DHS Exploring CMMC-Like Program: Will More Agencies Follow?


The Cybersecurity Maturity Model Certification (CMMC) program has been in effect for almost a year now. In the face of rising cybersecurity threats, the program is meant to provide more robust security standards for defense contractors and a method of enforcement via third-party assessors.

But beginning a few months ago, agencies beyond the Department of Defense (DoD) have expressed interest in following the CMMC or CMMC-like programs, and now the Department of Homeland Security (DHS) has joined their ranks. Over the next year, it’s likely that more will follow, and small business owners are concerned about the potential impact of an increased compliance burden.

In this article, we’ll take a look at the DHS’s recent special notice, its potential effects on small government contractors, and how the landscape for CMMC compliance is likely to change over the coming year.

The DHS Special Notice

On August 10th, the DHS issued a special notice, announcing its intent to “advance our process in assessing industry compliance with Cyber Hygiene clause requirements”. Cyber Hygiene clauses were first adopted by the DHS in 2015 – but until now, the agency has relied on contractor self-assessment to enforce them.

Now the agency hopes to change that with a program modelled on the CMMC. It states: “our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award.” Since then, the agency has been engaged in a pathfinder assessment to determine the best way forward.

The decision mirrors a similar move by the General Services Administration (GSA), which began reserving the right to survey awardees of the Streamlined Technology Application Resource for Services (STARS) III contract for “CMMC level and ISO certification” last October. But CMMC adoption is unlikely to end there.

CMMC: The Perfect Tool for Contractor Assessment

Government agencies are facing increased cybersecurity risk, especially from ransomware and supply chain attacks. This year alone, the SolarWinds and Colonial Pipeline incidents have drawn attention to the need for increased vigilance and higher accountability, culminating in an executive order that demands both.

In this context, it’s easy to understand why agencies are increasingly relying on the CMMC: they need a way to evaluate contractors for cybersecurity preparedness, and CMMC is already designed with this goal in mind. Among other key advantages, it is:

  • Based on guidance from the National Institute of Standards and Technology (NIST), principally SP 800-171, which is kept current and designed to address emerging threats
  • Divided into five certification levels, ranging from basic cyber hygiene to protection against advanced persistent threats
  • Equipped with a ready-made enforcement mechanism through CMMC Third-Party Assessment Organizations (C3PAOs)

In order to cope with the federal government’s demand for increased cybersecurity, more agencies are likely to follow in the GSA and DHS’s footsteps, beginning with the largest. But how is this likely to impact contractors?

Impact on Contractors

Increased cybersecurity comes at a cost, and some businesses are concerned they won’t be able to foot the bill if civilian agencies decide to enforce the CMMC’s higher certification levels. In June, small government contractors lobbied Congress for a more lenient certification process, asking that most companies in the defense industrial base (DIB) be held only to the Level 1 standard.

With respect to financial impact, these concerns may be overblown: since the end of 2017, DFARS clause 252.204-7012 has required any defense contractor that handles covered defense information to implement NIST Special Publication (SP) 800-171. Under CMMC, most contractors will be required to meet Level 3 or below, and Level 3 consists of the 110 NIST SP 800-171 requirements plus 20 additional practices, so for a contractor that is already compliant with SP 800-171 the technical gap is modest.

Outside the DIB, NIST 800-171 has also been adopted by the GSA, the National Aeronautics and Space Administration (NASA) and other agencies on a contract-by-contract basis. For contractors of these organizations, CMMC compliance will represent continuity with their existing cybersecurity burden.

Conclusion

Within the federal government’s service supply chain, even small businesses can represent a major cybersecurity risk: attackers can use them as an entry point for organizations further up the chain and gain access to systems holding sensitive, if unclassified, information. As cyber actors become more sophisticated, a higher level of security becomes necessary across the board.

In the end, it makes a lot of sense for government agencies beyond the DoD to lean on CMMC standards. Civilian and non-DoD contractors should prepare by familiarizing themselves with the CMMC, conducting NIST 800-171 self-assessments, and partnering with experts who can help them to comply with the latest federal regulations.


