Certified CMMC Assessors click into place as just another cog in a much larger system that already exists.

Every objective that a CCA examines must already be legally met by Organization Seeking Certification. CMMC introduced no new requirements on Federal contractors. When people often complain about the cost of CMMC they do not mean the actual assessment but refer more to meeting the requirements a CMMC assessment measures.

After the continued exfiltration of data and failed self assessments A third party validation of the system security plan was added to increase the trustworthiness of systems designed to process, store, and transmit Controlled Unclassified Information.

According to NIST a system is a series of elements or components that together have a shared identity working towards a goal within the constraints of a specific environment and the requirements of the outcome.

Organization Seeking Certification engineer security in their systems through systems security engineering. Originally the Government placed trust in organizations seeking certification. However recent evidence calls into doubt the trustworthiness of self reporting. The lack of trust in System Security Plans in turns cast doubt on the trustworthiness of the overall security engineered into a system.

So through CMMC a third party assessment was added to assess trustworthiness and increase trust in the supply chain.

Trust and Trustworthiness

A CCA serves as the verification and validation method to assure with confidence that federal contractors protect the confidentiality of Controlled Unclassified Information. A CCA verifies the trustworthiness of the evidence an organization seeking certification includes in their System Security Plan. You validate that their tests to ensure the trustworthiness of their systems proves the Organization Seeking Certification

Trust is a belief that an entity meets certain expectations and can be relied upon. The terms belief and can imply that trust may be granted to an entity whether the entity is trustworthy or not. A trustworthy entity is one for which sufficient evidence exists to its claimed trustworthiness.

Verification and Validation of the System Security Plan

As a Certified CMMC Assessor you verify and validate that an Organization Seeking Certification meets the security requirements of NIST-SP-800-171. In order for a System Security Plan to be trustworthy the OSC must have a demonstrated ability to satisfy expectations of protecting Controlled Unclassified Information

Since trustworthiness is something demonstrated, you verify and validate the evidence that supports a claim or judgment of the CMMC practices being met.

As a Certified CMMC Assessor you also serve a dual role of trust. As a trained assessor the Government can put trust in your assessment. As a Certified assessor the Organization Seeking Certification can trust your credentials. Trust is value judgment based on authority and evidence.

In terms of Cybersecurity Maturity Model Certification program this means you examine the SSP and validate each CMMC practice to ensure there is sufficient evidence of trustworthiness in the claims being made by the Organization Seeking Certification.

A CCA validates the trustworthiness of each claim an Organization Seeking Certification makes about meeting the security requirements assessment of NIST-SP-800-171 to protect the confidentiality of Controlled Unclassified Information.

This means the verification and validation of each assessment objective. As an assessor you have to make sure the evidence is sufficient and adequate enough to ensure that each of the 110 security requirements has enough depth and breadth that the claims made in the System Security Plan can be trusted.

Your role in the system is to increase the assurance that the Nation’s controlled Unclassified Information gets protected. According to NIST,

Assurance is a complex and multi-dimensional property of the system that builds over time. Assurance must be planned, established, and maintained in alignment with the system throughout the system life cycle.

In your roles of dual trust as a CCA you help to build assurances in the overall supply chain system. You also verify the evidence an OSC includes in a System Security Plan and validate how an organization establishes the trustworthiness of these claims in the trustworthy context.

Trustworthy Context

The trustworthiness context involves decision making and evidence based demonstrations that a system security plan can be trusted to protect the confidentiality of Controlled Unclassified Information. The Organization documents how they develop and maintain their assurances of meeting the security requirements of NIST-SP-800-171 and how they demonstrate how the assurance is satisfied. A CMMC Certified Assessor verifies and validates the System Security Plan as a decision-making context.

When the Organization Seeking Certification writes how they meet the security requirements of each NIST-SP-800-171 objective they create an assurance case. This demonstrates how they cover the objective with enough depth and breadth to ensure we can trust the assurance case.

As a CCA you will verify and validate the evidence in System Security Plans with a variety of quality. An effective SSP acts as an assurance case playbook. First a claim is derived from from security objectives Then the OSC connects to and documents credible and relevant evidence that substantiates the claims. Often the evidence get validated through ongoing testing and good system development life cycle practices. Basically Say What you do, explain how you do it, and prove it gets done. Have an assurance case for every assessment objective.

Organizations with strong cyber hygiene present a compelling assurance case for all 325 objectives in NIST-SP-800-171.The result provide a statement that adequate security has been achieved and driven by stakeholder needs and expectations. Strong Systems Security Engineering helps to strengthen security and reduce the effort on validating and verifying assurance cases.

People panic when it comes to policy and procedures and CMMC. Rightfully so. Compliance with NIST-SP-800-171 at a miminum requires fourteen different policies and fourteen different procedures. Probably More. In fact NIST recommends 39 different plans, policies, and procedures for 171 compliance.

While policy and procedures are not explicitly assessed by CMMC practices a majority of assessment artifacts imply the need for policy and procedures through explicit mention of document based specifications.

Yet few people write policy and procedures. Even less do it well.

To help you in creating compliant policy I have developed a series of “self-assessment” checklists for each Domain of CMMC.

Why Policy

Policy defines the governance of the systems you engineer to protect the confidentiality of Controlled Unclassified Information. Let us examine configuration management.

Overall configuration management policy communicate senior management’s expectations to the company. A good policy, regardless of domain must have specific, measurable, and confirmable objectives. Policies providea top-down approach to define what is required and what is not permitted with configuration management.

While policy defines the objectives for what must get done, procedures describe how the policy objectives get met through specific actions and results. Configuration Management procedures describe the methodology and tasks for each activity that supports implementation of Configuration Management policy.

As a company meeting CMMC requirements you should document your configuration management policy and procedures during your planning phase. In fact NIST-SP-800-171 requires you to regulary review all policies and procuedres.

What makes a Good Congifuration Management Policy

You can not check CMMC Assessment guides for help with writing configuration managment. You will not find your answers in NIST-SP-800-171, but 171 will tell you where to look,

In the back of NIST-SP-800-171 you will find Appendix E. This lists all the security controls the government assumes you do or controls they assume only apply to the federal government. These controls came from NIST-SP-800-53.

The very first base control of every family in NIST-SP-800-53 is policy and procedures. If you look at NIST-SP-800-53a you can find a list of requirements for compliant policy. This provides a wonderful tool for you to assess your current policy.

As a tool however it is hard to read.

Why A Configuration Management Policy Rubric

Self-assessment works in improving technical writing skills. We know from decades of research that theese metacognitive, or thinking about thinking, guides help to improve outcomes.

To design these rubrics I went through the objectives of each Policy and Procudure for each Family in NIST-SP-800-53. This information is required but not assessed for NIST-SP-800-171 nor assessed for CMMC but required evidence for a CMMC assessment.

Organization Defined Parameters

In order to be technology agnostic and provide a more holisitic approach NIST rarely defines rules around roles, events, and freqencies. Instead your policy and procedures must have clear organization defined parameters that get enforced in policy and procudures

In NIST-SP-800-53a these ODPs get explicitly defined and displayed in a table with the requirements but off set with grey shading. These requirements are just NFOd in NIST-SP-800-171.

The Requirements in NIST-SP-800-53a then spell out what should go into each policy

I tried to take this information and turn it into a checklist a company can use to evaluate their configuration management policy.

Check it out the checklist

As we try to create online communities focused on open learning we have to recognize the troubled history open source has had with diversity, equity, and inclusion. Some bias is implicit due to systematic discrimination. You need to be well off to work for free.

Often though we have seen countless explicit attacks such as Gamergate or even death threats against those doing Open Source Intelligence work to fight right wing extremism online.Before you can even begin to create an online community focused on open learning you need trust.

For many we never engineered safety into the online communities we create and curate. Systems Security Engineering Approach to Culture

Creating a Community as Your Curriculum (Cormier, 2008) takes a systems approach to engineering trustworthiness into the spaces you design. You can also think about your classroom culture, and the overall culture of your school as a system. in fact, our educational system is nested within this much larger system that many parents and students do not rightfully trust. By choosing a framework to develop an innovate and healthy online community you in turn reduce the threats to the members of your group that will do the learning work You also help build a better world.

Once a framework is chosen systems engineering requires a set of iterative steps.

Collect baseline data
Identify goal you will engineer
Acknowledge and identify blockers and variables of interest
Develop a solution to address the goal without negatively impacting other systems
Monitor the progress. Evaluate variable of interest.
Iterate on the process

When engineering for community we have to everyone recognize the cultural importance of safety. When trying to increase the overall hygiene of online communities you curate ,and thus engineer better trust in your system, you must first focus on the trust of potential and existing community members

Dr. Kimberly Young-McLear, who won the 2017 Captain Niels P. Thomsen Innovation Award Winner for “Cultural Change for leveraging social media for large-scale disaster response.: has created the framework for a healthy and innovative workplace. Psychological Safety

Psychological safety is paramount to good community culture. Dr, Young-McLear defines psychological safety as, “a service culture where all members have the confidence to serve as their authentic selves where self-knowledge, initiative, creativity, and self-empowerment are rewarded in an environment of interpersonal risk-taking.”

The Internet has not always been a welcoming place as demonstrated in current news stories about harassment and stalking. Unrepresented populations need to feel safe in your community no matter their role. Online spaces improve when systematically marginalized groups of people share their perspectives and contribute to organizational solutions without fear of marginalization, retaliation, bullying, or discrimination. This can not happen without psychological safety.

The model Dr. Young-McLear created integrates survivors of sexual assault, harassment, and racism. Marginalized groups are often ignored or for reporting incidents of abuse. The Web reflects our reality. The internet has never been a safe place for all. We must all work to create a places, online and in person where everyone feels safe and valued. This will increase the trustworthiness you engineer into your online community. Moral Courage

Engineering an innovative and healthy environment also requires moral courage. This means all community members must feel compelled toward action to intervene against any culture or practice that inhibits the safety of any of our members. member of your organization must report violations of laws, policies, or your company’s mission, vision, and core values. Talk to potential members who have faced racism and discrimination in the past. Encourage a speak up culture. Cultural Competencies

As you engineer an innovative and healthy workspace focus on growing key cultural competencies in your online communities

Valuing diversity
Having the capacity for cultural self-assessment
Being conscious of the dynamics inherent when cultures interact
Having institutionalized cultural knowledge
Having developed adaptations to service delivery reflecting an understanding of cultural diversity

Developing cultural competence systematically within a workforce requires subject-matter expertise and involvement by systemically marginalized groups. Over time as you grow your community may need to rely on experts in race, gender, gender identity, sexual orientation, religion, ethnicity, education, and ob position. In terms of addressing the systemically marginalized in online learning can look at the language used, the discourse patterns of leaders, and do recruitment outside of 24 hackathon events Inclusion

According to Dr. Young-McLear inclusion is “individuals perceiving acceptance within the organization, as well as the ability to bring unique contributions to the workplace. Once your organizers have done the hard work of building psychological safety, moral courage, and cultural competencies feelings of inclusion will increase.

We need more voices in for our online environments to thrive. We need communities explicitly inclusive to those who have faced trauma. Inclusion helps with both recruitment and retention. More importantly it makes your company safer. Research has shown diverse teams make better decisions. Diversity and Equity

Diversity and equity share traits but have different impacts on the learning spaces you design. Diversity in the workplace means workers who are different from each other or come from different backgrounds. Diversity can involve constructs such as race, gender, age, etc. You need to think in terms of cultural, physical, and cognitive diversity.

Only when your online spaces invest in diversity and equity can we hope to improve efforts to recruit, retain and members from systematically marginalized groups into technology. Diversity work often involves doing personal work more than outreach. Do not ask marginalized communities to put in extra effort to help you overcome their oppression. Mission Readiness and Innovation

Once the foundation of psychological safety, moral courage, cultural competence, and diversity and equity get engineered into your systems the overall mission readiness of your online space may improve. Then innovation will follow. No matter the focus of your online community when people feel safe and there is a healthy exchange of free ideas innovation thrives.

Many people might stare with wide eye confusion at the naming conventions Microsoft has used in rebranding. Some of the services used in the government and by government contractors have a new moniker.

Yet when you think about the changes the logic makes sense in terms of keeping compliance and security engines purring.

Microsoft has a long established partnership with the Cybersecurity Maturity Model Certification community.

In fact for the last five years, going back to when the System Security Plans (SSP) did not have their trustworthiness verified by a third party, the Seattle based company has retooled much of their information architecture to help the Government transition to the cloud and away from on-premises and boundary based protections.

Microsoft has also created new tools to help with security and compliance. These efforts have lead to a rebranding of services companies will use for CMMC. Microsoft wanted to make a distinction between services for security and those for compliance.

When you consider the Risk Management Framework (NIST-SP-800-37 and 39) that form the backbone of the 171 security requirements we think about a business at three levels:

• Level One: Governance and Organization
• Level Two: Business Processes
• Level Three: Technical and Business Systems

At each of the three level different assets, which include people, will have privileged and non-privileged roles. This means a user can access something at a specific tier other users can not access.

In terms of the IA (information architecture) a company deploys they need to consider the Microsoft tools they choose for compliance and those they choose for security.

