CMMC Demands Proper Information Handling and Sharing Practices

With the migration to the Cloud, BYOD, and COVID19 creating a world-wide remote workforce, there truly is no perimeter anymore. Now more than ever, we need a seamless way to adapt our cyber defenses to also look towards the inside and proactively secure data. For government and defense industry, the solution also has to scale to meet the demands of both the US Department of Defense (DoD) and the critical infrastructure players and map to critical controls laid out in NIST 800-171, 800-53, and CMMC – primarily CMMC Levels 3-5. Extending a Zero Trust approach used for system and application access to file access and sharing offers a promising solution.

What is CMMC and Who Does it Apply To?

The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for DoD contractors, replacing the self-attestation model and moving to third-party certification. This new certification is intended to tighten cybersecurity within the defense industrial base (DIB). CMMC consists of five levels to measure cybersecurity practices of contractors.

It applies to anyone in the DIB; “the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

The level of CMMC a DIB organization will need to meet depends on the type of information in its IT system.

Overview of the CMMC Capabilities and Maturity Levels:

  • Level 1 Safeguard Federal Contract Information focuses on “basic cyber hygiene” practices such  as using anti-virus software and  regularly changing passwords. Basically, follows FAR 52.204-21.
  • Level 2 Transition Step to Protecting Controlled Unclassified Information (CUI): Requires “intermediate cyber hygiene” and serves as a stepping stone to Level 3.
  • Level 3 Protect CUI is what the Pentagon expects a plurality of the defense industrial base to achieve. NIST SP-800-171 Rev2 compliant.
  • Level 4 Protect CUI / Reduce Risk of Advanced Persistent Threats (APT); and
  • Level 5 Protect  CUI / Reduce Risk of APTs are even more stringent and will be imposed on “very critical technology companies” working with the most sensitive information.

When an organization reaches CMMC Level 3, they also have to meet the requirements for DOD INSTRUCTION 5200.48:

Federal Control Information (FCI) – information provided by or generated for the government under contract not intended for public release.

Controlled Unclassified Information (CUI) –  information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and  government-wide policies.

The Impact of CMMC

The DoD expects CMMC to take five years to fully roll out and will really get going in 2021. DoD expects the third-party assessors to certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023. By fiscal year 2026, all new Defense Department contracts will contain CMMC requirements that companies must meet to win the award.

As we now look at this new evolving operational environment that’s being tailored for the DOD, in this case, the Cyber Domain, it significantly impacts all other Warfighting Domains, and now relies heavily on secure cloud, intranets (SIPRNet/NIPRNet), collaboration portals and COTS-based network technologies, services, and applications to service the needs of the warfighter, air assets, Coalition partners and tactical communication across the battlespace. This may include the Battle Command systems, down to the soldier and weapons platforms.

There are additional moves to implement multi-domain operations/environments which will additionally impact various “Cyber AORs,” to include the Air Force Information Environment (AFIE), the Enterprise Battle Management Command and Control Systems, JADC2 (Joint All-Domain Command and Control), along with manned/unmanned (UAS/UAV/UUV) assets, along with how and what information will be shared in a multi-coalition environment.

There has also been a lot of discussion and interest in permitting unclassified users to use the SECRET High Tactical Internet to access unclassified computers connected to the commercial Internet. This capability is of particular importance to certain users, who typically use unclassified applications and data, and need to communicate in a split-based mode with large computer systems. This will inherently create even greater operational cyber risks and an even greater need for not only zero trust network solutions, but a way to extend this same level of control to application and data access.

How Zero Trust Provides the Key to Success

Extending a Zero Trust approach used for system and application access to file access and sharing ensures compliance with CMMC standards for collaboration of FUI and CUI.  Attribute-based access control (ABAC) is a Zero Trust security model that evaluates attributes (or characteristics of data and/or users), rather than roles, to determine access. It uses a data-centric security approach that evaluates each file’s attributes including security classification and permissions, as well as user attributes such as security clearance, time of day, location, and device to determine who is able access, as well edit and download files.

This gives agencies granular, real-time control over the access of information by adjusting security in real-time to determine whether the user should be given access to the requested information based on all of these parameters at that point in time. If the user scenario does not match, or appears suspicious, then access is denied, or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours and they are using a BYOD device in another country, file access will be denied – effectively thwarting a hacker using stolen credentials

Extending Zero Trust to File Access and Sharing

Want to learn more? This new White Paper outlines how extending a Zero Trust approach used for system and application access to file access and sharing ensures compliance with CMMC standards for collaboration of FUI and CUI and protects against a growing threat vector; insider threats.

You will learn:

  • The information security challenges facing government and defense today.
  • Understand the CMMC requirements for collaboration of FUI and CUI.
  • How to apply the zero trust methodology to the data layer using Attribute Based Access Control (ABAC) to meet and enforce key CMMC capabilities.

Who should read this:

  • CMMC Program Leads
  • Defense Contractors
  • C3PAOs
  • IT Teams responsible for SharePoint & Microsoft Teams
  • Information Security Teams