Based on our years of experience conducting assessments for compliance with NIST standards like SP 800-53 and SP 800-171, which form the basis of CMMC, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs. Contact us to learn more.


Everything Government Contractors Need to Know About CMMC and NIST 800-171

Since its release in January 2020, and after many delays, the new Cybersecurity Maturity Model Certification (CMMC) has not yet been enforced in contracts from the Department of Defense or any other agency. This is expected to change this month, following updates to the Defense Federal Acquisition Regulation Supplement (DFARS). While contractors have until then to prepare for compliance reforms, many are still unaware of CMMC, DFARS, or how they both relate to a single document: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

In this article, we’ll review the basics of SP 800-171, how it relates to CMMC, and explain why every federal contractor handling Controlled Unclassified Information (CUI) needs to be compliant.

NIST 800-171: What is It?

Since the end of 2017, any contractor working with the Department of Defense (DoD) that handles covered defense information has been required, under DFARS clause 252.204-7012, to comply with the requirements outlined in SP 800-171, formally titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Derived from the moderate baseline of the more comprehensive SP 800-53, the document outlines strict requirements for systems that handle sensitive information not meriting a “classified” designation.

NIST 800-171 and CUI

CUI is broad in scope, encompassing almost any data – scientific, financial, or operational – that the government designates for safeguarding and exchanges in the course of a contract. Since compliance with NIST 800-171 was rolled into DFARS – the DoD’s supplement to the Federal Acquisition Regulation (FAR) – it has also been adopted, contract by contract, by federal agencies outside the Defense Department, including GSA, NASA and others.

Full compliance with SP 800-171 entails the implementation of a System Security Plan (SSP) covering every system that handles CUI during a contract, including email, file transfer, content management systems, cloud platforms, project collaboration tools and more. Earlier this year, a minor revision (Rev. 2) to the publication was released; it is editorial and does not change the security requirements in chapter 3.

NIST 800-171: Why Does it Matter?

The vulnerability of protected information has been a growing national security concern. Federal agencies are under constant attack from Advanced Persistent Threat (APT) groups and other malicious actors who may represent foreign adversaries attempting to gain an advantage over the United States. Increasingly, these threat actors have shifted their attention to the massive Defense Industrial Base, seeking opportunities to steal and otherwise exploit sensitive information held by government contractors.

Just this March, a Colorado-based aerospace firm fell victim to a ransomware attack that exposed data from customers including Lockheed Martin, General Dynamics, Boeing and SpaceX. Such incidents show that – without adequate security controls – the federal services supply chain can easily be compromised, representing a threat to the businesses that are targeted, their clients, and ultimately the government.

There is a good reason CUI is protected by law, and that one category of it – export-controlled technical data – falls under ITAR right alongside military technology, arms and services: information is power, and that power becomes deadly in the hands of an enemy. Contractors entrusted with CUI or any other form of sensitive information must handle it responsibly as a protection to themselves and their customers, and that is the ultimate purpose of requirements like NIST 800-171.

How CMMC Changes NIST 800-171 Compliance

In light of evidence that a woefully small percentage of defense contractors were actually complying with NIST 800-171, the DoD began rolling its security requirements into the CMMC in 2019. The first major change is that self-assessment will no longer be enough: after October, contractors will be required to undergo third-party review to demonstrate their compliance with DFARS.

While that means that organizations will have to tighten up their compliance strategy, a second development will make the burden easier to bear: a single standard for compliance will no longer be applied to all defense partners. Under CMMC, there are five security levels and – while all require NIST 800-171 to be followed in some degree – that degree changes between levels:

  • Level 1 Basic Cyber Hygiene – requires basic safeguarding of information systems, covering 17 practices that correspond to the basic requirements of FAR 52.204-21 and NIST 800-171.
  • Level 2 Intermediate Cyber Hygiene – requires an additional 55 practices for protection of CUI, coming to a total of 72, and each practice must be documented.
  • Level 3 Good Cyber Hygiene – adds 58 practices, bringing the total to 130, which covers all 110 NIST 800-171 requirements plus 20 more. Contractors at this level must also establish, maintain and resource a plan for managing their practices.
  • Level 4 Proactive – at this level, contractors must review and measure their practices, share findings with upper management and adapt their defenses to changing adversary techniques. A total of 156 practices, drawing on the enhanced requirements of draft NIST SP 800-171B.
  • Level 5 Advanced – at this level, all previous requirements must be met (171 practices in total), and contractors must have a standardized, optimized process to defend against Advanced Persistent Threats (APTs).

The DFARS safeguarding clauses already flow down to subcontractors that handle CUI, and after the pending updates to the DFARS rule, a prime contractor will be required to ensure that subcontractors hold the CMMC level appropriate to the information they receive. Consequently, DFARS requirements will soon extend to a much larger group of businesses than those working directly with the DoD.

How to Prepare

Since many businesses will have to comply with NIST 800-171 even if they are not working directly with the Defense Department or other agencies, we recommend that they prepare to comply with as much of the publication as possible. To that end – in conjunction with a copy of the CMMC Model v1.0 – they may consult NIST Handbook 162, the NIST MEP self-assessment handbook for SP 800-171, to conduct a self-assessment ahead of taking on contracts under CMMC.

However, while self-assessment is a useful tool for preparation, it won’t be enough in the long run: before you are vetted by a third party, consider partnering with veteran cybersecurity experts to make sure that your organization is meeting the requirements set down by NIST and the DoD.

To become NIST SP 800-171 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

5 NIST Updates That Will Impact Security Professionals in 2020


It’s fair to say publications from the National Institute of Standards and Technology (NIST) are a cornerstone of the security of our federal government: NIST documents set the standard for security practice in both the public and private sector, ranging from information security controls (SP 800-53) to risk management practices (the Cybersecurity Framework, CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.

As we mentioned in a recent article, technology has a tendency to change faster than policy can keep up – but that doesn’t mean NIST won’t try. Every year, the agency works diligently to keep its standards current, seeking the advice of industry professionals to produce new documents ahead of future trends. With a new decade ahead of us, NIST is already hard at work, announcing new standards for IoT, privacy and much more.

To ensure your organization is prepared for the next generation of risk and compliance, keeping up with NIST’s activity is vitally important. Our staff is among the industry organizations that advise NIST, and in this article we’ll share five of the biggest updates to recently come from the nation’s foremost authority on federal and commercial enterprise technology.

1. CMMC to Consolidate Security Standards for DoD Contractors

The Cybersecurity Maturity Model Certification (CMMC) is by far the biggest change to policy impacting federal partners in 2020. Although for now it mainly applies to contractors working with the DoD, that may change with time, and organizations should prepare before it goes into effect later this year.

CMMC has three major goals:

  • Consolidate practices drawn from multiple cybersecurity standards into a single model, including NIST SP 800-171 and SP 800-53 and international standards such as ISO 27001 (these source documents remain in force; CMMC maps to them rather than replacing them)
  • Prevent organizations from winning a contract until they can demonstrate cybersecurity preparedness
  • Gauge the maturity of a company’s cybersecurity practices and processes, as they have been institutionalized

With five gradually escalating certification levels, in some ways the CMMC will ease the burden of compliance for federal contractors. In other ways, it will raise the bar for what it means to be “compliant,” forcing organizations to take responsibility for risk and adopt a mindset of cybersecurity across their departments. As a military contractor ourselves, we too are adapting to comply.

2. Draft for IoT Standards

The IoT security gap remains one of the greatest threats to security across federal agencies. Thanks to a lack of security controls from IoT vendors – and a lack of awareness from organizations – many IoT devices ship with vulnerabilities that can be used for espionage, data theft and much more.

In response, NIST has released a draft of NISTIR 8259, titled Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The document contains recommendations focused on bringing IoT vendors in line with the security needs of their customers, with a core capability baseline covering device identification, device configuration, data protection, logical access to interfaces, secure software and firmware updates, and cybersecurity state awareness, plus foundational activities such as communicating end-of-life support policies to customers.