Microsoft Azure and Microsoft 365

The compliance and security services that Microsoft offers will cut across two different cloud platforms that people often confuse, Microsoft Azure and Microsoft 365. They each have different security and compliance needs and impact what controls a customer inherits from Microsoft or more like a Managed Service Provider. Microsoft 365 is a Service as a Software cloud (SaaS). This means all of your tools like Microsoft Office, Microsoft PowerPoint, and Visio. An organization seeking certification has limited responsibility with SaaS tools. You need to control access and training but Microsoft handles almost all the other security requirements.

Microsoft Azure is more an Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) depending on how an organization seeking certification deploys the service. Usually with IaaS a company does not control all their hardware or need to purchase the hardware. PaaS get used when you establish hybrid environments or create an enclave, for Controlled Unclassified Information, for example.

Azure also gets used when Managed Service Providers, or security providers build apps in the cloud. For the end user the tool is a SaaS cloud model , outside of Microsoft, but for the company designing the tool they use Azure as a PaaS.

As Microsoft focused on improving their services for CMMC they identified assets in both Microsoft 365 and Azure that an organization may use for security and those tools that will get used for compliance. These tools were rebranded and sorted into two different buckets.

Security and Compliance

When working on services that provide security to a Microsoft cloud deployment companies will work with the Microsoft 365 Defender portal. As part of a cloud first approach Microsoft has stopped the level of bifurcation between branding of their services. Azure Security Center is now Microsoft Defender for Cloud and Microsoft 365 Security Center is now Microsoft 365 Defender

When working on services that provide governance, risk management, compliance (GRC)services, a cloud user will access the Microsoft Purview Compliance portal.

Current name	New name
Azure Purview	Microsoft Purview
Azure Purview portal	Microsoft Purview governance portal
Microsoft 365 compliance	Microsoft Purview
Microsoft 365 compliance center	Microsoft Purview compliance portal
Azure Purview Data Catalog	Microsoft Purview Data Catalog
Azure Purview Data Insights	Microsoft Purview Data Estate Insights
Azure Purview Data Map	Microsoft Purview Data Map
Azure Purview Data Sharing	Microsoft Purview Data Sharing
Azure Purview Data Use Management	Microsoft Purview Data Use Management
Microsoft 365 Advanced Audit	Microsoft Purview Audit (Premium)
Microsoft 365 Basic Audit	Microsoft Purview Audit (Standard)
Office 365 Advanced eDiscovery	Microsoft Purview eDiscovery (Premium)
Office 365 Core eDiscovery	Microsoft Purview eDiscovery (Standard)
Microsoft 365 Communication Compliance	Microsoft Purview Communication Compliance
Microsoft Compliance Manager	Microsoft Purview Compliance Manager
Customer Key for Office 365	Microsoft Purview Customer Key
Double Key Encryption for Office 365	Microsoft Purview Double Key Encryption
Office 365 Customer Lockbox	Microsoft Purview Customer Lockbox
Office 365 Data loss prevention	Microsoft Purview Data Loss Prevention
Microsoft 365 Information Barriers	Microsoft Purview Information Barriers
Microsoft Information Protection	Microsoft Purview Information Protection
Microsoft Information Governance	Microsoft Purview Data Lifecycle Management
Microsoft 365 Insider Risk Management	Microsoft Purview Insider Risk Management
Privileged Access Management in Microsoft 365	Microsoft Purview Privileged Access Management
Records Management in Microsoft 365	Microsoft Purview Records Management

Do not let new naming conventions confuse you. The rebranded services from Microsoft provide the same catnip we have all come to love when dealing with Cybersecurity Maturity Model Certification.

Img credit: Confused flickr photo by slava shared under a Creative Commons (BY) license

Systems security engineering, establishing security by considering the problem, solution, and trustworthiness of all key components in a business, begins with stakeholder interest and the business outcomes.

A business that cannot turn a profit cannot remain a business for long. This remains the greatest risk to the system and drives decision making. Business owners have assets, people, technology, and facilities with value that have costs, bring in revenue and that present risk. A risk-based approach must get applied to protect these assets.

We must consider security as a tangible asset, and not a cost constraint in a system we engineer. How we engineer security into the requirements of other assets depends on how we categorize the asset and the risk it faces.

ASSETS AND RISK MANAGEMENT FRAMEWORK

Systems security engineering utilizing a risk management framework require us to consider assets at three levels.

As an organization meets the security requirements of NIST-SP-800-171 they make continuous improvement in the organization’s risk-related activities across three different tiers. Tier one is the organizational level and sets the governance necessary to engineer secure systems. It includes the organization risks of profit and loss and decisions about investment in security as an asset.

In tier 2 the work gets done. It represents the mission/business processes a business relies on. This also includes how Controlled Unclassified Information, and all data moves through a system. Processes must be in place to meet security requirements. At this tier you deploy Inventory and Asset Management System and the reference architecture built to a baseline.

Tier three represents the information systems that enable the business processes to occur based on the governance and risk established. This includes many of the continuous systems that exist throughout their life cycle. Security requirements that align to the risk set in tier and utilizing the processes of tier two get met in order to protect assets that move through an information system.

Assets, anything with defined value, will exist at all three tiers. Security requirements, constraints, and in-scope assets of a CMMC assessment will exist across all three tiers.

By utilizing Systems Security Thinking from a risk management framework an organization seeking certification can engineer Inventory and Asset Management systems that help to increase the trustworthiness of asset categorization through automation and continuous monitoring.

ASSET CATEGORIZATION AND CMMC

Organizations who engineer security using proactive and reactive loss prevention will not only have better security, but they also control the cost and ease of a CMMC Assessment.

The goal of systems security thinking is to develop immutable architecture through baseline enforcement, moving access controls more from the boundary to the asset identity, and deploying continuous monitoring through automation and machine-based scanning.

Design based thinking requires establishing a baseline and we begin with inventory and asset categorization. Once security-based solutions for asset inventory get engineered a company should begin on asset categorization. In fact systems security engineering, and not just a NIST-SP-800-171 assessment, rely on asset categorization:

This means proactively planning and designing to prevent the loss of an asset that you are not willing to accept; to be able to minimize the consequences should such a loss occur; and to be in an informed position to reactively recover from the loss when it does happen.

For CMMC Level 1, only assets classified as FCI are considered in scope.

CMMC Level 2 assessments are conducted when an organization transmits, stores, or processes CUI. Often these organizations also have FCI. If an organization, for example, uses two different enclaves – one for FCI and one for CUI – then they will need two different assessments. If the FCI and CUI get comingled in the same system, an OSC should seek a single assessment from a C3PAO.

A Certified CMMC Professional, can help companies with complex systems and small budgets save money if they can categorize assets as either in-scope or out-of-scope. A CCA will want to understand how asset categorization fits within an organizations Inventory Asset Management policies and procedures. There are specific controls that require any authorized user to be tracked and for attempts at unauthorized access to get logged.

More importantly, in a CMMC assessment not all assets fall in scope. The scope of the people, technology, and facilities will change at the three different tiers of risk management. At each level you will have users with more privileges than others. You will have assets that require greater protections. Policies need to be accounted for in level one, reference architecture at level two and fine grain security requirements down to the last endpoint at level three. Any assets in the system must get categorized, the security requirements identified, and their life cycle documented.

This requires serious counting and then organizing what gets counted.

Sometimes an organization’s assets are such that it is more economical to grow the scope so that the entire company is a controlled environment rather than trying to limit the scope to one or more enclaves. This holds especially true for many small manufacturers who cannot add separation between CUI assets and normal business practices, such as by using an Enterprise Resource Planning (ERP) tool.

A CCP, will work with companies to develop their asset inventory to provide details of the assets the company owns. This can cover a range of asset types, from tangible fixed assets such as property and equipment, to intangible assets such as intellectual property. An assessment team member, CCP, CCA, or Leader assessor will use the asset inventory and categorizations to verify the scope of the environment and to scope the assessment.

But within the asset categorization you must think behind the wall. Physical asset management systems can tell you the location of a computer, but cannot answer questions like:

“What operating systems are our laptops running?”

“Which devices are vulnerable to the latest threat?”

Effective ITAM solutions, driven by asset categorization, tie physical and virtual assets together, and provide management with a complete picture of what, where, and how assets are used. ITAM enhances visibility for security analysts, which leads to better asset utilization and overall system security.

People, technology, and facilities can be in scope as any of the five asset categories at the three tiers of the system. At tier one policies inform the configuration management. The authorized holder of the CUI will have a privileged role. People with incident response and disaster recovery will also have privileged roles. Elevated assets often fall in scope.

At tier two you need to categories any configuration management procedures of in scope assets. Baselines, reference architecture, and threat monitoring procedures exist at this level. Privileged users will collect data about risk to assets and pass that up to in scope people in tier one.

At tier three all the people, facilities, and technology that make up your system need to meet the security requirements. Most of the assets categorized for a CMMC assessment will exist at this level. This includes every endpoint, training records, key physical and logical boundaries. You may have systems to separate out of scope assets from CUI.

In security systems engineering the in scope assets exist at mainly at level one, the procedures to secure those assets exist at level two. The data about the current state of the asset and its lifecycle get pushed back up to threat monitoring at level two. If an adverse risk is noted the policies and regulations categorized in tier one kick in.

As an organization engineers asset categorization into their Inventory and Asset Management systems they need to consider if the labeling will happen manually, automatically, or at provenance of the asset. Manual means someone physically has to enroll and de-enroll an asset from the system. Even with automation good security practices require manual authorization for an asset to first connect to a system. Your key boundaries will also exist and need protection at the third tier. People who maintain the security and all in scope users will need specific training. None of this can happen without categorizing assets based on risk.

In terms of determining the scope of a CMMC assessment we must think about five types of assets.

• Control Unclassified Information Assets-Assets that process, store, or transmit CUI.
• Security Protection Assets-Assets that provide security functions or capabilities to the contractor’s CMMC assessment scope even if these assets do not store or transmit CUI.
• Contractor Risk Managed Assets-Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures and practices in place.
• Specialized Assets-Assets that may or may not process, store, or transmit but are out of scope of CMMC beyond documenting risk mitigation in the SSP through security policy, procedures and practices.
• Out of Scope Assets-Assets that cannot process, store, or transmit CUI.

CONTROLLED UNCLASSIFIED INFORMATION

Controlled Unclassified Information assets make up the heart of a CMMC assessment. Any asset categorization system should attempt to identify CUI to ensure it meets the security requirements spelled out in DFARS.

NARA has identified many categories of CUI but a contractor in the Defense space will mainly handle controlled technical information, critical infrastructure security information, naval nuclear propulsion, and unclassified controlled nuclear information.

If the contractor sells a commercial off the shelf product it is not Controlled Unclassified Information. COTS can still come with export controls and be considered ITAR and need to meet security requirements from the State Departmnt but this would be out of scope of a CMMC assessment. Next an organization seeking certification needs to determine if the data gets created, processed, transmitted, or stored is the result of a contract with the DFARS 252.204-7012 clause. Without this clause you do not handle CUI on behalf on a Defense contract. If you receive CUI as a result of a contract without this clause you have no security or incident reporting requirements.

Most CUI will not get labeled. The data labeled or unlabeled, by being controlled unclassified information, is controlled by some federal law or regulation. Your next step is to examine any assets with limited distribution statements of that is considered ITAR. Any ITAR or data marked for limited access because of a contract with the 7012 clause is almost always CUI.

Asset categorization must pay particular attention to CUI assets if an organization is trying to use enclaves or to keep out of scope assets separated from CUI. You will want to categorize the people who have authorized access to the CUI. You also need to count the things that protect CUI

SECURITY PROTECTION ASSETS

We must also consider the Security Protection Assets (SPA). These are all of the cybersecurity hardware and software a company uses and pays for to protect their systems. A CCA may fail an Organization Seeking Certification if SPAs go unaccounted and thus unpatched. Your cybersecurity, or SPA inventory should:

• Gather data from any source that provides detailed information about assets
• Correlate that data to generate a view of every asset and what is on it
• Continually validate every asset’s adherence to the overall security policy
• Create automatic, triggered actions whenever an asset deviates from that security policy

Automated asset management has significant advantages over manual asset inventory. Mainly, all your data lives in one place rather than in a variety of spreadsheets, clipboards, or bar code systems. Warranties, receipts, user manuals, STIGS, and baseline configurations get stored in one place. As a CCP, you should help a company inventory all of the important documentation required for all five types of CMMC asset categories.

An Assessment Team member, whether a CCP or a CCA , will assess if an organization uses asset inventory software, or build procedures into their existing systems. They will check on the ability to schedule maintenance automatically. A CCA will make sure Patching gets included in the lifecycle of a SPA.

For example, in environments that use a commercial cloud organization may use configuration management tools. These cloud services allow you to write, manage, and compile to create a Desired State Configuration (DSC). The inventory features built into built into these tools allows for tracking of virtual machines hosted in commercial clouds, on-premises, and other cloud environments. As part of Inventory and Asset Management lifecycles assets get tracked using these scripts. This asset therefore provides security protection to CUI assets and gets categorized as in scope. If you mess with the scripts that count and categorize assets a threat can hide their tracks.

