doing push-ups and sit-ups, right? Think of this list like that.
1) Identification. It’s very common to find clients that don’t have a very good handle on what they have in their IT environment, and at times there are MAJOR differences between what the clients think they have and what they actually have. Start a full inventory now, and not just of your equipment. Inventory all hardware and all software, all system accounts, all people, and all organizations that have some presence in your IT environment. Audit your network and firewalls so we know what traffic is and is not allowed, and where. Always keep the list current and accurate. If you have a more complex environment, there are many tools available to help automate this process. We cannot keep you adequately secure if we do not know exactly what and where we are securing. Every cybersecurity framework I am aware of, including the CMMC, views Identification as foundational.
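The gap between "what the client thinks they have" and "what they actually have" is easiest to see when you put the inventory spreadsheet next to a discovery scan and diff them. The script below is an added example, not code from the original post: both asset lists are constructed sample data, and in practice EXPECTED would be loaded from your CMDB or spreadsheet and SEEN from a network scanner or DHCP lease export. It reconciles the two by MAC address so that records from different tools line up regardless of how each one formats the address.

```python
"""Reconcile an authoritative asset inventory against what was actually seen on
the network. Added example, not from the original post. The sample assets are
constructed; in practice EXPECTED comes from your CMDB or spreadsheet and SEEN
from a discovery scan or DHCP lease export."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    ip: str
    owner: str = ""  # who is accountable for the device; blank is itself a finding


def normalize_mac(mac: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return
    the colon-separated lowercase form so records from different tools match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample: what the inventory spreadsheet says exists.
EXPECTED = [
    Asset("00:11:22:33:44:55", "fileserver01", "10.0.1.10", "IT"),
    Asset("00:11:22:33:44:66", "cnc-ws-02", "10.0.2.20", "Shop floor"),
    Asset("00-11-22-33-44-77", "hr-laptop-07", "10.0.3.30", "HR"),
    Asset("00:11:22:33:44:99", "print-lobby", "10.0.3.40"),  # nobody owns it
]

# Constructed sample: what a discovery scan actually found.
SEEN = [
    Asset("0011.2233.4455", "FILESERVER01", "10.0.1.10"),
    Asset("00:11:22:33:44:66", "cnc-ws-02-old", "10.0.2.20"),
    Asset("00:11:22:33:44:99", "print-lobby", "10.0.3.40"),
    Asset("00:11:22:33:44:88", "unknown-device", "10.0.2.99"),
]


def reconcile(expected, seen):
    """Return the lists an assessor will ask about, keyed by normalized MAC."""
    exp = {normalize_mac(a.mac): a for a in expected}
    obs = {normalize_mac(a.mac): a for a in seen}
    return {
        # On the wire but not in the inventory: rogue, forgotten or undocumented.
        "unknown": sorted(m for m in obs if m not in exp),
        # In the inventory but not seen: retired asset, stale record, or offline.
        "missing": sorted(m for m in exp if m not in obs),
        # Same device, different name: the record has drifted from reality.
        "renamed": sorted(
            m for m in exp.keys() & obs.keys()
            if exp[m].hostname.lower() != obs[m].hostname.lower()
        ),
        # In the inventory with no accountable owner.
        "unowned": sorted(m for m, a in exp.items() if not a.owner),
    }


if __name__ == "__main__":
    for category, macs in reconcile(EXPECTED, SEEN).items():
        print(f"{category:8s} {len(macs):2d}  {', '.join(macs)}")
```

Run it on a schedule and treat every non-empty list as a ticket: an "unknown" device gets investigated, a "missing" one gets retired from the inventory or tracked down, and an "unowned" one gets an owner before the assessor asks who is responsible for it.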
2) Train your people. I’d say probably two-thirds of the clients I have worked with do not have any formal cybersecurity training in place. In a pinch, have all your people take the DoD “Cyber Awareness Challenge”, which is free and publicly available. Print out the certificates of completion and maintain them on file. This is easy and free but doesn’t scale well. If you have a lot of people to train, it’s better to use a paid solution that can track all the training automatically and send reminders and such. There are several of these training solutions on the market with competitive pricing and features.
3) Physical security. There are a handful of controls in the CMMC that speak to this. I’d say that about one-third of the clients I have worked with did not have adequate physical security in place. The CMMC’s physical security requirements are not over the top or anything – think your standard BACS (Building Access Control System) where all doors are electronically controlled, and each employee has a separate access fob or card. You’ll need cameras on key areas, and also a building alarm system that is monitored. If you don’t have any of this, reach out to your local security companies and get some proposals to chew on. I’ve had a few clients that had to spend a lot of money here, so be prepared for that if your physical security is inadequate. Also, make sure that you are performing some kind of background checks on your employees, particularly the ones who have access to sensitive data.
4) Patch and vulnerability management. Nearly every company I have worked with does a poor job of this, and it is a major problem literally the world over. Simply using automated patching and hoping for the best is about as smart as running into traffic with a bag over your head. Get a dedicated vulnerability scanner such as Nessus, Rapid7, Qualys, etc. While I have my biases, my favorite is Nessus – that is what the DoD uses on their classified networks. Even if you do this yourself, expect to spend at least $2500 per year on the scanner license and feeds alone.
I guarantee that what you find the first time you live scan your network will be about as appetizing as what one would find under the seats of a 20-year-old minivan that was purchased at auction for 500 bucks. Here is a primer from SANS on standing up a formal VMS (Vulnerability Management System):
Implementing a Vulnerability Management Process | SANS Institute
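The first live scan produces a pile of findings, and the part of a VMS that scanners do not do for you is turning that pile into a remediation queue with deadlines. The script below is an added example, not code from the original post or from any scanner vendor: the CSV is constructed to resemble a typical export (the column names are an assumption, not a specific product's format), the plugin IDs and finding names are placeholders, and the SLA_DAYS timelines are an assumed internal policy rather than anything the CMMC prescribes.

```python
"""Turn raw scanner findings into a remediation queue ordered by SLA breach.
Added example, not from the original post. The CSV is constructed to look like a
typical scanner export; the column names and the SLA_DAYS policy are assumptions,
not any particular product's format or any CMMC-mandated timeline."""
import csv
import io
from datetime import date

# Assumed remediation policy: days allowed from first detection, by severity.
# Informational ("None") findings carry no SLA and are dropped from the queue.
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}

# Constructed export. Plugin IDs and names are placeholders, not real plugins.
SCAN_CSV = """\
Host,Plugin ID,CVSS,Risk,Name,First Seen
10.0.1.10,100001,9.8,Critical,Placeholder: unauthenticated RCE in service X,2024-01-03
10.0.2.20,100002,7.5,High,Placeholder: outdated TLS library,2024-02-10
10.0.3.30,100003,5.3,Medium,Placeholder: SMB signing not required,2023-11-01
10.0.1.10,100004,0.0,None,Placeholder: OS fingerprint,2024-01-03
"""


def load_findings(text):
    """Parse the export; each row becomes a dict keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def prioritize(findings, today):
    """Attach age and SLA status to each finding and order the queue:
    breached SLAs first, then highest CVSS, then oldest."""
    queue = []
    for f in findings:
        sla = SLA_DAYS.get(f["Risk"])
        if sla is None:
            continue
        age = (today - date.fromisoformat(f["First Seen"])).days
        queue.append({
            "host": f["Host"],
            "plugin": f["Plugin ID"],
            "risk": f["Risk"],
            "cvss": float(f["CVSS"]),
            "name": f["Name"],
            "age_days": age,
            "sla_days": sla,
            "overdue": age > sla,
            "days_over": max(0, age - sla),
        })
    queue.sort(key=lambda r: (not r["overdue"], -r["cvss"], -r["age_days"]))
    return queue


def overdue_by_host(queue):
    """How many breached findings each host carries; handy for a weekly report."""
    counts = {}
    for r in queue:
        if r["overdue"]:
            counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


if __name__ == "__main__":
    q = prioritize(load_findings(SCAN_CSV), date(2024, 3, 1))
    for r in q:
        flag = f"OVERDUE by {r['days_over']}d" if r["overdue"] else "within SLA"
        print(f"{r['host']:10s} {r['risk']:8s} CVSS {r['cvss']:<4} age {r['age_days']:>3}d  {flag}")
    print("overdue per host:", overdue_by_host(q))
```

The "First Seen" date is the piece most shops lose: a scanner report only tells you what is open today, so persist the first detection date per host and plugin and the age becomes the metric you report on, not the raw count of findings.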
5) Protective Technologies. In the 90’s, we used anti-virus, automated patching, and firewalls to keep the soft interior of a network “secure”. A lot of companies still do it this way, and it’s not nearly enough. The CMMC recognizes this problem and prescribes additional protective technologies including SIEM (Security Information and Event Management), IDS (Intrusion Detection System) and the aforementioned vulnerability scanning. SIEM and IDS do for your network what your building alarm does for your building. If someone were scanning your internal network, would you know? If someone created a domain admin account on your server at 2AM on Christmas, would you be alerted? Probably not, and that is where these technologies come in. If you don’t have any of the three, it’s best to just bring in a UTM (Unified Threat Management) solution such as AlienVault. AlienVault alone would knock out more than 15 of the 130 controls in the CMMC.
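The two questions above (would you notice an internal scan, would you be alerted to a privileged account change at 2AM on Christmas) are exactly the kind of rule a SIEM runs for you. The script below is an added example, not code from the original post and not any SIEM product's rule language: it shows the logic of those two detections over constructed log records. The Windows event records, the firewall log lines, the business-hours window, the privileged-group list and the scan threshold are all assumptions to be tuned for your own environment.

```python
"""Two of the questions in the paragraph above, answered as detection logic over
constructed log records. Added example, not from the original post and not any
SIEM product's rule syntax. Business hours, the privileged-group list and the
scan threshold are assumptions to tune for your own environment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59, Monday to Friday

# Constructed Windows Security events (a few fields only). Event ID 4728 is
# "A member was added to a security-enabled global group".
EVENTS = [
    {"time": "2023-12-25T02:07:13", "event_id": 4728, "subject": "jsmith",
     "member": "svc-backup", "group": "Domain Admins"},
    {"time": "2023-12-18T10:15:00", "event_id": 4728, "subject": "it-admin",
     "member": "newhire", "group": "Engineering"},
    {"time": "2023-12-19T14:30:00", "event_id": 4728, "subject": "it-admin",
     "member": "jdoe", "group": "Domain Admins"},
]


def privileged_group_alerts(events):
    """Every addition to a privileged group is worth a ticket; one made outside
    business hours or on a weekend is escalated."""
    alerts = []
    for e in events:
        if e["event_id"] != 4728 or e["group"].lower() not in PRIVILEGED_GROUPS:
            continue
        t = datetime.fromisoformat(e["time"])
        off_hours = t.hour not in BUSINESS_HOURS or t.weekday() >= 5
        alerts.append({
            "severity": "high" if off_hours else "medium",
            "when": e["time"],
            "who": e["subject"],
            "added": e["member"],
            "group": e["group"],
        })
    return alerts


# Constructed firewall log lines in a simple key=value shape: 25 distinct ports
# from one host inside 25 seconds, two ordinary connections, and one malformed
# line the parser has to tolerate.
FW_LINES = [
    f"2023-12-25T02:10:{i:02d} src=10.0.2.99 dst=10.0.1.10 dport={p} action=deny"
    for i, p in enumerate(range(20, 45))
] + [
    "2023-12-25T09:00:00 src=10.0.3.30 dst=10.0.1.10 dport=445 action=allow",
    "2023-12-25T09:00:05 src=10.0.3.30 dst=10.0.1.10 dport=80 action=allow",
    "this line is not a firewall record",
]

FW_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$"
)


def parse_fw(lines):
    """Yield (timestamp, src, dst, dport); lines that do not match are skipped."""
    for line in lines:
        m = FW_LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def scan_alerts(lines, window=timedelta(seconds=60), threshold=20):
    """Flag a source that touches `threshold` or more distinct (dst, port)
    pairs within any `window`, the basic signature of a port sweep."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_fw(lines):
        by_src[src].append((ts, dst, port))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        peak = 0
        for i, (t0, _, _) in enumerate(hits):
            targets = {(d, p) for t, d, p in hits[i:] if t - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            alerts.append({"src": src, "distinct_targets": peak})
    return alerts


if __name__ == "__main__":
    for a in privileged_group_alerts(EVENTS):
        print("PRIV", a)
    for a in scan_alerts(FW_LINES):
        print("SCAN", a)
```

Note that the first detector fires on every privileged-group change, not only the off-hours ones; the time of day only sets the severity. A legitimate change made through your change-management process will have a ticket to match the alert against, and an alert with no ticket is the finding.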
6) Data classification. Know what data you have, and where it is, especially high-risk information such as CUI (Controlled Unclassified Information), FCI (Federal Contract Information), and others such as PII (Personally Identifying Information), CDE (Cardholder Data Environment), PHI (Protected Health Information), etc. Once you know what data you actually have and where it is, we can start talking about where to deploy the necessary protections. Don’t hoard data!! More data = more risk, so do not keep data that you no longer need.
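Knowing "what data you have and where it is" usually starts with a discovery pass over the file shares, looking for CUI banner markings and for patterns that indicate PII or cardholder data. The script below is an added example, not code from the original post: the file contents are constructed and held in memory (a real run would walk the share with os.walk and read each file), and the patterns are deliberately simple. The SSN pattern follows the public format rules (no 000, 666 or 9xx area numbers), and card-number candidates are validated with the Luhn checksum so that part numbers and similar digit runs are not flagged, but every hit should still be reviewed before a file is labelled.

```python
"""Find the files that hold the high-risk data types named above. Added example,
not from the original post. The file contents are constructed and held in memory;
in practice you would walk a file share with os.walk and read each file. The
patterns are deliberately simple and will produce false positives, which is why
every hit should be reviewed before the file is labelled."""
import re

# CUI banner markings such as "CUI" or "CUI//SP-CTI", or the spelled-out form.
CUI_MARKING = re.compile(
    r"\bCUI(?://[A-Z0-9-]+)?\b|CONTROLLED UNCLASSIFIED INFORMATION", re.I
)
# SSN in AAA-GG-SSSS form; areas 000, 666 and 900-999, group 00 and serial 0000
# are never issued, so excluding them trims false positives.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16-digit runs with optional spaces or dashes; validated with Luhn below.
CARD = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 from
    any result over 9, and the total must be divisible by 10."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of data-type labels that apply to one file's text."""
    labels = set()
    if CUI_MARKING.search(text):
        labels.add("CUI")
    if SSN.search(text):
        labels.add("PII")
    if any(luhn_ok(m.group()) for m in CARD.finditer(text)):
        labels.add("Cardholder data")
    return labels


# Constructed file share: paths and contents are sample data.
FILES = {
    "contracts/task-order-17.txt": "CUI//SP-CTI\nControlled by: Contracts Office\n...",
    "hr/onboarding-2023.csv": "name,ssn\nJane Doe,123-45-6789\n",
    "finance/refund-note.txt": "Refunded card 4111 1111 1111 1111 on 3/2.",
    "shop/part-numbers.txt": "Spindle part 4111-1111-1111-1112, cutting speed 1200 rpm",
    "shop/readme.txt": "Coolant mix ratios and feed rates for the Haas.",
}


def inventory(files):
    """Map each file that holds regulated data to its sorted list of labels."""
    found = {}
    for path, text in files.items():
        labels = classify(text)
        if labels:
            found[path] = sorted(labels)
    return found


if __name__ == "__main__":
    for path, labels in inventory(FILES).items():
        print(f"{path:30s} {', '.join(labels)}")
```

The output is the starting point for the "where to deploy protections" conversation, and just as useful for the "don't hoard data" point: a three-year-old onboarding spreadsheet full of SSNs that nobody needs is risk with no business value, and the discovery pass is what surfaces it.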
7) Mobile assets. Make sure all laptops are encrypted using AES-256 encryption. We still see unencrypted laptops pretty often, and it’s just sloppy. Retrieving information from unencrypted drives is a trivial task – I watched my 12-year-old do it with old computers he bought on Craigslist. Tuck in your shirt and encrypt your laptops. This applies to smartphones as well – most of the modern ones are encrypted by default, but don’t take that for granted. If you allow company e-mail on smartphones, you’re going to need some mix of administrative and technical controls which are beyond the scope of this discussion. Remember that when it comes to security, less is more, so if you can operate without this stuff, even better.
8) Change Management. Probably about half of the clients I have worked with don’t do any formal change management at all, and changes to IT and security are made pretty much on an ad-hoc basis. For starters, disallow changes of any kind without a service ticket, and make sure all changes are captured in a ticketing system. I can’t teach you change management in a blog, so familiarize yourself with ITIL (Information Technology Infrastructure Library), ITSM (Information Technology Service Management), etc.
9) Removable Media. I’ve seen a few companies that do a very good job controlling removable media, but most do not and a lot of them are a free-for-all. What is to stop an employee from copying who-knows-what onto a USB stick and walking out with it? If you do not need to use optical media or USB sticks, disallow them by policy and then use GPOs and/or endpoint protection to disable them. If you must use them, they need to be tightly controlled using a mix of administrative and technical controls. Again, less is more.
10) Policies and Procedures. Do an Organizational Risk Assessment using a recognized methodology such as NIST 800-30, Guide for Conducting Risk Assessments. Make sure you have an IRP (Incident Response Policy). If you don’t have an IRP, contact us and we’ll provide one free.