islandsystems.net /articles/
Island Systems, LLC - Information Security, Compliance, and Technical Solutions
Active Web Watch

 


CMMC 2.0 Allows for POA&Ms but There’s a Catch…

Under CMMC 2.0 you can now have a Plan of Actions and Milestones (POA&M) for any control you’re not meeting 100%. While this a huge improvement over the old rules, only some NIST 800-171 controls are allowed in your POA&M. Controls with the highest weight (5 points) are NOT allowed in your POA&M! I’ll put the list at the end of this article but please read on for other important details.

Additionally, any POA&M entries need to be addressed “within a clearly defined timeline”. Can I define 100 years? It’s clear, right? That’s probably not the intent. With luck the DoD will set some boundaries but this vagueness creates fresh loopholes. Read on to see how they might be closed…

Contract Awards Will Require Minimum Compliance Scores

Prior to CMMC 2.0, there was no minimum acceptable score under the DFARS 7020 Assessment Requirement. That will change with CMMC 2.0 because “DoD will establish a minimum score requirement to support certification with POA&Ms.” In other words, you won’t be able to meet compliance requirements below a certain score and won’t be eligible for contract awards as a result.

Scores range from -203 to 110 points. What the minimum score will be is yet to be determined but it won’t likely be less than 7 (only the highest weighted controls). My guess that it will not be less than 60 (all the 3 and 5 point controls plus all the 1 point CMMC 2.0 Level 1 / FAR Basic Safeguarding controls). I would also expect this to increase over time as more contractors score higher, thereby shrinking the timeline loophole.

Contracting Officers will have a clear-cut way to evaluate which firms are eligible to be awarded contracts. This fixes a critical deficiency in the current compliance enforcement regime, which didn’t define any minimum criteria for contract award. Leaving it up to the Contracting Officer or bid evaluators to determine what score was adequate created liability problems and risked award challenges. It’s also a major reason why there’s limited true compliance to date with only around 1/2 of all contractors actually meeting the standards when professionally assessed by DIBCAC.

Contractor Executives Need to Sign-off on Compliance Scores

With CMMC 2.0, executives are now on the hook for signing off on compliance through a self-attestation requirement. Previously, the scores simply needed to be completed by the Contractor and posted to SPRS, which could be done by anyone with SPRS access. Usually, this means an IT team does the score and a contracts person uploads it to SPRS. With this change, compliance will be elevated to the C-suite, the same organizational level as the risk for False Claims Act (FCA) penalties applies. One presumes executives will ask questions before signing off, something that was possible to overlook before.

To put some teeth into the requirement, the Department of Justice recently created a new Civil Cyber-fraud Initiative that focuses explicitly on non-compliance with cybersecurity requirements by Government contractors. With FCA penalties being applied to both companies and individuals, this raises the stakes for anyone thinking about knowingly misrepresenting their cybersecurity compliance status.

Did you know…

  • Whistleblowers typically receive 15% to 30% of the recovered amount under the False Claims Act qui tam cases
  • Penalties are 3x damages plus between $11,665 and $23,607 per claim
  • Each invoice submitted under false terms is subject to a separate FCA claim (e.g. 12 monthly invoices could cost you $283,284 plus 3x damages)
  • Whistleblowers are protected from reprisals
  • Hotlines are set up for every civilian agency and the DoD

What About CMMC Waivers?

Lest you think a waiver is your ticket out, let me throw cold water on that idea. While waivers are allowed, they come with major restrictions:

  • Applied to entire CMMC requirement, not individual cybersecurity practices
  • Allowed on a very limited basis in select mission critical instances, upon senior DoD leadership approval
  • DoD program office submits a justification package that includes specified timeline and associated risk mitigation plan
  • Timelines imposed on a case-by-case basis to achieve CMMC compliance

Clearly, they intend this for a very few specific situations. If you truly can’t meet the requirements, including using “alternative measures”, say due to some specialized manufacturing system, then it’s worth giving it a go but otherwise, I’d say forget it.

Are You Struggling to Meet NIST 800-171, DFARS 7012, or CMMC Requirements?

Before we get to the list of disallowed controls, let me pitch our solution: Compliance Island provides an already CMMC 2.0 Level 2 compliant solution and is designed to process all types of CUI and FCI data, include export controlled, nuclear, and other sensitive categories. If you have DFARS Clause 7012 in your contracts, skip the POA&Ms, unpredictable costs, and worries. Contact us to see how we can help you get, and stay, compliant in just days at a low fixed cost.