Many inventory software systems, especially mobile device management tools, allow privileged users to perform remote updates and inspections of IT assets. You can inventory devices such as laptops or tablets. This saves the IT staff valuable time and resources. Most manual inventory processes end up hurting the company’s bottom line because the IT staff could be better using their time in support of the IT infrastructure. Other organizations may have no IT staff at all.

Inventory software helps to reduce loss through theft of valuable assets via physical verification and tagging of fixed assets. This, in turn, helps to protect the confidentiality of CUI – the goal of the CMMC program. Asset inventory software can produce the most accurate inventory. Discrepancies get identified and resolved quicker and cheaper than by manual methods. CCPs may want to consider doing assessments and contracts especially around the automation of ITAM.

CONTRACTOR RISK MANAGED ASSETS

Contractor Risk Managed Assets can process, store, or transmit CUI but an organization plans to keep CUI out of these assets. This requires an inventory of the security policy, procedures, and practices in place to protect these assets NIST-SP-800-171 is neither a framework or a security plan. A CMMC assessment only verifies that you meet the security requirements of NIST-SP-800-171 to protect the confidentiality of CUI. You will need a risk based security plan to categorize CRMA. Contractor Risk Managed Assets are not required to be physically or logically separated from CUI Assets.

They are part of the CMMC Assessment Scope. These assets just get managed using the contractor’s risk-based information security policy, procedures, and practices that sit above CMMC in the tier one of the system. If properly categorized CRMA and are not assessed against CMMC practices.

Facilities may often fall under contractor risk managed access as ab organization may not own the building or utilities coming inside. A conference room, for example, may hold meetings that process CUI. This CUI then gets locked away and protected by one physical barrier. The lockbox is inscope but the conference room is a risk managed asset.

SPECIALIZED ASSETS

Specialized assets may or may not process, store, or transmit Controlled Unclassified Information. If they do handle CUI the asset must provide a very specialized function. It should configured to do just that one function and if possible be physically or logically separated from in scope systems. Internet of Things, Operational Technology, Restricted Information systems, Government property, and test equipment get excluded.

An asset categorization system must account for specialized assets. The security plan must detail how an organization accounts and controls the risk to the asset. In essence specialized assets require tailoring from a Risk Management Framework from NIST-SP-800-37 and 39 using Systems Security Engineering in NIST-SP-800-160. When you have a highly specialized asset you tailor a set of controls if the asset can not not meet the required security baseline.

OUT OF SCOPE ASSETS

Out of scope assets do not handle CUI. They are not in scope of a CMMC assessment. Your asset categorization however should account for any asset. Remember an asset is defined as anything with value. If something has worth and organization should count it. Adversaries want to steal your IP and PII as much, if not more, than Controlled Unclassified Information

HELPING COMPANIES WITH ASSET CATEGORIZATION

A CCP or CCA need to work with your clients on identifying data flow within their companies and understanding how this data flow impacts the five asset categories of a CMMC assessment. This will be essential when scoping the assessment.

An implentor will want to work with clients to leverage their existing expertise and systems for inventory to help them automate IT Asset Management. A Certified CMMC Assessor will want to work with organization that have effective asset categorization.

On Microsoft Systems a CCA will often analyze evidence collected using Azure Automation. Asset categorization and Inventory Asset Management may occur Microsoft Defender. In Apple environments people may use a third party vendor such as JAMF to only install approved apps. Other organizations may drive their inventory through a SIEM and vulnerability scanning.

Long term, once the risk based analysis is completed, the assets inventoried and categorizes Systems Security Engineering will drive us to a baseline and reference architecture. Categorizing assets across the lifecycle of deployment enables this goal. At the same time good reference architecture will help to automate asset categorization.

---

This is the sixth post on a series on using NIST-SP-800-160 Systems Security Engineering to meet the requirements of SC.L2-3.13.2 – SECURITY ENGINEERING

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

First post: Evaluating Organizations Seeking Certifcation: Document Based Requirements to Start a Conversation

Second Post: CMMC and Systems Security Engineering

Third Post: CMMC and Asset Inventory

Fourth Post: CMMC Assessment: In Systems Security Engineering the Environment Drives Evidence

Fifth Post: https://flickr.com/photos/cowbite/820720997 shared under a Creative Commons (BY-SA) license by jgmac1106 shared under a Creative Commons (BY-SA) license

In systems security engineering requirements and constraints drive the design choices we make. They will send signals in a CMMC assessment. The constraints and requirements of an environment determines the type of evidence an assessor needs to verify. Organizations Seeking Certification and Certified CMMC Assessors will more than likely have to deal with many environments that utilize cloud deployments.

What is the Cloud?

According to NIST cloud computing enables, “ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) ,“ and that these resources take minimal configuration by the users.

The Federal Government, using this definition for their cloud migration efforts defined five key characteristics of cloud environments.

• on-demand service-Employees can access from any device
• broad network access-Employees can access anytime or anywhere
• resource pooling,-Employers share servers and infrastructure
• rapid elasticity-Can scale to almost unlimited users
• measured service-A third party maintains the system

Cloud computing provides a developer agnostic pathway to building controlled environments, meaning there are multiple solutions in a variety of forms of deployment. According to according to NIST this includes:

• Private Cloud- Provisioned for a single organization.
• Community Cloud-A cloud provisioned for specific groups of users withn a company
• Public cloud-provisioned for general community use and not used in business setting often
• Hybrid Cloud-A combination of any two above

Cloud Security Requirements

The shared services layer introduced into the system will impact the security engineered into the system and the assessment procedures used by a Certified CMMC Assessor. This service layer depends on the cloud service model used by the organization.

According to CISA’s Cloud Security Technical Reference Architecture the service model will determine security requirements.

NIST defines four services models as illustrated in the figure from CISA’s Cloud Security Technical Reference Architecture:

• On-Premsises
• Infrastructure-as-a-Service
• Platform-as-a-Service
• Software-as-a-Service

Regardless of the service model all cloud environments must get engineered to meet the same basic security requirements as spelled out in Federal law and regulation.

Shared Responsibility Matrix

An assessor, in conversation with the OSC, must determine what and who is in scope. The majority of security requirements these assets introduce will all get documented in a shared responsibility matrix. An assessor will want to verify the FedRAMP equivalency seeing a document that outline who manages what security requirement if the cloud assets store, transmit or process unencrypted CUI. All cloud deployments, regardless of the service model, require a shared responsibility matrix for a CMMC assessment. Any FedRAMP authorized CSP must submit a responsibility matrix as part of their authorization package. Many organizations use that document to build their CMMC 171 SRM.

NIST-SP-800-171

These service models influence the security requirements engineered into a system and move the shared responsibility of meeting the requirements from the Organization managing them to the vendor managing the requirements. Regardless of the shared service layer engineered into the system the Organization Seeking Certification is always responsible for documenting and meeting the requirements.

Export Control

If an organization holds export-controlled data under ITAR or EAR new security requirements get introduced. This data requires data sovereignty for the cloud or must meet encryption requirements inside of a controlled environment and then remain encrypted the entire time in the cloud. Meaning never available in a readable format to anyone until downloaded and unencrypted back in the controlled environment. Only the organization and not the vendor should hold the keys to the data. Any vendor support must get restricted to US persons.

FedRAMP-Moderate

Cloud services, based on DFARS 252.204-7012(b)(2)(ii)(D), that store, process, or transmit Controlled Unclassified Information must meet the FedRAMP Moderate baseline or its equivalent. Thus if an organization uses a cloud service to support security such a s a SIEM, that tool does not need FedRAMP Moderate equivalency because it does not store, process, or transmit CUI.

Incident Reporting

In scope cloud service providers that store, process, or transmit CUI must also meet the incident reporting requirements of DFARS 252.204-7012(c-g). Any incident must get reported to the Department of Defense within 72 hours and images of the system must get preserved for 90 days. The DoD may want access to the equipment. This means a Cloud vendor must accept the contractual flow down of DFARS 252.204-7012

A CMMC assessment only verifies the trustworthiness of 171 security requirements. It is not a DFARS or EAR compliant assessment. That being said an assessor may verify if your Incident Response Plan meets DFARS requirements. If your policy and plans state you are in compliance with other security requirements the assessor will verify the procedures and evidence to ensure “you say what you do and do what you say.”

Cloud Environmental Constraints

Migrations take time if an organization thinks they may hold CUI in the future. A Prime contractor may demands compliant environment regardless if they flow CUI down to an organization in a contract. In these situations an OSC should consider a compliant cloud environment given the time migration takes. Time is often the toughest constraint in systems security engineering.

Regardless of deployment, cloud often refers to connecting to servers maintained by other organizations. How an organization utilizes the cloud depends on stakeholder needs and system constraints. A company inherits, or shares much of the security responsibility with a cloud vendor. This often gets represented in a shared responsibility matrix.

Thus an Organization Seeking Certification and a Certified CMMC Assessor will need to understand how employees connect to the cloud based infrastructure. Security requirements around encryption are very specific in CMMC. The baseline policies must apply constraints on users in how they access the cloud. You must also determine if a managed service provider is in scope and if they have access to the CUI stored in the CSP.

The world of IT, or Information Technology, has faced monumental shifts in the last three decades. We have moved from fixing a spool on a dot matrix printer to proving audit logs on endpoint detection.

From a Systems Security Engineering perspective, this changing relationship between IT companies and members of the Defense Industrial Base introduces to requirements and constraints on security of your business.

When creating a system for the way Controlled Unclassified Information flows through your networks an Organization Seeking Certification must understand the difference between key partners. Incorrect decisions could leave a third party and their systems in-scope of your assessment. This not only greatly increases costs but puts data at greater risk. The service models depend upon the people behind them.

CSP, MSP, MSSP What is the difference?

Utilizing NIST definition of cloud based computing we know that cloud solutions cut across five characteristics, three service models, and four deployments

Characteristics	Service   Models	Deployments
On-demand   self-service     Broad   network access     Resource   Pooling     Rapid   Elasticty     Measured   Service	Software as   a Service     Platform as   a Service     Infrastructure   as a Service	Private   Cloud     Community   Cloud     Public   Cloud     Hybrid   Cloud

This defines the software, but what about the people? CMMC-AB and NIST go out of their way not to define the difference between Cloud Service Provider, Managed Service Provider, and a Managed Security Service Provider. The scoping guidance refers to all external service provider the same and the NIST page lists the definition of Clous Service Provider as none.

NIST-SP-171-800 and CMMC scoping rely on a data centric model and the vendor delivering services does not change the security requirements. The people you choose to work with do change the evidence collection needs to meet the requirements and do introduce new constraints.

As an Organization Seeking Certification you need to consider these requirements and constraints as you evaluate partners. An Assessor will need to evaluate the requirements and contraints of an environment when developing assessment procedures.

What is a Cloud Service Provider?

A cloud service provider gives you access to computing networks and servers that they own and maintain. Google Docs SaaS that Google provides as a cloud service provider. Microsoft is a cloud service provider with different levels of security.

CSPS have their own requirements when it comes to establishing the trustworthiness in the system an Organization Seeking Certification throws. The evidence you must collect will change. Afterall Cloud Services Providers manage SaaS (Software as a Service), PaaS (platform as a service) or IaaS (infrastructure as a service) for users. This introduces new requirements and constraints to your system security engineering.

A cloud service provider hosts all of your data and thefore must meet the requirement of protecting CUI while in transit and at rest. Some types of CUI must require the data get stored in the United States. There are even requirements for cloud computing spelled out in Defense Federal Acquisition Regulation Supplemental.

What is a Managed Service Provider?

The contrast between MSPs and cloud services providers revolves around access control. MSPs manage and maintain technology that you own or license, whereas CSPs offer access to technology that they own. MSPs may manage both on-premises and cloud-based infrastructure for their customers. The MSP, however, does not own or control the underlying cloud infrastructure that stores your data or Controlled Unclassified Information.

MSPs also have their own requirements when it comes to developing evidence for compliance with CMMC Practices. They often act as IT Departments for companies that do not have them. An MSP acts as a partner and they may handle important tools such as Active Directory, data backup, anti-virus, and other IT functions. All of these fall in scope in a CMMC assessment.

Whether an MSP falls in scope of your assessments will depend on the services they provide. Some my partition systems but through asymmetric key encryption never have access to any credentials or assets. Other MSPs may have physical access to networks and a company may treat these technicians as in scope employees. The service level agreements and shared responsibility matrices will drive your security requirements.

What is a Managed Security Service Provider?

A managed security services provider (MSSP) provides oversight of specific security tools. These tools may not store or access CUI but they protect assets that do fall in scope. An MSSP focuses security services, such as firewalls, virus protection, and intrusion detection, They may provide a SIEM, or Security information and event management. MSSPs often specialize in a particular area, such as managed firewall service providers.

According to the CMMC Level Scoping Guide “Security Protection Assets are part of the assessment scope and are required to conform to applicable CMMC practices, regardless of their physical or logical placement.”

The scoping guidance spells out that an MSSP falls in scope for all-applicable CMMC practices. Yet the same can be true of a CSP or MSP as well.

As you apply systems security engineering to meet the requirements of a CMMC assessment you must evaluate your partners. Examine the service level agreements you have, consider the time of deployment and migrating between a cloud or service provider. You need to choose compliance partners when evaluating vendors.