While compliance with IR 8259 is completely voluntary for the time being, a proposal to put NIST in charge of IoT standards remains before the House of Representatives, and may be passed at any time.

3. Privacy Framework

Federal contractors handle a lot of sensitive information, ranging from the personal data of their employees, customers and clients to levels of classified information from government agencies. As emerging data privacy laws seek to mitigate the risk of data incidents across public organizations, NIST is doing its part to prevent them in a federal context with the Privacy Framework (PF).

While the PF is only 39 pages long, it is jam-packed with advice and procedures for managing privacy risk from threats both inside and outside of an organization. Divided into five functions, it is also aimed at helping organizations stay prepared for technology advancements and new data use cases:

  • Identify risk to individuals
  • Govern risk management priorities
  • Control privacy risks at a granular level
  • Communicate with stakeholders
  • Protect data from “privacy events”

Version 1.0 of the PF was released at the end of last month, after being available for public comment since September of last year. It has already been adopted by organizations outside the government and should gain wider adoption in the coming months.

4. Supply Chain Risk Management Updates

Released in 2015, SP 800-161 has existed to mitigate risks in the information and communications technology (ICT) supply chain throughout federal organizations. Now, NIST seeks to update Supply Chain Risk Management Practices for Federal Information Systems and Organizations for a new decade, following changes in federal law regarding the acquisition of ICT products in 2019, especially from foreign vendors.

In its pre-draft call for comments, NIST stated its goal to “deliver a single set of cyber supply chain risk management practices to help Federal departments and agencies manage the risks associated with the acquisition and use of IT/operational technology products and services in a way that is functional and usable.”

The ICT supply chain can introduce risk to organizations through poor design, lack of security controls and even backdoors for espionage. Since the update to SP 800-161 is being aligned with NIST SP 800-37 and the supply chain controls in SP 800-53, all federal contractors will be affected, and they should stay informed as new information becomes available.

5. Standardization of Cybersecurity Regulations

Ever feel like there are just too many security regulations to keep up with? NIST agrees: in a draft report for the National Online Informative References (OLIR) Program, it states “the fields of cybersecurity, privacy, and workforce have a large number of documents, such as standards, guidance, and regulations”.

Through the OLIR, NIST aims to simplify compliance through a centralized online catalog of mappings (“informative references”) between cybersecurity, privacy and workforce documents, with cross-references maintained by the documents’ own subject matter experts. Depending on the extent of the OLIR, it could change the workflow of security professionals throughout the industry and make the adoption of new standards much easier.

NIST accepted public comments on its first draft until February 24th. We don’t know how long it will be until OLIR goes into effect, but it’s safe to assume something will be up and running by the end of this year.

Taking Responsibility

Every new update from NIST points to developing trends in technology and legislation. While keeping up with them can be difficult, the best way to stay ahead of regulations is to stay on top of risk.

Don’t stop at checking off boxes: in 2020, organizations who take responsibility for their business processes, IT infrastructure and insider threats will be the most likely to succeed on the road to full compliance.


Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

NIST 800-53 Rev. 5: What it Is, and Why You Should Care


Later this year, the National Institute of Standards and Technology (NIST) will release Revision 5 of Special Publication SP 800-53, Security and Privacy Controls for Information Systems and Organizations, the catalog of recommended security and privacy controls for federal information systems. Soon, government agencies, contractors and FedRAMP-authorized vendors will be rushing to update their systems before the guidelines go into effect.

As the de facto standard for compliance with the Federal Information Security Management Act (FISMA), SP 800-53 directly applies to any federal organization (national security systems aside), and indirectly to non-federal organizations via SP 800-171. In this article, we’ll summarize the contents and newest revisions.

Establishing Security Controls

To maintain security, any IT system must implement a baseline of security controls to prevent incidents and establish proper responses. NIST’s Information Technology Laboratory (ITL), which authors the publication, maintains the catalog on an ongoing basis and revises it with input from federal agencies, industry and the research community.

