CMMC, NIST 800-171 and Security Assessments
Do you understand the process of developing, attaining, and maintaining CMMC compliance yet? Find out everything you need to know in our latest webinar, featuring Loren Larson from Dell Technologies.
It has been a while since the DoD has released its Cybersecurity Maturity Model Certification—do you know what’s expected of you?
If you don’t, it’s time to figure it out. For an overview, check out our latest webinar, led by our very own Mike Shelah, and Loren Larson from Dell Technologies:
What Is NIST 800-171?
NIST 800-171 refers to the National Institute of Standards and Technology Special Publication 800-171. It governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations, providing a framework of cybersecurity standards.
For certain government agencies, most notably the DoD (Department of Defense), GSA (General Services Administration) and NASA (National Aeronautics and Space Administration), a revised set of rules for NIST compliance took effect on December 31, 2017, requiring anyone who works with CUI from those agencies to implement specific security measures governing how they handle that data, and to report non-compliance to the agency's CIO.
The minimum cybersecurity standards are described in NIST Special Publication 800-171 and broken down into fourteen areas:
- Access Control: You must limit system access to authorized users.
- Awareness & Training: You are required to promote awareness of the security risks associated with users’ activities, train them on applicable policies, standards and procedures, and ensure they are trained to carry out their duties.
- Audit & Accountability: You must create, protect, retain and review all system logs.
- Configuration Management: You are required to create baseline configurations and utilize change management processes.
- Identification & Authentication: You must authenticate information systems, users, and devices.
- Incident Response: You’re required to establish an operational incident-handling capability to prepare for, detect, analyze, contain, recover from, and respond to incidents.
- Maintenance: You must perform timely maintenance of your information systems.
- Media Protection: You must protect, sanitize and destroy media containing CUI.
- Personnel Security: You’re required to screen individuals before authorizing their access to information systems, and ensure these systems remain secure upon the termination or transfer of individuals.
- Physical Protection: You must limit physical access to and protect and monitor your physical facility and support infrastructure that houses your information systems.
- Risk Assessment: You are required to assess the operational risk associated with the processing, storage, and transmission of CUI.
- Security Assessment: You must periodically assess, monitor, and correct deficiencies and reduce or eliminate vulnerabilities in your organizational information systems.
- System & Communications Protection: You must monitor, control and protect data at the boundaries of your systems, and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security.
- System & Information Integrity: You’re required to identify, report, and correct information and information system flaws in a timely manner. You must also protect your information systems from malicious code at appropriate locations, and monitor information security alerts and advisories so you can take appropriate action.
What Is CUI?
CUI is any unclassified, but sensitive, information from the U.S. government. This information is shared with government agencies, government contractors, and subcontractors, and it can include anything from financial information and product patents to research data and medical information.
NIST Compliance 101
With NIST 800-171, it’s the contractor’s responsibility to safeguard all data and information related to any work performed for the DoD, including:
- Controlled technical information (CTI)
- Information that would be described as controlled unclassified information (CUI)
- Covered defense information (CDI)
If you’re not compliant, you’re technically no longer qualified to contract with the DoD—no matter which contracts you have in place or the professional relationships you’ve built over the years.
Complying with NIST is a matter of following these seven steps:
- Locate and Identify CUI
- Categorize CUI
- Implement Required Controls
- Document a System Security Plan
- Train Your Employees
- Monitor Your Data
- Assess Your Systems and Processes
What Is CMMC?
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) developed the Cybersecurity Maturity Model Certification (CMMC) framework in order to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB).
This system measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected by the DIB.
The CMMC model encompasses the basic safeguarding requirements for FCI specified in the Federal Acquisition Regulation (FAR) clause 52.204-21 and the security requirements for CUI specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
Moving From Self-Assessment To Third Parties
There are five key steps in attaining your CMMC certification:
- Self-Assessment: You need to know where you stand. Have you evaluated how well you’re protecting FCI and CUI, in line with CMMC’s requirements?
- Pre-Audit Support: This is where an expert third party like Advantage Industries comes in. We can assess your current processes and determine where you may be vulnerable. We’ll provide you with a detailed assessment that pinpoints areas of concern that you’ll need to address prior to your audit.
- Remediation: Using the information gathered in our assessment, we’ll address any potential vulnerabilities and transition your organization to a fully CMMC-compliant state.
- Audit: The next step is to hire a Certified Third-Party Audit Organization (C3PAO), and provide them with the results of your self-assessment and the changes made with assistance from our team.
- Certification: Congratulations—you’re now CMMC certified.
How Dell Can Support CMMC Compliance
Our partner Dell can assist with critical CMMC compliance tasks, starting with a Gap Analysis. This process will examine your current state and develop a roadmap to CMMC compliance, detailing each and every upgrade or change you need to make.
Furthermore, Advantage and Dell can guide you through the roadmap and remediation phase, which could include:
- Standing up Office 365 Tenants
- Implementing Vulnerability Monitoring and Remediation Services
- Configuring endpoints to achieve maximum endpoint and data protection
- Assisting with the monitoring of data and endpoints through Microsoft ATP
- Developing endpoint protection through Carbon Black, Dell Data Security, or other Solutions
- Developing Policies and Procedure documents
- Providing expert guidance and strategy support through vCISO services
Make sure to check out the webinar recording above for the detailed walkthrough of Microsoft’s CMMC product placemat with Mike and Loren.
Need Expert Assistance Implementing CMMC & NIST Compliance?
Looking for expert assistance with your CMMC compliance planning?
Advantage Industries is now a Registered Provider Organization (RPO), and two of our staff members, Kevin Dubois and Matt McGinty, are now fully certified CMMC Registered Practitioners (RP). With our partner Dell, we can help you determine where your non-compliance risks are, and eliminate them.
Let’s get started on your compliance processes right away.