What is Hybrid?

A hybrid deployment combines onprem servers with cloud-based servers. Some organization may want to keep control of servers that store credentials for cloud computing. Others may have out of scope on prem servers they maintain but provision a private cloud for employees authorized to handle Controlled Unclassified Information.

A hybrid cloud infrastructure may connect to a public cloud platform from a trusted third-party provider. Hybrid deployments may also utilize a private cloud partitioned on premises. A company may utilize hosted private cloud provider and allow employees to connect to the servers. A CMMC Assessor will often find an in-scope managed service provider may maintain the hybrid environment.

Hybrid Environmental Requirements

Like all environments the hybrid cloud must meet the same security requirements. The use of the hybrid environment just changes the metrics and evidence used to ensure the security requirements of NIST-SP-800-171.

The people who maintain the environment introduce evidentiary requirements. Any on-prem deployment of tools will need a focus on the privileged users who can access those tools. Hybrid deployments can either introduce the most complicated requirements to document or help an organization shrink their scope by utilizing a cloud-based service. They are difficult to maintain but can provide benefits to those who take advantage of increased on-prem solutions with the scalability of cloud services.

For example, you will need to think about the access to both the logical and physical barriers that store servers. A company will need to make sure their inventory disposal polices align with the requirements set out in the Media Protection domain. Many smaller companies may try to utilize a hybrid approach managed by an MSP. Some organizations keep their access control logs and Identify Managament systems onprem and data in the cloud. This will impact the evidence collected to demonstrate security requirements get met.

An MSP may or may not be in-scope or have access to your Controlled Unclassified Information in an unencrypted state. If they provide security to systems that protect CUI either on-prem or in the cloud you will need to show how the MSP handles the applicable security requirements they manage.

Hybrid Environmental Constraints

Hybrid environments can bring all the environmental constraints of on-prem or cloud deployments while leaving a managed service provider in scope. On the other end of the spectrum hybrid environments in a private cloud using asymmetric keys for authorization can shrink a company’s scope down to a few assets.

The difficulty in maintaining hybrid environments introduce many constraints. First you need to make the relationship and boundaries visible in all your data flow and network diagrams. Cost and time always act as constraints in systems security engineering. In hybrid solutions you may have to support two disparate solution who do not “talk computer together.” This introduces bespoke coding and architecture that presents a new threat vector. If these systems have data interoperability constraints even more challenges get introduced.

At the same time Hybrid solutions can often help small businesses who may have only limited exposure of CUI in their on-prem environment. So if a manufacturer only had two to three machines that process CUI they may utilize a hybrid environment to share controlled technical information with remote employees. The CUI gets encrypted before it goes to the remote employee. The remote employee only works on a local device not connected to their network. They rencrypt the file before sending back within the onprem physical boundary.

Hybrid environments managed by high quality MSPs can provide flexibility, reduced cost, and the ability to scale.

What is On-Prem?

An on-premises environment, often on-prem for short, means all in scope software and systems exist withing the physical and logical boundaries of an organization. The organization seeking certification is responsible for managing, maintaining, and supporting all systems and the security of the assets who access those systems to process, store, or transmit Controlled Unclassified Information.

On-Prem Environmental Requirements

On-Premises environments can bring the same regulatory and security requirements of Cloud and Hybrid deployments but the organization is responsible for managing all the security requirements of the software and hardware. The vendor has no responsibility.

The network diagrams and data flow diagrams will dictae what evidence a Certified CMMC Assessor must collect to assess on-prem environments. An IT department or External Service Provider must maintain layers security, encryption, and protection of key boundary points.

On-Prem, however, is not a unified deployment. Companies may have multi-site environments that connect to these systems. Overall on-site staff or contracts must maintain all software, hardware, access control, and physical security. This introduces specific evidence requirements for a CMMC assessment.

On-Prem Environmental Constraints

A company maintains all the servers, firewalls, and routers. The necessary resources create a sever constraint on maintenance. The cost of deprecating equipment may have advantages to cloud environments. The over reliance on Managed Service Providers that maintain IT systems may increase the scope of security requirements.

NIST-SP-800-171 approach to security relying on logical and physical boundaries meets the constraints of on-rem deployments for many companies. However recent security guidance and costs often drive businesses towards the cloud.

Considering the ease of compliance for on-prem deployments may influence the design decisions and organization seeking certification makes. Other companies may choose on-prem solutions out of sheer size of their organization. A Certified CMMC Assessor will need to pay attention to the privileged access users have to key boundaries that protect physical access to servers. Organization who utilize on-prem solutions, will also need to detail who maintains the security updates to any of these assets. Most importantly they will have a reference architecture that explains the separation techniques that protect CUI.

Right Fitting your Cloud Deployment

Almost all organizations will have some element of cloud in their systems. From a Systems Security Engineering persepective each service model impacts the requirements and constraints a company must consider in their risk based awareness plan and daily operations.

Systems Security Engineering broadcasts that an organization takes their security requirements serious regardless of the contrainsts they face.

---

This is the fifth post on using NIST-SP-800-160 Systems Security Engineering to meet the requirements of SC.L2-3.13.2 – SECURITY ENGINEERING

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

First post: Evaluating Organizations Seeking Certifcation: Document Based Requirements to Start a Conversation

Second Post: CMMC and Systems Security Engineering

Third Post: CMMC and Asset Inventory

Fourth Post: CMMC Assessment: In Systems Security Engineering the Environment Drives Evidence

Img Credit: lost in transmission flickr photo by savoryexposure shared under a Creative Commons (BY-SA) license

From A Systems Security Engineering perspective, the environment will drive the evidence collected to ensure an organization seeking certification meets security requirements.

For both the assessor and the contractor considering the impact of scope on how their systems gets deployed will be the largest driver in the cost of engineering a system and meeting security requirements. An Organization Seeking Certification must collect to meet the 320 objectives of a CMMC assessment. Assessors will need to consider the environment and the separation techniques used when deciding on what assessment procedures to use.

Systems rely on the separation of physical and logical boundaries to ensure only those with a legal and authorized need access Controlled Unclassified Information. In fact, when designing controlled environments as part of our systems we must consider the environmental constraints of each possible deployment.

The security requirements for storing, processing, or transmitting CUI for any deployment are the same. The requirements for export-controlled data are the same regardless of the environment. Incident reporting requirements are the same no matter the system an OSC engineers.

You have a CMMC assessor come and verify the trustworthiness in your meeting the security requirements of NIST-SP-800-171. The environments used in the system will have an impact on the evidence used to justify a rating. The assessment procedures used by a certified CMMC assessor will change based on the environment.

By analyzing constraints and requirements across the life cycle of a contract, thus utilizing systems security engineering, an organization identifies the type of evidence a Certified Assessor may collect to verify the trustworthiness of the System Security Plan based on their deployment

Environmental Constraints and Separation Techniques

When engineering a system an organization must consider how Controlled Unclassified Information does or does not move through logical and physical boundaries. Utilizing separation, or “system architecture design concept that can provide physical/logical isolation of assets that process, transmit, or store CUI from assets not involved with CUI” an organization can protect CUI from unauthorized disclosure.

When an OSC accounts for different environments and their constraints they collect the unique evidence needed to demonstrate the security requirements get met.

Where Do In Scope facilities Exist?

Modern deployments range from on-premises where an organization maintains responsibility for all software, equipment, and physical to cloud based software-as-a-service platform where the organization maintains only limited control over domains such as access control and the vendor handles all other security requirements.

Unless organizations utilize separation, techniques and keep all CUI in a system with security measures such as DMZ , layered boundary protections, and air gapped systems or an organization keeps an entire system in scope an assessor will be working with cloud environments.

“Cloud Smart,” rather than “Cloud First” was initiated in 2017 as a result of the Report to the President on Federal IT Modernization. Cloud Smart emphasizes the three pillars of security, procurement, and workforce. These three principles work in systems security engineering while also introducing specific requirements and constraints to the environment.

The biggest impact Cloud has on a CMMC assessment is introducing a shared services layer to the environment. As soon as an organization uses a cloud vendor for in-scope services or uses security tools in the cloud they share the security requirements and must document who and how they get met across the organization. The CSP is not assessed during a CMMC assessment, but the assessor will need to establish the trustworthiness of shared responsibility.

These requirements and constraints have an impact when assessing organizations. As you engineer a system that meets the security requirements of NIST-SP-800-171 you need to determine your environment and consider the constraints and requirements across the lifecycle of your deployment.

---

This is the fourth post on using NIST-SP-800-160 Systems Security Engineering to meet the requirements of SC.L2-3.13.2 – SECURITY ENGINEERING

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

First post: Evaluating Organizations Seeking Certifcation: Document Based Requirements to Start a Conversation

Second Post: CMMC and Systems Security Engineering

Third Post: CMMC and Asset Inventory

img credit: Drive flickr photo by astarothcy shared under a Creative Commons (BY-SA) license

You cannot protect what you do not know you have.

Systems security engineering, as a method to meet the security requirements of CMMC requires an Organization Seeking Certification (OSC) to provide the means to locate, identify, and log the inventory of assets. Organizations must also engineer methods to verify the trustworthiness of data and provide it as evidence during a CMMC assessment. This closed feedback loop helps to strengthen the hygiene of an organization seeking certification.

Yet asset inventory, from a lens of systems security engineering means, more than just counting computers. It does not end at endpoints. Inventory refers to more than even physical or logical boundaries. Management involves more than logging. You also must assess the risk these assets face. Taken together, like any element in a system, asset management requires a security first philosophy.

Many, if not all, of the CMMC domains require you to do inventory. Any time you define, identify, or list items as part of an assessment objective under a practice, good inventory matters. Basically, don’t just think about counting the things that plug into the wall. You also need to count and manage all the assets that move data in between the walls, buildings, and networks.

Companies need to apply and understand the design principles behind asset management. If an organization takes an interdisciplinary approach to asset inventory, managing anything with value, as part of overall business success rather than seeing cybersecurity see it as an IT problem the company can begin to apply systems thinking.

By applying systems security engineering to asset inventory an organization will automate many of the elements that go into good inventory, create processes for Inventory and Asset Management (IATM), design IATM from a security first principle, and account for each stage of the asset lifecycle.

Systems Security Thinking

Inventory, emerges from a system. It requires technical and non-technical processes to come together.

System engineering thinking refers to interacting elements that achieve a business goal or stated purpose. Anyone who has owned or worked in a business knows how critical inventory systems are for overall success.

If an organization places security as central to their systems thinking, where they consider the implication of any asset or system across its lifecycle the company has focused on the principles of system security engineering.

No specific CMMC practice requires companies to adopt system security engineering but in reality collecting the real time records of all the assets a company has in scope would be difficult without relying on these principles. The amount of data needed to ensure the trustworthiness of an environment handling CUI is too much for any manual attempt. Further the data collected as part of IATM influences every aspect of security such as access control.

NIST-SP-800-160 SYSTEMS SECURITY ENGINEERING: A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems lays out ways to apply security to all assets and processes throughout a business goal.

Problem	Solution	Trustworthiness	Analyze
Identify and plan for enabling systems for IATM Define metrics of success Identify CMMC practices impacted by inventory Update SSP	Develop IATM Policy Create baseline for enabling systems Deploy enabling systems Create a lifecycle for any asset Identify stakeholder assets and asset categorization Apply security metadata tagging Develop a RACI model for any asset and enabling system or process Update SSP	Develop a scenario on how IATM system should work. Compare and identify assets from data collected during vulnerability scans Create traceability of inventory Update SSP and POAM	Analyze how enabling systems can further automate IATM Analyze impact on reference architecture if any systems got updated, removed, or added Update SSP and POAM
Continuous Feedback Loop	Continuous Feedback Loop	Continuous Feedback Loop	Continuous Feedback Loop

Systems security engineering puts a security baseline as a goal for stakeholders who own a system. A system consists of different elements or assets and the assets and elements that support the system. While you can count by hand good inventory requires system security engineering.

What Goes into Inventory?

• Unique Identifier-Each asset needs its own name
• Platform type-Windows, Mac, Server
• Asset Categorization-Type of CMMC asset per scoping guidance
• Owner of asset-who is the non-privileged or privileged user of asset
• Admin of asset-Privileged employee or a third party through shared responsibility
• The applications and processes that manage the inventory of this asset
• Network Connections-ways the asset connects
• Regulations-Laws that govern this asset
• Practices/Controls Met-CMMC practices that protect the asset
• Assets role in business
• Contractual Availability-Any rules that spell out access to asset
• Assigned Maintenance-Who maintains asset or third party relationship
• Link to Maintenance Plan

Asset inventory needs to be a living document fed by automation and cared for with good policy and procedures. An Organization needs a system to automate asset discovery. They need to collect up to date information on your assets, such as patching or log-ons. Some assets, like computer programs, may come with a software bill of materials that contain important information that gets automated.

In other words a successful CMMC assessment requires that organizations understand and utilize IT Asset Management from a systems security engineering mindset.

What is IT Asset Management (ITAM)?