NIST 800-171 Rev. 2 Controls That Cannot be on a POA&M

Under CMMC 2.0, the highest weighted (5 points) requirements cannot be on POA&M list. If you have a POA&M for any of these controls, prioritize getting them implemented before CMMC 2.0 rulemaking is completed:

Control Security Requirement
3.1.1* Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2* Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.12 Monitor and control remote access sessions.
3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.16 Authorize wireless access prior to allowing such connections.
3.1.17 Protect wireless access using authentication and encryption.
3.1.18 Control connection of mobile devices.
3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.2 Ensure that personnel are trained to carry out their assigned information security- related duties and responsibilities.
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.5.1* Identify system users, processes acting on behalf of users, and devices.
3.5.2* Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
3.5.10 Store and transmit only cryptographically- protected passwords.
3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.8.3* Sanitize or destroy system media containing CUI before disposal or release for reuse.
3.8.7 Control the use of removable media on system components.
3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
3.10.1* Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.
3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
3.13.1* Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
3.13.5* Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.13.15 Protect the authenticity of communications sessions.
3.14.1* Identify, report, and correct system flaws in a timely manner.
3.14.2* Provide protection from malicious code at designated locations within organizational systems.
3.14.3 Monitor system security alerts and advisories and take action in response.
3.14.4* Update malicious code protection mechanisms when new releases are available.
3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
The highest weighted NIST 800-171 Rev. 2 controls are disallowed in CMMC 2.0 POA&Ms

* FAR Basic Safeguarding Controls (applies to all Government contractors, not just those handling CUI)

The DoD describes this list as a “small subset of requirements that cannot be on a POA&M”. No argument from me that it’s a subset and, yes, it’s smaller rather than larger, but 45 out of 110 doesn’t seem “small”.

NB: This article was written on November 7, 2021. CMMC 2.0 is currently a proposed rule that is just beginning the rulemaking process. If you’re reading this after rulemaking has finished, please confirm the details before taking action.

The post What’s in Your POA&M? appeared first on Island Systems, LLC.

Whether your trying to score 110 points in your NIST 800-171 self-assessment, or seeking CMMC Level 1 or CMMC Level 3 compliance and certification, this article is for you.

The key to successful CMMC implementation is reducing the scope of the compliance effort. What is compliance scope and why does it matter?

Note: Where I mention CMMC, it generally also applies to NIST 800-171 and CMMC levels 1 through 3.

What Is Compliance Scope?

Scope defines the boundaries around what must meet the compliance requirements and what is out-of-scope. Here are some examples:

  • You handle CUI data on your office computer, although others don’t handle CUI. The entire office network is likely in scope.
  • You exchange regular unencrypted email containing FCI with another contractor or project sponsor you’re working with. Every system that touches the email is in scope – including the internet (oops!).
  • You share files containing CUI with the project team, including prime and subcontractors, using a secure cloud service. The cloud service, and any device you access it from, is in scope. (Note: the other contractors have the same compliance requirements you do per DFARS flow-down requirements.)
  • You process FCI from home to using a personally owned computer connected to the office VPN via your home WiFi network. Your home systems and network are in scope.

Why Does Limiting Scope Matter?

CMMC compliance is complex, costly, and time consuming to implement and maintain. All of those factors can be reduced by minimizing what’s in scope for compliance purposes.

For example, consider how much more limited the scope of processing CUI on a standalone laptop that you lock in a safe when not in use would be. Only the laptop would seem to be in scope but it’s not quite that simple. CMMC has other requirements, such as backup, and you’re probably going to need at least some removable media for system updates, so the scope is going to expand a bit. Even so, this is about the minimum scope you can achieve.

In practice, a standalone laptop isn’t likely to meet your needs. You’re not going to be able to communicate with your sponsors, subs, or primes, let alone your own team without a more complex system.

If you’re like most organizations, you have FCI and CUI in a variety of places throughout your network and systems putting pretty much everything in scope. I’ll cover what “everything” means in more detail later on.

Limiting Compliance Scope Using Encryption

Encryption, particularly network and message encryption, is a key factor in determining what’s in scope and what’s out of scope. Imagine using regular email to send CUI to your sponsor. Email is normally unencrypted. At many points, as the email gets routed from network to network, that email message is recorded in log files where it can be viewed by unauthorized parties.

The simple fact of it being unencrypted means the entire internet email system comes into scope. Obviously, that’s not going to be a compliant solution.

By encrypting the email (message encryption), you narrow the scope down to your email system, the network it’s connected to, and the devices you access it from.

The same situation applies to anywhere CUI or FCI is transmitted. You can limit scope to a significant degree by encrypting the data using secure communications protocols like TLS, which you’re using right now to communicate with this website. It won’t automatically remove your entire network from being in scope but it is critical to ensuring the entire internet is out of scope.

Limiting Compliance Scope Using Data Segmentation and Enclaves

Data segmentation is the process separating different data classifications, like separating Covered Data from your internal data, into separate systems or subsystems, often called an “enclave”.

