DoD requires Defense Industrial Base (DIB) companies to become CMMC compliant in order to safeguard the DIB supply chain and mitigate the risk of theft of sensitive Controlled Unclassified Information (CUI). Such theft is not only a major national security concern; for DIB companies it also means the loss of intellectual property, potentially costing US DIB companies billions of dollars in lost revenue each year.
As a small or medium business, you may see the CMMC compliance requirements as an additional cost, and to minimize that cost you may want to implement them with your existing network and IT support staff. Before you make that decision, we want to walk you through the different capabilities you would need to build in order to fully comply with the requirements.
Depending on the type of work you do or the business you operate, at a very basic level you would need the following: computers (desktops or laptops) for your employees to work with; a network, with all its switches, routers, etc., that the employees can connect to; an email system to communicate internally and with your clients or vendors (unless you operate entirely by snail mail); and physical controls on the doors of your buildings to manage access to your factories or offices. This is how many small and medium businesses have operated to date, but DoD now requires more cybersecurity maturity, which means it wants you to implement the NIST 800-171 controls and also prove to them, through third-party audits, how effective those controls are.
The NIST 800-171 control families include a lot of technical and management controls. Quite a few of them are policies and procedures, for example a physical access policy stating that you will document anyone who comes in or out of your building without a badge; that is easy. Other controls are not so easy. Here we discuss some of those challenging controls.
For Access Control: do you know who is accessing which systems, when, and from where? Do you know whether they are authorized to access those systems? Have you implemented least-privilege policies so that users cannot see more than they are authorized to see? Have you implemented session locks on your systems? Do you know which third parties are connecting to your systems?
For Audit controls: do you collect logs of all system activity and of all system access? Do you know whether any data has been updated or deleted in your applications? Do you know which systems are talking to which systems within your environment? Can you ensure that the actions of individual system users can be uniquely traced to those users, so that they can be held accountable for their actions? And lastly, do you protect the audit log data against tampering, since this critical data will be needed for any investigation?
For Identification and Authentication controls, which are closely tied to access controls: can you identify all your information system users, processes acting on behalf of users, and devices? Can you authenticate (or verify) the identities of those users, processes, or devices before allowing access to organizational information systems? Have you implemented multi-factor authentication for privileged accounts?
For Incident Response controls: do you have a Security Information and Event Management (SIEM) system in place to detect and report events? Do you have the technical capability to investigate a suspicious event to determine whether it is an actual incident, and if so, do you have an automated way to convert it into a ticket that can be tracked to resolution? You can certainly do this manually, but do you really want to? Is a digital ticketing system not better?
For Risk Management, Configuration Management and Security Assessment controls: do you have a baseline inventory of all the systems and equipment in your organization? Do you scan these systems for vulnerabilities on a regular basis? Do you patch the systems on a regular basis? Most hacks occur because systems have gone unpatched for a long time, leaving the doors open for attackers to penetrate the network using known methods.
For System and Communications Protection controls: do you keep your CUI encrypted in motion and at rest? Do you have firewalls in place to manage the traffic flowing into and out of your network? Do you segment internal systems from public-facing ones, such as your websites or your third-party portal?
One could go on and on: there are 14 control families and 110+ controls to be implemented, which realistically require multiple different technologies as well as software engineering, security engineering, incident monitoring, compliance management, systems assessment and security monitoring skills. That means investing in a variety of highly skilled, hard-to-find and very costly labor. Do you really want to attempt to DIY CMMC compliance?