IT Asset Management (ITAM) applies systems security engineering principles to manage the life cycle of inventory and the entities responsible for ownership. Key aspects of ITAM programs include:

· Asset inventory – Getting a comprehensive inventory of all hardware, software, and network assets

· License management – Ensuring all assets are running properly licensed software

· Lifecycle management – Deciding which assets should be decommissioned, managing the software licenses on these assets, and updating the inventory

· Patch management – Ensuring the latest security patches are in place on all systems that need them, and understanding which systems have existing vulnerabilities that must be mitigated if no patches exist

Properly conducted, IT Asset Management will help drive cybersecurity hygiene. You must understand an organization’s topography to understand the flow of Federal Contract Information and Controlled Unclassified Information. A Certified CMMC Assessor scoping an assessment will work with clients to answer the question: “Do you know where CUI resides and how the data flows through your organization?”

Manual inventory will fail when you consider that you must count your inventory, manage any license, track the lifecycle of equipment, make sure users keep equipment patched, and know who “owns” each asset. When companies attempt to track this manually the data gets stale.

Instead IATM requires a living document based on principles of security system engineering. This living document informs vulnerability scans and attempts to access by non-authorized users.

IATM and System Security Thinking

A living document takes engineering. A systems security thinking approach to IATM requires planning and designing to prevent the loss of an asset. You must understand how to handle and recover from an incident or loss. A CMMC Assessor will want to know if an organization approaches security from a system thinking approach. A CMMC Certified Professional providing consulting services need to embed security first thinking in the design of the systems they create with an OSC.

In essence you cannot have system security thinking without applying design principles to IATM. At any given time, an Organization Seeking Certification needs to know the users connected to a system and the processes connected on behalf of those users. Patch management logs must be up to date. An OSC needs to track assets from purchase to disposal.

ITAM and Asset Lifecycle

Applying system security thinking to IATM requires you to consider security starting at blocking drip campaigns from vendors, to product evaluation, through acquisition, lifecycle management, knowledge management and more. Each in scope asset for a CMMC assessment includes business processes around agreements and acquisitions, project specific processes, technical requirements, and technical processes. In a typical lifecycle, an asset lifecycle includes the following phases:

• Enrollment
• Operation
• End-of-life

NIST-SP-800-160 lays out concepts, development, staging, production, deployment, code review, and support. For a developer contractor asset lifecycle can include code or repos. This requires a different approach to asset lifecycle than an an industrial environment where Operational Technology gets run by specialized assets with an out of date operating sytem. Other in scope organizations may provide services or support staff to the Government. The requirements and constraints of the environments will impact asset lifecycle.

The asset lifecycle while going through the three stages will focus much more heavily on the people assets. In industrial environments asset lifecycles must also include all of the out of scope operational technology and include how a company secures those assets.

Enrollment

No matter the constraints of different environments constraints enrollment may involve manual activities performed by IT staff such as assigning and tagging the asset with a serial number and barcode, loading a baseline IT image, assigning the asset to an owner, and, finally, recording the serial number as well as other attributes into a database.

An admin should manually authorize assigning an asset to an owner. Many Mobile Device Management (MDM) devices or corporate buying programs, such as those through Apple, help to automate the enrollment process and might also include primary location, hardware model, baseline IT image, and owner. This could also mean giving employees access to a code repo or a Kanban board by a project manager. As Certified CMMA Assessor you will collect evidence that makes the relationship between, IATM, asset life cycles, and access control quite evident.

Operations

As the asset goes through the operations phase, changes can occur. Such changes could include introduction of new or unauthorized software, the removal of certain critical software, or the removal of the physical asset itself from the enterprise.

When applying system security thinking to IATM we know the changes to an asset must get tracked and recorded. Therefore, asset monitoring, anomaly detection, reporting, and policy enforcement must occur in services, developer, or industrial environments. Tracking change logs is in fact a requirement for Level Two Certification. Systems thinking and asset lifecycles is critical to security and IATM.

A CMMC Certified Assessor will often rely on systems that monitor change logs and lifecycle data using installed agents that reside on the asset, as well as network-based monitoring systems that scan and capture network traffic. These monitoring systems collect data from and about the assets and send periodic reports to an analytics engine. Each monitoring system sends reports with a slightly differing emphases on aspects of these enterprise assets. Reports get collected regarding installed and licensed software, vulnerabilities, anomalous traffic (e.g., traffic to new sites or drastic changes in the volume of traffic), and policy enforcement status. Once again we have specific CMMC practices that require the collection and reduction of this dats.

End-of-Life

As an asset reaches the end of its operational life, it goes through activities within the end-of-life phase. These will differ based on the constraints of the in-scope environment. For devices across most organization this includes returning the asset to IT support for data removal. As a CCA you need to know who is responsible for overseeing the decommission of a device. Often organizations may not have an IT department, and this gets conducted by Human Resources or the CEO.

The unique identifier such as a serial number then gets removed from registration database and other associated databases such as your asset inventory. Finally, the asset is prepared for physical removal from the enterprise facility.

A CCP or CCA must know the CMMC practices associated with the end of life stage of the asset lifecycle. Especially for CUI assets. The Media Protection domain spells out specific requirements for the destruction of CUI in order to comply with CFR 32 Part 2002, the federal regulation defining CUI.

Planning for the Future: Configuration as Code

As a company engineers their IT Asset Management system they will want to automate this process as much as possible. For example, this may mean writing a Powershell script to inventory software and checking the current state of patches. Another script may get written to limit roles allowed to specific Teams meetings. Other companies may automate inventory utilizing their vulnerability scanner to count authorized devices.

Evidence collected through IATM also gets created through the system. A major goal of engineering for automated inventory is to create evidence of trustworthiness of the people and processes with authorized access to CUI. By understanding the practices that secure each asset IATM automates the collection of evidence needed to verify the procedures in a System Security Plan.

Both the automation of inventory and the collection of data benefit from system security engineering and make up an important process in the overall risk plan of an organization. Overall organizations should move to configuring IATM processes through baseline configurations. configuration as code allows those assets assigned DevOps roles to monitor and control configuration discrepancies. These efforts all come together in a reference architecture an organization builds to meet the requirements of NIST-SP-800-171 and constraints of the business environment.

The more we move to a zero trust model that authorizes at the asset level and not the boundary level through configuration as code the more secure we will all be. You still need to count what you protect. Just automate the process as much as possible.

---

This is the third post on using NIST-SP-800-160 Systems Security Engineering to meet the requirements of SC.L2-3.13.2 – SECURITY ENGINEERING

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

First post: Evaluating Organizations Seeking Certifcation: Document Based Requirements to Start a Conversation

Second Post: CMMC and Systems Security Engineering

image credit: Logistics Specialist Seaman William Swan, from Virginia Beach, Virginia, assigned to the aircraft carrier USS Gerald R. Ford (CVN 78), inventories repairable parts. flickr photo by Official U.S. Navy Imagery shared under a Creative Commons (BY) license

Every organization has a philosophy behind their system security plan.

These may range from an idea that, “Compliance is not security,” to “DFARS is an unfunded mandate, “ or ” “CMMC did this to me.”

Other organizations may have their SSP reviewed on a quarterly timeline, and they have biweekly security meetings to analyze any changing threats or to address open items in a plan of action. Even with no full time IT staff the CEO may have made security a central system principle. Another organization may be moving their technology to designs based zero-trust architecture.

These leaders made a philosophical choice.

The organizations they lead have designed a security program explicitly or implicitly utilizing the principles laid out “NIST-AP-800-160 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” published by NIST.

Philosophy and Cybersecurity

Choosing a design such as zero trust and then applying systems thinking is a philosophical choice. Apathy, or willful ignorance, is also a philosophical choice. Both will impact the assets and opportunities for an organization.

When evaluating whether to adopt or change a computing environment to meet the requirements of NIST-SP-800-171 a company needs to consider the impact to business outcomes at every stage of the system lifecycle and the processes that lead to profits.

A large company with contracts across many different federal agency may choose a hybrid deployment where users access assets in the cloud, servers and software somewhere else, but any software handling authorization runs “onprem,” a server located at the business and maintained by IT.

Another company may sell software and they connect to a cloud through VDI. No matter the deployment each company must meet the same security requirements. Everyone must demonstrate compliance with NIST-SP-800-171 through a CMMC assessment. Applying systems thinking ensures that when a system or asset gets authorized, we can trust the security.

Systems Thinking

Systems thinking is a lifecycle approach to examine each stage as contributing to an overall goal. Usually this goal is a business output that should result in a profit after margins get considered. Systems thinking leads to the development of a common mindset for any system.

Systems thinking drives outcome-oriented results and utilizes an iterative engineering process to deal with the complexity of business. Systems engineering, driven by this thinking, is data- and analytics-driven to create metrics to inform decision making. When comparing cloud, on-prem, or hybrid environments, for example, a company needs to consider the impact on all other systems within the organization.

In turn, regardless of choice in environment, we must consider how any asset impacts security while also embedding requirements at each stage of the asset or system’s lifecycle.

System Security Engineering

Systems Security Engineering, when layered on top of engineering systems, creates a “system of systems” that helps to increase the “trustworthiness” that an organization meets the 320 security requirements in the 110 practices of NIST-SP-800-171.

Basically the security concerns of any system and the assets that make up those system get integrated into the technical and nontechnical processes. Security becomes part of the philosophy built into all systems. This in turn leads institutionalizing of security and the use of security as a proactive contributor, and not just a cost, to the business outcomes.

Lifecycle of System Security Engineering

Regardless of the chosen computing environment a design philosophy requires an organization to establish a lifecycle for their System Security Plan. Like any system the SSP, which lays out how you meet the security requirements of NIST-SP-800-171.

Through engineering thinking we move the security of a system to an asset from a problem to a solution state while increasing the trustworthiness through deployment. At each stage an organization analyzes the security impacts to understand the security requirements, collect relevant data, align to business outcomes, and ensure fidelity for deployment.

A company’s risk-based security plan, acts as a system of systems on systems that integrate with all other systems in a business. Within that system the trustworthiness of evidence that the security requirements of NIST-SP800-171 get tracked in the SSP, or system security plan.

The SSP needs to be seen as a living document that reflects the security design philosophy while producing evidence of trustworthiness. An organization should consider the SSP and Plan of Action and Milestone on an organizationally defined timeframe such as six months.

When the time period elapses the system gets evaluated against the security requirements of NIST-SP-800-171 and a POAM gets published and triaged. Once the CMMC rule goes live in DFARS the allowable time on the POAM will not exceed 180 days and can only apply to a limited number of practices.

The System Security Plan

The SSP must act as a tool in the feedback loop of systems security engineering. You begin by first collecting all the security requirements of different assets. What laws and regulations govern these requirements? You then map, in the instance of complying with 171, how CUI data flows your system and create separation between in scope and out of scope assets. This is the problem context.

Once organizations have an understanding of assets they can then build out a reference architecture and complete an SSP and POAM. You implement technical solutions through policy and procedure that align to your design philosophy. This is the solution context

Following an initial publishing, or an update of the SSP and POAM if a new system is introduced the closed feedback loop kicks in. Having a C3PAO come in to complete a third party assessment adds the trustworthiness component to systems security engineering.

System Security Engineering and Compliance

No CMMC practice or assessment objective from NIST-SP-800-171a requires you to utilize system security engineering in efforts to comply with DFARS requirement. Yet companies who apply a security first principle from acquisition security tools to verification of customer receipt will have an easier time working with a C3PAO on a CMMC assessment.

System security engineering by its nature creates evidence of persistent and habitual application of CMMC practices. Having a plethora of evidence to choose from will help a C3PAO evaluate an OSC on any number of practices.

System Security Engineering requires organizations to consider their outcomes and constraints. Organizations then create policy to ensure regulation while planning and allocating resources for deployment. The baseline architecture, risks, and mitigation plans get communicated to in-scope people trained as part of the system.

We can not assess for best practice in cybersecurity. Cloud, on-prem, or hybrid. No one solution rules them all. Instead, we need to engineer for better practices given the local environments and contracting restraints.

When security becomes a first principle in this cycle everyone wins.

You do not jump out of a plane without first making sure a parachute works. Yet many Organization Seeking Certification (OSC) want to make a leap of bling faith about their compliance to the practices in the Cybersecurity Maturity Model Certification.

When an Organization Seeking Certification (OSC) contacts a Certified Third Party Assessor Organization (C3PAO) they will not immediately accept ytheir business. Having someone pay for an assessment when a five minute phone interview can evaluate readiness, or lack there of, of an organization would lead to unethical profits. Assessments are a tandem jump between the C3PAO and and the OSC. Both parties have a vested interest in knowing the parachute opens and covers all in-scope assets.

A C3PAO evaluates an organization as much as a OSC evaluates the assessment team they hire.

Where should an OSC expect a C3PAO to begin?

Scoping. The C3PAO needs to scope the assessment which means they need to understand how you scope your networks and systems and how CUI flows through the assets, people, technologies, and facilities, that make up your systems.

For example a C3PAO needs to understand the difference between virtual and physical locations of your assets. Do you have servers, “on prem” or do employees connect to an enterprise cloud? Can employees share and hold CUI on mobile devices? Do employees at home store and transmit CUI?