By setting up an enclave specifically for FCI and CUI, you can reduce compliance scope to the the enclave and it’s components. All your non-FCI/CUI data stays where it is and you move all your FCI and CUI into the enclave.

What’s different about an enclave than a standalone system or fully isolated network (such as when handling classified data), is that it can still interact with systems outside of the enclave. For example, you conveniently access the enclave from your usual computer, typically via a remote desktop application or web browser.

Enclaves can greatly limit compliance scope but are very complex to build to satisfy all the NIST 800-171, CMMC, and other compliance program requirements.

Compliance Island Enclaves

Before we get into what it takes to build your own enclave, I want to talk about our ready-to-deploy enclave solution, Compliance Island. In addition to learning about our offering, you’ll pick up some ideas should you decide to build your own enclave.

As you’ll see in a moment, a lot goes into building an enclave that satisfies all the NIST 800-171 and CMMC Level 3 requirements. With that challenge in mind, we thought a ready-to-deploy, off-the-shelf solution would be of great benefit to many organizations. Standardized enough to keep costs down but flexible enough to meet varying contract requirements, we think Compliance Island will meet the needs of most contractors. Where it doesn’t we’ll be happy to say so and point you to other firms that might better suit your unique situation.

With Compliance Island, compliance scope is limited to the Compliance Island solution, which is already compliant, fully documented, and, for CMMC Level 3, includes compliance services like risk, change, and incident management. Scope on your local system is limited to the devices you use to access Compliance Island and they only need to meet the simple requirements of FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, which you probably do already.

Access to Compliance Island is via a secure Remote Desktop session, either through an app installed on your device or web browser. Communication between your device is always secured via TLS encryption. No CUI or FCI data is ever kept on your device.

Inside Compliance Island, you interact with a familiar Windows 10 desktop where all the applications, such as Microsoft Office 365, your organization needs to meet it’s contract requirements are installed. Email, OneDrive, and Teams are available and secured, with email encryption enabled by default.

Add-ons include: Linux, graphics, and developer workstations; high-performance compute; application servers; and most Microsoft Azure services. For these add-ons, you’ll treat your Compliance Island Windows 10 Desktop as a “jump box”. This approach provides an extra layer of security, reduces risk, and simplifies the compliance process greatly.

Learn more about Compliance Island.

How to Build a CMMC Enclave

Designing and building a basic enclave isn’t hard but when you need to meet CMMC requirements, things change. A lot.

Without CMMC requirements, it’s simple to build an enclave: simply sign up for Windows 365 Business and call it a day. Unfortunately, a basic solution like that won’t satisfy your compliance requirements.

Windows 365 Enterprise gets you closer but it’s just a starting point and not a full ready-to-deploy solution. Compliance Island uses the same underlying Azure Virtual Desktop solution but builds out all the features and components needed to meet CMMC requirements.

Below are the key CMMC technology areas that will need to be addressed for your CMMC enclave. This is by no means a complete list but it’ll give you a starting point:

  • Physical Locations
    • Everywhere you store, process, or transmit FCI/CUI
    • Offices
    • Private Data Centers
    • Cloud Providers (must meet FedRAMP Medium Baseline or FedRAMP High Baseline for export controlled CUI)
    • Remote device / workstation locations
  • Devices
    • Workstations
    • Servers
    • Mobile Devices
  • Data
    • Disks and Storage Systems
    • Backups
    • Removable Media
    • Files, Databases, and Logs
  • Software
    • Operating Systems
    • Email (with encryption e.g. S/MIME)
    • Collaboration / File Sharing
    • Productivity and Other Applications
    • Malware and Device Security Software
  • Networking
    • Routers
    • Firewalls
    • Subnets
    • VPN / Remote Access
  • Encryption
    • Data at Rest
    • Data in Transit
    • Certificate and Key Management
  • Security
    • Authentication and Authorization
    • Multi-factor Authentication
    • Logs (with increase logging detail and long retention periods)
    • Security Incident and Event Management (SIEM)
    • Intrusion Prevention / DDoS Protection / etc.
  • Disaster Recovery
    • Automated Backup / Restore

There are thousands of details that are needed to build out a CMMC compliant solution, regardless of whether you’re building your own enclave or trying to bring your current environment into compliance. To put your level of effort into perspective, know that we’ve invested thousands of hours architecting, developing, and documenting Compliance Island using an experienced expert team and heavily leveraging Microsoft Office 365 and Azure.

Hopefully you can see why we built Compliance Island and why we say that it’s the easy way to CMMC compliance.

The post Why You Should Use a CMMC Compliant Enclave to Protect CUI and FCI appeared first on Island Systems, LLC.