The most recent edition (Rev. 4) of SP 800-53 includes 212 base controls (plus numerous control enhancements) distributed across 18 control families designated by acronyms, such as “AC” for “Access Control,” “IR” for “Incident Response” and “CM” for “Configuration Management”. Controls are allocated to three (3) baselines – “low,” “moderate” and “high” – according to the impact level of the system as categorized under FIPS 199, and each implemented control falls into one of three types:

  • Common – implemented once and inherited by multiple systems across an organization
  • System-specific – implemented for a particular system or application
  • Hybrid – partly common and partly system-specific

SP 800-53 is very useful as reference material for designing security plans, and its controls are used as a basis for other special publications/regulations. However, to actually protect an organization it must be implemented according to a Risk Management Framework (RMF).

The NIST RMF

SP 800-53 is the control catalog used within NIST’s standardized Risk Management Framework. The RMF itself is defined in SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, which details the formal authorization process (formerly called certification and accreditation).

The NIST RMF guides organizations through a comprehensive risk management and response plan in six (6) core stages (SP 800-37 Rev. 2, published in 2018, adds a preliminary Prepare step before these):

  1. Categorize – determine the impact level of the information system based on the types of information it processes and the impact of a loss of confidentiality, integrity or availability
  2. Select – select baseline security controls, tailored to the system, to mitigate risk
  3. Implement – implement the security controls and document how they have been deployed
  4. Assess – assess whether the controls are implemented correctly, operating as intended and producing the desired outcome
  5. Authorize – authorize operation of the system based on its overall risk to the organization, its assets, mission, and personnel
  6. Monitor – monitor security controls on a regular basis, record performance, and report concerns to appropriate organizational officials when necessary

Due to its methodological rigor, the NIST RMF gives organizations a high degree of precision in determining risk, mitigating threats, and maintaining accountability before regulatory bodies.

Who Does SP 800-53 Apply To?

SP 800-53 directly applies only to federal agencies. However, the publication is used as the basis for many other programs and should be referred to by anyone to whom they apply. This includes:

  • FedRAMP – Cloud Service Providers (CSPs) authorized under the FedRAMP program are required to implement SP 800-53 controls to secure their services and facilities
  • FISMA – since SP 800-53 is used as the basis for FISMA compliance, state agencies and contractors that operate systems on behalf of a federal agency will also have to comply
  • Defense Federal Acquisition Regulation Supplement (DFARS) – while SP 800-171 initially imported security controls from SP 800-53, the controls have since been adjusted to better protect controlled unclassified information (CUI) specifically. Nevertheless, SP 800-53 is recommended as a useful reference for non-federal businesses required to comply with DFARS, and is more and more being used as a reference for non-federal security programs, for example to form a baseline for protection of Industrial Control Systems (ICS) in some industries.

In general, it is safe to assume that as an organization conducting any business with the U.S government, SP 800-53 or some portion of it will apply to information systems used during the contract.

Changes in Revision 5

Because SP 800-53 applies to all U.S. agencies and government partners, it goes without saying that compliance is mandatory, and systems should be updated to reflect new revisions within the transition period that follows each release.

Revision 5, to be released later this year, brings with it a new emphasis on privacy, expanded security controls and changes to control categories:

  • Outcome-based control statements: the control text no longer names “the information system” as the responsible party, so the same control can be applied to systems, organizations or individuals
  • New emphasis on privacy: integration of privacy controls with security controls, and better integration with cybersecurity/risk management
  • Separation of control selection from the control catalog: the baselines move to a companion document (SP 800-53B), leaving SP 800-53 as a pure catalog
  • New controls based on threat intelligence and empirical attack data

Revision 5 will go into effect in 2020, a year from the date of its official release. In the meanwhile, preparing to comply will help your organization to be ready. To learn more about the latest version of SP 800-53, view the draft on NIST’s website.


Securicon Can Help

To become NIST 800-53 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!