All of these questions impact the annual cost of your engineering and non-engineering costs each year. They determine the cost of a CMMC assessment. In fact no assessment should occur without knowing the difference between the logical and physical locations where in scope and out of scope assets exist.

What documents should I have ready?

As an OSC you must have a system security plan. You can not have an assessment without one. Yet your documentation needs stretch beyond the SSP. In fact to even begin a CMMC scoping conversation an Organization seeking certification should have the following document based specifications:

• Network Diagrams
• Data Flow Diagrams
• Reference architecture
• Asset Inventory
• Access Control Policies

These documents will not only explain the difference between your physical and logical techniques of separation used to protect CUI but also identify the owners and maintainers of the assets. As an OSC you can limit the numbers of assets in scope and reduce the cost of the assessment.

NIST SP 800-171 Rev 2, which states:

those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g.,implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. Basically when considering the logical and physical locations we always want to make sure the separation of assets legally authorized to process CUI. Logical boundaries, "set is physically (wired or tirelessly) connected to another asset or set of assets, but software configuration prevents data from flowing along he physical connection path." Your data flow diagram will demonstrate how Controlled Unclassified Information moves through your system. This will help you understand how to develop a more detailed network diagram. The network diagram would show all the firewalls that route traffic and only allow authorized assets to connect to the system. An access control policy identifies the authorized people with a matrix of role based access or other ways of user separation. We include an asset inventory to identify authorized devices. The asset inventory needs to track the software development life cycle of the device and includes information about the device owner and maintainer.

Why do these documents matter?

These documents prove a state of readiness for a CMMC assessment, but your really need to think of them as part of your life cycle approach to proving you implement the 110 security requirements of NIST-SP-800-171.

Basically you need to develop a systems engineering approach. In fact the most subjective of almost all of the security practices in CMMC revolves around security engineering.

SC.L2-3.13.2 – SECURITY ENGINEERING

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

ASSESSMENT OBJECTIVES NIST SP 800-171A

Determine if:

• a architectural designs that promote effective information security are identified;
• b software development techniques that promote effective information security are identified;
• c systems engineering principles that promote effective information security are identified;
• d identified architectural designs that promote effective information security are employed;
• e identified software development techniques that promote effective information security are employed; and
• f identified systems engineering principles that promote effective information security are employed.

Adjectives and adverbs add a degree of scale to assessment objectives but also subjectivity. What does “effective” mean? How do we demonstrate to an assessor, as an organization seeking certification we identify and deploy “effective information” security, techniques, and principles?

It begins with the document based artifacts that will have specifications proving you identify and deploy effective practices. “Effective information” architecture relies on technical information but also good project management. For example moving your security plan to a six month or annual cycle where you revisit the SSP and POAM while triaging not met practices during monthly meetings helps to support the technical understanding necessary.

So many examples of effective information practices exist. So do many more ineffective examples. Of course you must establish security policies, you may develop layered protections so multiple boundaries protect key architecture. Some organizations place controls as the foundation for their design. Everyone must incorporate security requirements into the system development life cycle. In other words has a devices passed end of life for security patches. Reference architecture contains your network diagrams that delineate physical and logical security boundaries. It will list all the key security assets that protect key boundaries.

You also need to consider in scope people when developing a systems engineering plan. For example anyone with privileged access, meaning they control security of assets or perform functions on systems others can not need different training on how to deploy secure software. Other employees may do risk awareness training and perform threat models to mitigate risk.

To provide enough evidence for the depth and breadth for the assessment objectives of this practice you basically need to demonstrate that you have system architecture policy that can act like a guide and explains the architecture. You will include, for example, if you deploy different networks to logically separate in-scope and out of scope assets.

SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]

Determine if:

• a publicly accessible system components are identified; and
• b subnetworks for publicly accessible system components are physically or logically separated from internal networks.

Network diagrams will docmument to a CMMC Certified Assessor that an OSC should provide the necessary logical and physical separation of in-scope and out of scope assets.

Controlled Unclassified Information takes an authorized legal need to access, store, or transmit. You can not just give access to the public to the CUI nor to the networks on where it gets transmitted and stored. In fact separating public accessible systems, like a company website or public wifi from the servers storing encrypted Federal Contract Information is a level one control. Remember the practices are cumulative . A CCA will assess all level one and level two practices for a Level 2 assessment.

Often companies will use a cloud enclave for CUI to keep the data stored away from the public. Other companies will create a DMZ, a demilitarized zone, or subnetworks. An OSC may have one subnetwork for employees, one for the public, and one for in-scope employees to transmit and store CUI.

By providing a C3PAO with a network diagram you provide readiness for your assessment. This also provides evidence that would speak to the breadth of your your security requirements. A CCA would add to the depth of the coverage by interviewing the people who protect the boundaries.

CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. ASSESSMENT OBJECTIVES [NIST SP 800-171A]

Determine if:

• a
physical access restrictions associated with changes to the system are defined;
• b
physical access restrictions associated with changes to the system are documented;
• c
physical access restrictions associated with changes to the system are approved;
• d
physical access restrictions associated with changes to the system are enforced;
• e
logical access restrictions associated with changes to the system are defined;
• f
logical access restrictions associated with changes to the system are documented;
• g
logical access restrictions associated with changes to the system are approved; and
• h
logical access restrictions associated with changes to the system are enforced.

In fact a CCA will assess how an Organization Seeking Certification restricts access to people who can make critical changes to your system.

Basically in order to have the system engineering in place for an assessment an organization should harden physical security at a uniformed layer. What must any employee or guest do to enter the building. You will need to monitor who comes in and control how they enter. If someone needs access to areas where systems changes can be made you need Follow them while they are there, and document why they are there. These steps must be spelled out in policy and procedures ahead of time. .

So your access control policy, a key document in getting a conversation started with a C3PAO should, “Define, identify, and document qualified individuals authorized to make physical and logical changes.” This could include employees or managed service providers whp have access to the organization’s hardware, software, software libraries, or firmware

Overall before you begin an assessment you need to demonstrate that you implement physical access control that prohibits unauthorized users from gaining physical access to an asset. You may use a key card or key pad entry to enter a server room. Your access controls should not allow regular users to log into security software. Some companies may use software that has automation with management workflow rules that define tasks such as seeking approval to change a server. A common technique is to use multiple boundaries such as only allowing patched from a specific IP management system but still requiring a manager to authorize execution.

The network diagram, asset control policy, and asset inventory will all help a C3PAO understand the difference between the logical and physical controls of an OSC’s location. These documents will demonstrate how separation gets protected with access control.

An Organization seeking certification not only must demonstrate their scope and network to a C3PAO but they should also explain how they perform system maintenance control on a system.

MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]

Determine if:

• a tools used to conduct system maintenance are controlled;
• b techniques used to conduct system maintenance are controlled;
• c
mechanisms used to conduct system maintenance are controlled; and
• d personnel used to conduct system maintenance are controlled.

These tools do not store or process CUI assets on a system but do “diagnostic and repair actions on those systems.” Viruses and malware get introduced all the time through bad patching or remote management maintenance tools.

Companies have flexibility in implementing these requirements but this control illustrates how important asset inventory is when starting a conversation with a C3PAO. You can not approve maintenance tools without knowing what maintenance tools you need.

Once you know the tools you need you should include the who is in charge of the maintenance and link to a document tracking the software development life cycle, basically when di you add the software, the version, operating system, controls it meets, business function it plays, when it gets updated, and when the software is no longer supported.

Scoping Matters

The four controls highlighted demonstrate how document based artifacts help to provide the breadth of evidence you utilize to demonstrate you meet the requirements of an objective. Yet these documents also provide a jumping off point for a C3PAO to evaluate an organization seeking certification.

If a company has not documented the differences between the logical and physical locations of their assets than they can not get a CMMC assessment.

Asset Inventory will drive your compliance. Whether you rely on the shared responsibility of zero trust models or protect information at your boundaries, asset inventory drives your security. When determining the cost of both compliance and security asset inventory drives your scoping.

Asset Inventory Matters.

You can not protect what you do not count.

What should good asset inventory be an inventory of?

Before we get there consider your process. How will you count the stuff you want to protect? Once a company gets over 5-10 employees mandatory inventory hurts. A lot. Not only is it time consuming but the data quickly falls out of date.

Asset inventory needs to be a living document fed by automation and cared for with good policy and procedures. You need a system to automate asset discovery. You need to collect up to date information on your assets, such as patching or log-ons. Some assets, like computer programs, may come with a software bill of materials that contain important information that gets automated.

Before you count stuff you must figure out how you will count it but you need to be strategic. For example a company may use their vulnerability scanner to identify assets connected to a system or they may use a spreadsheet and inventory scanners. Just develop a plan that helps to automate as much as possible while considering the many different practices of CMMC.

What Goes into Inventory?

• Unique Indentifier-Each asset needs its own name
• Platform type-Windows, Mac, Server
• Asset Categorization-Type of CMMC asset per scoping guidance
• Admin of asset-Maybe employee or a third party through shared responsibility
• The applications and processes that manage the inventory of this asset
• Network Connections-ways the asset connects
• Regulations-Laws that govern this asset
• Practices/Controls Met-CMMC practices that protect the asset
• Assets role in business
• Contractual Availability-Any rules that spell out access to asset
• Assigned Maintenance-Who maintains asset or third party relationship
• Link to Maintenance Plan

As Jill Lawson notes you will want to expand the CUI assets to a greater extent and include links to a CUI Management plan:

that identifies what CUI or CTI is being protected, who has access to it, where is resides at rest, how to dispose it, and the process of notifying the KO if a risk of aggregation of the CUI arises

.

A CUI policy is one of the delta twenty practices that got cut from CMMC 2.0 and is listed as an NFO, an Appendix E of NIST-SP-800-171. As in the government assumes this is something you do. As an NFO control that means, while not assessed it is an expectation that you meet this for compliance with DFARS-7012.

Source: NIST SP 800-40r4 Guide to Enterprise Patch Management Planning:Preventive Maintenance for Technology

img: Counting flickr photo by anno.malie shared under a Creative Commons (BY) license

Under the Cybersecurity Maturity Model Certification Program a level company who holds federal contract information must complete a self-assessment “with an accompanying senior company official affirmation” every year.

Introduction to CMMC Level One

CMMC Level One helps to ensure the contractor meets the basic safeguarding requirements for Federal Contract Information (FCI) specified in FAR Clause 52.204-21. Others can then have added trust to a companies system to protect sensitive data.

Most companies will keep their entire system secure beyond the baseline of the seventeen requirements of NIST-SP-800-171 included in the level one assessment guide. Level one provides you a staring line and not a finish line.

In fact, “a CMMC Level 1 self -assessment, the assets that process, store, or transmit FCI are considered in scope and should be assessed against the CMMC Level 1 practices.” Yet any basic risk based cybersecurity plan should meet the level one baseline.

FCI is such an umbrella term for any data generated as part of a federal contract most companies will not have level one enclaves. Some companies, those with cleared environments, may have some staff that only need access to FCI. Large multinational corporations may have level one business entities to act as a boundary between divisions that hold Controlled Unclassified Information with export controls and international divisions. Yet for the most part companies should assume their entire system, all the peopl, processes, and technology that get the contract done, fall in a level one scope.

Reading the Assessment Guide

The CMMC Level One Self-Assessment guide includes an overview of the level one assessment practice, the assessment criteria you use, key operational definitions to use during an assessment, and then a description of each assessment practice and a list of all assessment objectives for each practice.

When reading the assessment guide you need to understand the role of the assessment criteria. CMMC uses the NIST CMMC definition of an assessment procedure. This procedure consists of an assessment objective which gets met by using assessment methods that connect to assessment objects, or evidence, to justify the assessment finding. A CMMC practice gets met when all assessment objectives get met. This means your self-assessment needs an assessment procedure for each objective at level one. That means you need 59 assessment procedures. Each procuedure will have 2-3 assessment objects. So in your self-assessment you need to document 120-180 pieces of evidence.

You choose the methodologies based on which provides the most adequate depth to the assessment objectives. If your examination of document based artifacts, or specifications, will provide the greatest depth focus on that methodology. This focus allows you to apply greater rigor through a more comprehensive examination of the assessment object. Yet in our example of using document based artifacts the access control policy may not change between a basic and a comprehensive examination. You increase the rigor of the examination and not the amount of evidence.

Yet you ensure the sufficiency us your evidence by also including coverage from other methodologies. You may not put as strong a focus on assessment objects for other methodologies but you want to ensure you have a preponderance of qualitative and/or qualitative evivence so anyone who read your assessment finding would agree.

You also ensure the sufficiency of your coverage by deciding on how representaive the evidence is to the assessment objective across the sample. This means you must decide on how your sample sample size. Some times, such as an approved software list, you may include them all. When examining testing data of routers and switches a basic examination may include a representative sample, a more focused examination would triangulate the the asessment finding using other evidence. Finally a comprehensive examination may include checking the settings or procedures for each component.

If you struggle with deciding on the adaquecy of your depth and the sufficiency of the coverage of your evidence go back to the CMMC assessment practice statement. What is the intent? What evidence best shows you meet this intent for the assessment objective? What methodology? Focus there.

