With its new Cybersecurity Maturity Model Certification (CMMC) standard, the Department of Defense is getting serious about protecting the supply chain that protects the nation. The CMMC’s enhanced security requirements will require an estimated 300,000 companies to earn third-party certification of their security posture. By 2025, every DoD contract will require vendors to meet some level of CMMC compliance. And true to its governmental nature, CMMC presents a dizzying labyrinth of acronyms, levels and due dates.
To help companies understand how CMMC affects them, we talked with Pratum Senior Information Security Consultant Ben Hall, who recently completed coursework to be a Registered Practitioner with the CMMC Accreditation Body (CMMC-AB). That makes him one of the nation’s first wave of private contractors trained to help companies prepare for their CMMC audits. We asked Ben for some real-world advice on how to implement CMMC efficiently.
Tell me in 30 seconds what I need to know about CMMC.
If you produce something in a supply chain that ends with a product delivered to the DoD, you’ll probably need to get CMMC-certified at some point in the next four years. And you can’t just declare yourself secure. It’s a significant process that ends in assessment by a certified third party. If you don’t do this, any company that ultimately serves the DoD will have to stop using you as a vendor. For more details, I recommend taking a couple of minutes to read the FAQs Pratum recently posted. This roadmap provided by the CMMC-AB also offers a great, quick summary.
If I’m not a prime contractor to the DoD, do I still need to worry about this?
Probably. Prime contractors must ensure their subcontractors are certified at the required CMMC level prior to awarding subcontracts. The only exceptions are companies that solely provide commercial off-the-shelf products (COTS, as the government calls it). Items meet the COTS criteria if they are mass-produced, rather than customized for government use. But to be honest, if you’re unwilling to take the security steps required to meet even Level 1 of CMMC, many larger companies won’t feel safe doing business with you anyway.
What does it mean that you just became a Registered Practitioner for CMMC?
I’m trained to help organizations prepare for the CMMC certification process, which is a test you definitely want to pass on the first try for your desired or required maturity level. You’re going to invest significant time and money preparing for your assessment, and failing your assessment means you won’t get the contract. During my coursework administered by the CMMC-AB, I learned all the details of how CMMC works. So I can help companies understand exactly which level they’ll need to reach, identify where they’re currently falling short of the requirements and make a plan to get everything ready in time.
Can you personally certify a company as CMMC-compliant?
CMMC rules require that you have two different people handle the prep process and the actual assessment. The CMMC-AB’s official assessors are known as Certified Assessors (CAs), who work for Certified Third-Party Assessing Organizations (C3PAOs). One person can be both a Registered Practitioner (who handles the prep process) and a Certified Assessor (who does the assessment). But I’ll be focusing on preparing clients for review by a Certified Assessor.
So just to be clear: I can’t do a self-assessment anymore?
Correct. That’s actually one of the driving forces behind CMMC. Under the DoD’s Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, companies could do a self-attestation of their security posture and submit their score. CMMC requires you to get a third-party evaluation.
Is something like this going to be applied to government contracts beyond the DoD?
Probably. Most industry watchers expect CMMC or something very similar to it to become the standard for all federal procurement.
How long will I have to make changes if I barely miss the grade on my assessment?
Unfortunately, you don’t get a grace period. This is a pass/fail situation. If the DoD puts a required CMMC level in a contract, it will only award the contract to a vendor who has that certification done at the time the contract is awarded. While many previous government standards allowed you to fix shortcomings through a Plan of Actions and Milestones (POAM), CMMC doesn’t allow for POAMs.
Got it: I need to plan ahead. How soon do I need to worry about this showing up in RFPs and contracts?
A handful of prime contracts have already been issued with CMMC requirements. The DoD will continue to gradually require CMMC compliance in a rollout stretching from 2021 to 2026. Right now, it looks like about 15 new prime contracts will include CMMC in 2021.
Where should I start my preparation?
Based on the kind of information you use in the course of doing business, you should be able to determine which of the five CMMC levels you’ll need to achieve. Then you can review the requirements for your level and start figuring out what you’ll need to do to achieve certification.
Can I get the government to help pay for any of this new process?
The DoD has laid the groundwork for grants that will help small and medium-size businesses pay some of the CMMC costs. The National Defense Authorization Act for 2021 includes a section authorizing the secretary of defense to allocate funds to the MEP Centers mentioned below so they can help businesses get their certifications. Talk with the MEP Center in your state to get the details on what’s available and how you can apply.
Advisors at your local PTAC (see below) can also help you determine how much of your CMMC process you might be able to build into contracts as an allowed expense.
Where can I get help with all this?
That's what I'm here to do! A cybersecurity consultant like Pratum will help with a gap analysis and a plan to get you ready in time for the contracts that apply to you. Check out our CMMC consulting page or get in touch with us.
You also can get advice from governmental bodies tasked with helping manufacturers and other companies navigate the government procurement process. Each state has a Manufacturing Extension Partnership Center that can help you with CMMC. You can look up yours at https://www.nist.gov/mep/centers. You can also work with one of about 300 Procurement Technical Assistance Centers nationwide. You can find a nearby PTAC at https://www.aptac-us.org/.
The traditional term “supply chain” hardly captures how modern companies—even small ones—interact with customers and suppliers. “Supply ecosystem” more accurately describes how sensitive information flows in all directions among companies that depend heavily on each other in daily operations. And just like an oil spill at sea, a data breach anywhere in a business’ ecosystem can quickly cascade through other organizations, shutting down operations and creating significant costs.
That means businesses must take an active interest not only in their own information security posture but in the security of companies they rely on. Most companies now face outside data security concerns from three directions:
Because of all this interdependency, companies increasingly demand that suppliers and partners provide actual proof that they maintain an acceptable security posture. The days of simply declaring that you have things under control are quickly fading. Today, responsible companies require at least completion of a very detailed questionnaire specific to their concerns. And frequently, proving your security position means earning an independent, standardized certification such as SOC2.
Pushing back against the verification requirements of major companies and government entities may cost you the contract. “You may be providing toilet paper, and someone’s asking you to fill out a cybersecurity questionnaire,” says Pratum Founder and CEO Dave Nelson. “If you don’t, I guarantee there’s someone out there who will do it and take that contract.”
Rather than fighting it, we recommend leaning into the requirements and turning them into a business advantage. Many Pratum clients have leaped ahead of their competitors by staking a position as early adopters of key security standards. In this case study, one marketing company attributes 33% of their current customer portfolio to an advanced security mindset that helps them get more RFPs and win more deals.
Attention in this area currently focuses heavily on the new CMMC standard that the Department of Defense is applying to every vendor in its supply chain. More than 300,000 companies will need to get certified at one of CMMC’s five levels, depending on the information they access in the course of executing their contract.
Evolving breach notification laws also drive much of the urgency around securing supply chains. Under these laws (which vary greatly by state), companies face potentially costly legal requirements to notify customers if hackers access sensitive information held by the company. Some organizations are pushing their suppliers to shore up their security as protection against inadvertent leaks of sensitive information when it travels to other companies.
As you consider how to secure your supply chain, consider these potential risks:
A first step in securing your supply chain is identifying your critical vendors (and recognizing when you ARE one for your customers). A critical vendor typically:
As you begin planning your vendor management approach, consider the following steps:
– Require vendors to fill out a cybersecurity questionnaire and a management attestation of their security posture.
– Require third-party attestation audits such as ISO 27001, SOC2 or CMMC.
– Require external audits by your team or a selected third-party auditor.
To understand what makes a successful digital forensics investigation, imagine assembling a jigsaw puzzle—without the box to show you the image you’re trying to create. Pratum Founder and CEO Dave Nelson compares an investigator’s first steps to dumping all the pieces of a mystery puzzle onto a table.
“Sometimes you don’t know what picture you’re trying to assemble,” Dave says. “Sometimes you get a few pieces together and realize that the pieces aren’t even from the same puzzle. The more we know about what the puzzle should look like, the easier it gets to know we have the right pieces.”
To a top-notch investigator, the pieces on the table start revealing a picture based largely on what isn’t in a data log. And they can quickly zero in on what’s missing if a company followed digital forensics best practices before the breach. In a typical case, our clients call us with an idea of what happened and ask us to confirm whether it really occurred. But a good digital forensics investigator knows to look in the gaps.
“It would be great if we could do an investigation and see when it started, who was involved and what was impacted,” Dave says. “But that never happens. There’s always something missing. We have to ask why. Was the data never created in the first place? Or did someone delete it?”
Making sense of what’s missing becomes especially critical in legal proceedings stemming from a data breach. In a civil court case, you could be held liable for something that probably happened, even if no one can prove that it definitely happened.* As you write your company’s security policy, consider the following tips from digital forensics investigators to get your data house in order before your next breach happens.
“There’s a reason why digital forensics in a poorly prepared organization can get so expensive,” Dave says. “It’s like pulling a string on a sweater.” If your data policies leave an investigator blindly searching for clues, the hours quickly pile up. But, Dave warns, “You don’t want to look like you stopped too soon. That’s worse than going deep and finding something worse.”
Good investigators see red flags when steps go missing in an expected chain of actions. “Sometimes we never see the user log in, but we see them log out,” Dave says. “That makes us question what happened. Was there a malfunction? Has the user been logged in for a very long time, meaning the attack may have happened outside of the short window we’re looking at?”
Clues like missing logins/logouts lead to more questions: Did the hacker wipe out other critical information? Are normal day-to-day activities missing? To an alert investigator, that feels like a jungle where the birds have gone silent, meaning a panther could be skulking around somewhere down there.
“The lack of data can be more concerning than when you see a specific act.” – Dave Nelson, CEO, Pratum
Along with costing you operational time, breaches can trigger potential fines and lawsuits. In breach situations, the key legal concept is “burden of proof.” Most people know the phrase “beyond a reasonable doubt” from courtroom dramas, but that’s a criminal case standard. Data breaches are typically civil cases, where the burden of proof is much lower: a “preponderance of evidence.”
“All someone has to prove is that there’s more than a 50/50 chance that something happened,” Dave says. “If you have no logs to prove it didn’t happen, there can be problems.”
Let’s say you’re certain that a hacker got into your system, but there’s no sign that they exfiltrated data. Time to relax, right? Not quite. Can you prove that they didn’t steal information? If your data logs have big gaps, a plaintiff may convince a jury that something could have happened in that fog.
Your defense could get even more difficult if a regulatory agency gets involved. “In those situations,” Dave says, “you could face the very subjective opinion of the regulator deciding whether they think you did what you should to protect the data.”
Even without a smoking gun, you need enough evidence to show that it’s more likely that nothing was stolen than that something was stolen.
Your actions before and after the breach also can help your civil case involving a breach. Your defense gets stronger if you can demonstrate that you showed due diligence both in preparing for breaches and in dealing with those that actually happen.
Before a breach occurs, you need written information security policies and proof that you actually enforce them throughout your organization. Make sure you’re following your industry’s best practices for information security.
Once a breach occurs, make every reasonable effort to fully investigate what happened. Acting quickly when a breach happens is a great way to show that you’re taking it seriously. So is following up on suspicious activity. Maybe your forensics investigator looks at a compromised server and finds no evidence that data was tampered with. Don’t stop there. Did the hacker jump to another server? Did they exfiltrate data to other files, workstations, etc.?
Talk with a digital forensics team like Pratum’s in advance about the kind of data and audit logs they would want to see in an investigation. Windows and Linux enable many useful tracking settings by default, but that still won’t capture the whole story. On the flip side, tracking everything on your network would create an unusable flood of data (and a big data storage bill). So it’s critical to make smart choices about what to track.
By building a profile in advance, you know what should show up in an audit log. If elements are missing, you know that either your system failed or that someone intentionally tampered with the log to hide their actions.
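The two passages above (a logout with no matching login, and a profile of what should appear in a log) describe the same technique: compare the log you have against the log you expected. The script below is an added illustration, not Pratum’s tooling or anything from the original article. The log format, the sample lines and the baseline profile (one backup event per day, no silent stretch longer than eight hours) are all assumptions constructed for the example; a real deployment would read the profile from the system owner’s own baseline.

```python
"""Flag what is missing from an audit log rather than what is present:
logouts with no recorded login, expected daily events that never fire,
and silent stretches longer than the baseline allows.
Added example; log format and baseline profile are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format: "<ISO timestamp> <EVENT> user=<name>".
SAMPLE_LOG = """\
2024-03-04T08:00:01 LOGIN user=alice
2024-03-04T08:00:05 BACKUP_COMPLETE user=svc_backup
2024-03-04T08:15:12 LOGIN user=bob
2024-03-04T12:02:00 LOGOUT user=alice
2024-03-04T17:30:00 LOGOUT user=bob
2024-03-04T23:58:40 LOGOUT user=carol
2024-03-05T07:59:50 LOGIN user=alice
2024-03-05T15:50:00 LOGOUT user=alice
"""

# Assumed baseline profile agreed with the forensics team in advance.
EXPECTED_DAILY = {"BACKUP_COMPLETE"}   # must appear once per calendar day
MAX_SILENCE = timedelta(hours=8)        # longest gap the system normally shows


def parse(log_text):
    """Turn log lines into (timestamp, event_name, attrs) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, name, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), name, attrs))
    return events


def orphan_logouts(events):
    """LOGOUT events for users with no open LOGIN: the login record is
    either missing (system fault) or was removed (tampering)."""
    open_sessions = defaultdict(int)
    orphans = []
    for ts, name, attrs in events:
        user = attrs.get("user")
        if name == "LOGIN":
            open_sessions[user] += 1
        elif name == "LOGOUT":
            if open_sessions[user] > 0:
                open_sessions[user] -= 1
            else:
                orphans.append((ts, user))
    return orphans


def missing_daily(events, expected=EXPECTED_DAILY):
    """Calendar days inside the log's span on which an expected daily
    event never appears (the 'birds have gone silent' signal)."""
    if not events:
        return []
    seen = defaultdict(set)
    for ts, name, _ in events:
        seen[ts.date()].add(name)
    day, last = events[0][0].date(), events[-1][0].date()
    missing = []
    while day <= last:
        for ev in sorted(expected - seen[day]):
            missing.append((day, ev))
        day += timedelta(days=1)
    return missing


def silences(events, max_gap=MAX_SILENCE):
    """Stretches between consecutive events longer than the baseline gap."""
    return [(t1, t2) for (t1, _, _), (t2, _, _) in zip(events, events[1:])
            if t2 - t1 > max_gap]


def audit(log_text):
    """Run all three gap checks over a log and return the findings."""
    events = sorted(parse(log_text), key=lambda e: e[0])
    return {
        "orphan_logouts": orphan_logouts(events),
        "missing_daily": missing_daily(events),
        "silences": silences(events),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_LOG).items():
        print(finding)
        for item in items:
            print("   ", *item)
```

On the constructed sample, the script reports carol’s logout with no login, the missing backup on 2024-03-05, and an overnight silence just over the eight-hour limit. None of these proves an intrusion; each is a gap that an investigator would have to explain as either a system failure or deliberate deletion, which is exactly the question the profile exists to make answerable.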
For help with creating your overall information security policy and deciding how to create accurate data logs, contact Pratum.
* Pratum’s consultants are not attorneys, and the information in this article should not be construed as legal advice. Consult your attorney for specific legal guidance.