When reading the CMMC Level One Self-Assessment Guide remember the only prescriptive requirements are the CMMC practice and the determining statements of the assessment objectives that let you know if a practice is met or not met

References:

CMMC Level 1 Self-Assessment Guide pages are shared by the CMMC-AB usimng a CMMC-BY license.

What Data Are In Scope?

You are assessing against the 171 standard using the CMMC framework. While practices require data to be separated from authorized and unauthorized users and other controls require compliance with federal regulations you assess against the assessment objectives in the CMMC Assessment Guides.

You do not perform an Assessment of the sovereignty and provenance of data. You will not look for ITAR spillage. This is an assessment against the CMMC practices using the assessment objectives from 171a.

You do not check systems to see if an Organization Seeking Certification followed through on the Incident Reporting requirements. This is not an assessment of compliance with DFARS 7012.

Now an assessor will check to see if an access control policy or if a chosen product would meet the requirements of keeping unauthorized users in compliance with export control regulations. If your CUI policy mentions 72 hour reporting requirements than An assessor may check the procedures to ensure organizationally defined times in an incident response plan would meet DFARS requirements as evidence you do what you say.

All of this gets defined in scope. This is not a NIST-SP-800-171a assessment nor a NIST-SP-800-53a assessment. It is a CMMC assessment using the CMMC Level 1 or 2 Scoping and Assessment guides. Any Organization Seeking Certification will have the right to demand they must only comply with the NIST-SP-800-171 standard as presented in the assessment guide. You can not fail, someone, nor do you even assess, if they meet the NFO controls of NIST-SP-800-171 . You perform a CMMC assessment. Period. The conditions of this assessment get finalized during scoping assessments.

Scoping Matters

What data and systems are in scope gets settled during a scoping pre-assessment. For a level 1 self assessment it is just best to assume your entire system falls in scope given the broad categorization of Federal Contract Information.

Once you know the systems and assets in scope a Certified CMMC Professional can start to help an Organization collect, or they can help as a member of an assessment team. In fact, at this time, a CCP can qualify to take a CCA exam after completing three assessments as a meber of a team.

What is an Assessment?

CMMC draws from NIST-SP -800-37 for a definition of Assessment:

The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization

Let us unpack this a little bit.

First their are the security requirements for the information system or organization. For CMMC this includes the requirements in NIST-SP-800-171.

Then you have a desired outcome. This is the governance evidence. Where does the OSC have it written down what should happen. This maybe company policy or software defaults. It maybe in a shared responsibility matrix it may reside in a service level agreement.

Next, working backwards, comes “implemented correctly.” Here you are checking if the procedures will do what the policy says the company will do. This could be reference architecture or implementation guidelines. Step by step guidelines to ensure the control operates as intended.

Then you may interview people to see if they do the do or watch a company test something such as a passowrd lock out after an organization defined number of password attempts.

A CMMC assessment never involves any penetration testing. Leave your lockpicks and honeypots at home. A CMMC never involves a CCP running any data discovery tools or analyzing audit logs for potential breeches. A CCP collects or evaluates evidence to make sure audit logs meet the security requirements of 171. This means knowing which secuirty requirements are applicable to which controls.

What is Applicability?

You don’t check to see the last time a cloud based MFA tool attended its last training session. Role based training requirements are not applicable to tokens nor to your key boundaries. Now to people who have privileged access the tools keeping data separated at the boundary? Role based training requirements are applicable.

When you conduct a CMMC scoping assessment the CCP and OSC will review the assets. All the assets in the end get scored against 110 requirements but many might get marked as not applicable.

NIST-SP-171a rules break down to each requirement having enough depth and coverage. If any security requirement of a CMMC practice falls in scope than you must meet the rest of the requirements to provide enough depth to ensure the practice gets met.

Once a security requirement falls in scope all the security requirements of that CMMC practice fall in scope.

For example let’s take the Maintenance domain. MA.L2.-3.7.5 requirements have you protect CUI when machines go for off site repair. If you simply replace and do not send computers off site for repair this practice and all its assessment objects would get marked not applicable.

If however you allow CUI stored on mobile devices a CCP may look for evidence that employees do not take devices into repair shops for such things as cracked screens. Now all of the determining statements of MA.L2.-3.7.5 assessment objectives are applicable.

Some Organizations Seeking Certification may seek a variance for specific controls from the 171 baseline. This would mean that they need to use offsite repair for devices with CUI but for some reason can not meet all the assessment objectives of MA.L2.-3.7.5 . In this case, they would need to ask and receive a variance from the Department of Defense CIO.

A CMMC assessor will never test if the variance gets followed. This is not a DFARS assessment. The requirements for a variance are not in NIST-SP-800-171. You may though use a document proving a variance exists as an assessment object to meet the adequacy and sufficiency requirements of the CMMC Assessment Process

What is an Assessment Procedure

As assessment procedure gets broken down into a few parts to ensure the accuracy of the information. This includes the determining statement. This is the assessment objective of what the evidence must show is getting met. This determines traceability of accuracy of the evidence. Without accuracy the depth of the CMMC practice can not get guaranteed.

You link this content to the evidence. This evidence makes up the assessment objects. You must collect enough objects to ensure the determining statements get covered sufficiently. This helps to ensure the breadth of the practice get met.

In terms of assessment objects they come in three flavors:

What is an Assessment Object?

• specifications-Document based artifacts that explain, explicitly or implicitly (never leave anything to inference int he system security plan), how the determining statements get met. This includes, “policies, procedures,security plans, security requirements, functional specifications, architectural designs” (CMMC, 2022, pg 7).
• mechanisms-the stuff and equipment that makes up your systems. An assessor, for example may check how your patching and update mechanisms work on your antivirus software.
• activities-stuff people have to do to protect systems. This could include holding a table top exercise as part of risk awareness, bimonthly meetings to review the SSP, or your back up plans.
• People who do the activities to ensure the mechanisms meet the specifications.

What Are The Assessment Methodologies?

In terms of gathering assessment objects you utilize three methodologies. The methodology rounds out the third and final part of the assessment procedure.

• Examine-Touching assessment objects. Usually specifications and document based artifacts such as policies and procedures. This includes HR documents, Acceptable Use Policies, System Security Plans, etc
• Interview-Talking to assessment objects, but call them people. You can have discussions with individuals or groups for clarification, to suss out if procedures get followed, or to collect more evidence.
• Test This means watching the results of an activity or mechanism get performed under specific conditions. For a CMMC assessment this means an in-scoped individual will engage in the activity or mechanism. At no time does a CCP or an Assessor really need access to the CUI stored on a system. You will not test any systems.

When is Enough Evidence Enough?

CyberDi uses a claim, connect, action approach to considering if we have sufficient evidence to meet the breath of coverage necessary for each determining statement or assessment objective. You make a claim against a practice of not or met. You then connect each assessment objectives to enough to ensure someone else would reach the same conclusion reading your report.

If you are an CCP helping an Organization prepare you provide actionable feedback that can get added to a Plan of Action that would lead to the practice getting met with enough depth and breadth.

When determining the adequacy of evidence you need to consider all three assessment methodologies. For some practices you will rely on the governance documents more while other practices will require a focus on the mechanisms. The nature of the control determines how much focus you put on each of the assessment methodologies.

First you ask which of the three methodologies will provide you the greatest depth in ensuring breadth to help ensure the accuracy of of the evidence used in the assessment procedure. You consider if you need a basic, focused, or comprehensive use of the methodology against the assessment objects.

Once you decide on which assessment methods give you the greatest depth you would then increase the chances of making a correct assessment by including evidence from other methodologies but you may not apply the same level of focus to the depth of the assessment. By utilizing a mixture of assessment methodologies, and including both quantitative and qualitative evidence in your report or system security plan you ensure the adequacy of the evidence to prove the accuracy of your claims.

References:

NIST-SP-800-171a Appendix D
NIST SP-800-37
NIST SP-800-18
Bonner, R. (2002). The Importance of Scoping and Applicability in CMMC. Retrieved from: defcert.com/the-impor… DefCert.
Image Credit Remixed From Bryan Mathers’s Anatomy of an Open Badge originally shared with a Public Domain license CC0

CMMC 2.0 did not change much for level one beyond moving to a self-assessment model rather than relying on a third party assessor. In fact many companies will end up hiring a Certified CMMC Professional to conduct their self-assessment.

Level one, under the Cybersecurity Maturity Model Certification Framework, requires companies to self assess against 15 Safeguards in FAR Clause 52.204-21 which get assessed against 17 requirements from NIST-SP-800-171 and 59 assessment objectives from NIST-SP-800-171a.

Before one can begin a Level One self-assessment you need to conduct a CMMC Level One Scoping assessment.

Before one can conduct a Level One scoping assessment you need to categorize your FCI, or Federal Contract Information assets.

Do not think of FCI as something you put in one bucket and your company’s data in another bucket. Work towards a baseline of keeping the water clean of malicious intent, deliberate or accidental. regardless of how you categorize the data.

Only you can prevent dumpster fires.

FCI Assets

Federal Contract Information (FCI) is any information recieved, created, transmitted, or stored that is the result of a federal contract and not meant for public release.

FCI,does not get labeled and represents such a broad category of data most companies will simply apply Level One as the baseline for their entire system.

CMMC level one represents the floor in cybersecurity. Few will have an FCI enclave that separates FCI from data in other systems and processes. Remember a process can involve multiple systems and a system gets made up of different components.We will see exceptions.

Companies that do level two work or higher may separate an FCI environment by default of carving out a Controlled Unclassified Environment. Many service companies that do Level Three or even Classified work may have a front office that handles all the contracting and associated with an award.

Multi-national corporations may have some subsidaries or divsions that are level one and others that are level three.

Even in these scenarios your risk based security plan should exceed the basic safeguards of FAR-21 if you want to protect your company’s intellectual property.

So when identifying FCI assets in scope it maybe best to not think of individual files or even software but to think about how your company processes, stores, and transmits federal contract information.

When assets get defined as anything with value that processes, stores, and transmits federal contract information it is easy to see how having your entire system in scope becomes a requirement.

• Process-Assets that access, enter, edit, generate, change, print and delete FCI in the workflow of your contract
• Store-Simply data at rest like a saved file. You need to protect your data as much as the governments data.
• Transmit-Assets sharing FCI. Remember this can be person to person or software to software (components)

How do I identify FCI Assets?

Given the advice that one should consider the entire system in scope for FCI how should a contractor go about categorizing FCI Assets?

Even though the Level One assessment and scoping guides say there are no documentation requirements assessed at level one you should have documentation about your FCI assets.

You do not need to see your documentation to pass yourself on a self-assessment but you should never be able to pass yourself without good asset management. This requires policies, procedures, and inventory.

Documentation.

So to best assess the FCI in your environment you may choose the following set of checklist questions derived from the assessment guide. These questions attempt to elicit all the FCI assets you would need to document across processes, storage, and transmission.

Process

As you begin to identify the processes that involve FCI you seeo to answer, “How does data flow through your company from contract award to conlcusion?”

Some of the FCI assets, such as key boundaries, places that stop unauthorized access, could fit in all categories. These assets got listed under transmission rather than listing them in multiple places. I chose transmission over process thinking risk management.

Most spillage occurs at the boundaries when data is in transit (and by leaked crednetials through phish but there is no phishing awareness and training requirements at level one. Please do phishing training and turn on MFA). Therefore thinking about your key boundaries (even though they protect data at rest too) as assets protecting FCI in transmission made sense to me. Feel free to move the questions into any shape or form you want.

Also remember most level one companies will rely on commercial cloud enterprise software. Much of the FCI asset categorization revolves around knowing your software, the default configurations and how to properly configure it based on your security plan.

When considering categorizing processes that handle FCI assets you need to answer:

• What people can access FCI?
• What are all the third party apps and software people use…All of them, even people’s favorite browser plug-ins?
• Does your list of people identify what systems and processes they can access by identifier or role?
• Do you list the devices that can access your system? Do you know how your enterprise software list devices accessing the system?
• By type of device?
• By specific devices?
• A mix of both?
• Do you have a list of unique identifiers you assign to devices?
• Do you have a list of your external systems’ (Microsoft, Google, Salesforce) identification and access management and password policy defaults?
• Do you treat FCI different than rest of your data?
• Do you list all external systems you use like your Enterprise Software and Alarm Company?
• Do you list any policies and procedures you have for destroying FCI?
• Do you have a list of you policies and procedures for escorting and logging visitors?
• Do you have a list of all your physical access devices such as keys, and NFC badges?
• Do you have a list of policies and procedures for handing out and collecting devices during hiring and termination?
• Do you have a network diagram?
• Do you have a systems diagram showing how FCI moves (data flow diagram)?
• Do you have a floor plan?
• Do you have an org chart?

Store

Most companies at level one will use an enterprise cloud storage solution. While most effort will be needed to train employees not to use personal accounts, level one has no training requirements.

When considering categorizing FCI assets you need to ask:

• Do you have a list of devices and systems that store FCI?
• Do you have a list of people who can access processes that protect stored data?
• Do you have a list of all your enterprise baseline controls for securing and possibly encrypting FCI?

Transmit

Again when transmitting FCI your employees, often through accidental internal threats, will cause most issues by using personal accounts. Not knowing the default settings of your Enterprise software is a close second.

When considering categorizing FCI assets you need to ask:

• Do you have a list of people who can transmit FCI?
• Do you have a list of approved methods for transmitting FCI?
• Do you list individuals allowed to post information to public systems?
• Do you list the components of key internal boundaries
• Do you list all the components that protect communication at key external boundaries?
• Do you list system components vulnerable to malicious code?
• Do you have a list of your current external systems (email, file sharing, etc) software life cycles for all the processes you use?
• Do you list the policies your Enterprise Software uses to scan for malicious code?

A small business doing a level one self-assessment will inherit responsibility for protecting FCI assets from third party enterprise cloud vendors such as Microsoft Office 365 or Google Workspace. Much of your level one asset management will get determined by how well you can find the terms of service, baseline configurations. You then list any requirements you add to the defaults (turn on MFA please).

You self-assess the FCI assets against the applicable controls in the CMMC Level One assessment guide. Meaning you would not assess key boundaries like a firewall for documenting physical access devices.

These questions will only help you categorize Federal Contract Information as it moves through your processes built in your system and when you transmit or store this data. The list of questions should help to identify the type of inventory needed for a level one self-assessment.

Pleasse do not think each question requires an its own inventory or document. The Netowrk Diagram for example may check off more than five of the prompts listed above.

As a company self-assessing you need to focus on using Level One to get a baseline measure of your cybersecurity hygiene and use your compliance with FAR Clause 52.204-21 to create a bare minimum for protecting data, both your IP and the Gov’s FCI, in your risk based security plan.

For companies working toward level two CMMC certification if you were honest when calculating a score to upload in SPRS, and it was was below -50 getting to level one first may provide you with direction (just make sure any devices and components at key boundaries meet Level two requirements) before purchasing.

Do not think of FCI in terms of an enclave or the assets moving through subsystems. Your entire system needs to handle federal contract information

It is okay if you can not answer these questions yet, but one can not self-assess at level one without scoping. You can not scope until you know how in-scope assets move through your system.

Count your stuff, Then protect it.

Otherwise when you go to put out the next fire at work you may grab the bucket full of lubricant oil and not water.

(P.S. Please turn on MFA) (P.S.S. The first P.S is really important)

Img Credit “Fire Buckets at Oakworth Station” by Tim Green aka atoach is licensed under CC BY

Many Certified CMMC Professional (CCP)will find the Configuration Management domain one of the trickiest for organization seeking certification to implement. Yet you have to ensure all employess have secure equipment from the starting line. By spelling out clear rules of the road through policieis and procedures you can ensure all clients

The 11 practices, six from level 2, three from level 3 and one level five requirement focus on how an organization deploys, sets up and manages systems, devices, software, networks and hardware. Specifically on an organizations ability have a configuration baseline and practices to audit this configuration and introduce changes.

Why Configuration Management

A CCP will want to work with clients to develop configuration management policies and procedures to mitigate security risks. You cannot eliminate vulnerabilities and reduce the costs of systems maintenance without a good configuration management. Every device you give an employee, every network router, and every switch needs to follow specific set up in a consistent manner. A Certified CMMC Professional will needs to work with a client to manage all changes. This will require organizations seeking certification to develop defined change control process.

Imagine if you allowed employees to simply go online and order a laptop. How would you know what Operating Systems get used? Will you know if they update the computer? Which anti-virus software comes installed?

Configuration management limits these issues. A company must have standard baseline image, not just for devices but for all the endpoints. Your configuration management and change logs need to track the software version, any hardware or software installed, ports that get open or blocked, and protocols for vulnerability scanner that the user does not control.

Configuration Management takes deep technical knowledge. A CCP will need to work with software documentation, vulnerability scanning software, STIGS, Reference architecture from an external service provider, or often a checklists of steps to follow

In fact, talented CCPs will see configuration more as a life cycle approach rather than a simple security management checklists. This lifecycle moves a system from the concept of operations through the vulnerability scanning, change management, operations, and decommissioning. As a system matures the people in a company will come and go. New technologies will emerge. A CCP can help clients address these programs by ensuring they have a consistent change management policy through the lifecycle of the system that boils down to system hardening, change management, and change management processes.

You cannot accept the defaults. Rarely will products come out of the box with secured to a a NIST-SP-800-171 baseline. A CCP will work with clients to ensure service packs get updated, unnecessary features get deactivated, account provisioning stays in compliance, and all firewalls and automatic updates get set up. If an organization seeking certification inherits many of these practices from an external service provider such as an MSP or IT form the CCP will need to review the shared responsibility matrix.

The configuration management lifecycle requires a focus on change management. You must ensure systems remain stable and employees cannot make changes without privileged access. As a CCP make sure clients include change management in their configuration policies. An Organization Seeking Certification must have a formal review proposed for all changes. This should include regularly scheduled reviews and an emergency process for installing critical patches. Only these proposed changed should get made. Finally, a CCO should ensure a client as procedures in place to re-assess their baseline setting and ti evaluate if it should change.

In order for these first two elements of configuration management lifecycle to occur a CCP will need to assist companies in tracking the process through change logs. This includes having a change request process, evaluating the risk of change, an approval process, testing the change, evaluating if employees need new training, implementing a baseline, validating the baseline, and then finally documenting the change.

Many of the changes to a system happen through software updates and patches released by a vendor. Therefore, change management processes must address how a company handles patch management. A CCP should work with organizations seeking certification to ensure the configuration management policy addresses patching.

Configuration Management provides recognized, standardized, and established benchmarks that spell out the procedures a company must follow to secure their systems and metrics.

Practices of the Configuration Management Domain

The following security requirements fall under the Configuration Management family:

3.4.1 Establish and maintain baseline configurations and inventories of organization information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

A company must have a baseline approved by management to meet the assessment objectives under this practice. A CCP will have to work with their clients to ensure the baseline configurations get developed, documented, and maintained for each syetsm. This means identifying all the systems that handle FCI or CUI, monitoring these endpoints, and developing these endpoints so the baseline configuration before meets 171 compliance before user access.

This requires a system development life cycle spelled out in your configuration management plan. You must provide the foundation for the successful development, implementation, and operation of company information systems.

A Certified CMMC Professional has an ethical obligation to include staff on the team, or let who possess security expertise and skills to ensure that needed security capabilities are effectively integrated into configuration management utilizing best practices in reference architecture. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the company’s business processes. This process also enables the integration of the information security architecture into the enterprise architecture, consistent with company risk management and information security strategies.

The configuration management domain lives and dies based on good document-based artifacts. As a Certified CMMC Professional working with clients to integrate a lifecycle approach you may have to assist clients in developing or curating specifications such as:

• configuration management policy
• procedures addressing the baseline configuration of the information system
• procedures addressing configuration settings for the information system
• configuration management plan
• security plan
• enterprise architecture documentation
• security configuration checklists
• evidence supporting approved deviations from established configuration settings
• change control records
• information system audit records
• information system design documentation
• information system architecture and configuration documentation
• information system configuration settings and associated documentation
• change control records
• other relevant documents or records

The technical members of a Certified CMMC Professional’s team will need to work closely with employees who have configuration management responsibilities, security configuration management responsibilities, and network adminsitrators. Again for many Organizations seeking certification this maybe an IT company or Managed Service Provider with these roles. In this case you must also ensure the shared responsibility matrix or teaming agreements handle baseline configuration, change processes, audit logs, and patching procedures.

A CMMC assessor will want to see these employees or service providers conduct the following tests:

• processes for managing baseline configurations
• automated mechanisms supporting configuration control of the baseline configuration
• processes for managing configuration settings
• automated mechanisms that implement, monitor, and/or control information system configuration settings
• automated mechanisms that identify and/ or document deviations from established configuration settings

3.4.2 Establish and enforce security configuration settings for information technology products employed in organization information systems.

This practice requires companies to bake security into their configuration management plan. A CCP must work with their clients to ensure assets only have features and capabilities that allow them to do their job. A good configuration management policy reflects the most restrictive settings that still allow a business to operate. Like any element of configuration management changes to security tools must get approved, tested, and documented.

Once again a CCP will need to ensure a company has strong document based artifacts to meet the assessment objectives of this practice. These specifications can include:

• configuration management policy
• procedures addressing the baseline configuration of the information system
• procedures addressing configuration settings for the information system
• configuration management plan
• enterprise architecture documentation
• information system design documentation
• information system architecture and configuration documentation
• security configuration checklists
• evidence supporting approved deviations from established configuration settings
• system audit records
• change control records
• other relevant documents or records

A CMMC Assessor will want to see interview the same people and observe many similar tests for this practices as well as other practices in this domain.

3.4.3 Track, review, approve/disapprove, and audit changes to information systems.

To ensure a company meets this practice a Certified CMMC Professional should first identify the IT leadership employees who act as a review board. All changes must get approved an d logged to have enough evidence for the assessment objectives. By building in a set time for the review board to meet you can help clients meet the requirements. You also need to make sure these changes get documents in IT asset management policies.

Numerous changes must get documented. These include modifications to hardware, software, or firmware components and configuration settings. The change process cannot interfere with information system operations. Thus testing needs to reflect company security policies and procedures. They get by information system security policies and procedures default features. Overall a company want to protect the specific health, safety, and environmental risks. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). Changes to information systems should be reviewed and approved by company management prior to implementation. Beyond the evidence collected for the other practices in this domain a CCP may also want to consider:

• change control records
• information system audit records change control audit and review reports
• agenda /minutes from configuration change control oversight meetings
• other relevant documents or records
  

Beyond the other individuals interviewed to gather evidence a CCP will want to speak with or help to establish a change review board. A CMMC assessor will want to observe tests on processes for configuration change control and automated mechanisms that implement configuration change control.

3.4.4 Analyze the security impact of changes prior to implementation.

You cannot simply introduce new software and changes to a company’s IT system and information security responsibilities such Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers. Once again for many organizations seeking certification this will involve including external service providers that do IT and security. No one department or person could track the endpoints and software across an entire organization.

When a change gets proposed a process or control board must evaluate the security impact. The review process must have clear testing procedures. Many manufacturers will have a change control board or process as part of their Quality Management System for other certifications such as ISO 9001. A CCP should work with a client, who may not have dedicated IT staff, to meet these requirements using already existing processes. Tracking IT changes using the same process will save companies money and increase security.

A CMMC assessor will want to ensure the effectiveness of theses tests. They must consider if the changes impact compliance with other 171 requirements. All configuration changes should then get tested, validated, and documented on a subset of devices or a staging environment before installing them on the operational system.

This again falls to the importance of the change review board and the importance of clear policy and repeatable procedures with a plan to monitor, meet, and document testing and changes.

3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

Zero trust means little once a malicious or unintentional internal threat has access to your servers and networks. You will need to track and log physical access to key physical areas where changes to the system can get introduced. This will often involve a key card and audit logs. As a CCP work with organizations seeking certification to ensure these areas get clearly marked and penalties for unauthorized access get spelled out in an employee handbook.

For logical access you must consider the implications and how to track who can make security changes to a client’s boundaries. Modern identity management software can require approval, set time bound windows, send notifications to the control board, have role based access and many more features to monitor changes to logical boundaries.

For both physical and logical restrictions always ensure to keep the practices of least privilege in mind.

Beyond the other document-based artifacts already collected for this Domain a CCP must also consider: * logical access approvals * physical access approvals * access credentials * change control records * information system audit records * other relevant documents or records

A CMMC assessor will want to interview employees with logical and physical access. They will need access to employees with information security responsibilities and network administrators.

The assessor will want to see these employees perform automated mechanisms supporting/ implementing/enforcing access restrictions associated with changes to the information system

3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.

An employee of a client will not need minesweeper and every Instagram photo filter on their computer in order to do their job. Simply put an Organization Seeking Certification must configure technology so employees only have functions need to keep the system and business operational. A CCP will need to work with a client to identify and remove/disable applications, ports, protocols, services and settings on your systems. This often means imaging machines to remove or add on to default settings.

If a client a CCP works with does not use VOIP than disable the ports VOIP uses.

A CCP will utilize a variety of evidence for document-based artifacts. They should note an inventory of ports gets included in the System Security Plan. ACCMC assessor will want to observe a test on the processes prohibiting or restricting functions, ports, protocols, and/or services

3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

This practice relates closely to 3.4.6, and like many relies on strong IT Asset Management. A company, however, must explicitly define how they limit ports and protocols necessary to provide the service needed for continuation and security. You may disable FTP, for example, or remove applications from a device before access Once again this inventory of ports and programs must get included in the SSP.

In fact companies should consider disabling unused or unnecessary physical and logical ports/ protocols such as Universal Serial Bus (USB), File Transfer Protocol (FTP), and Hyper Text Transfer Protocol (HTTP on information systems to prevent unauthorized connectios As a CCP you may have to help an organization seeking certification evaluate companies that can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections. Firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services can also help mitigate much risk. As a CCP help clients gather evidence from typical document-based artifacts that include.

• configuration management policy
• procedures addressing least functionality in the information system
• configuration management plan
• security plan
• nformation system design documentation
• information system configuration settings and associated documentation
• specifications for preventing software program execution
• security configuration checklists
• documented reviews of functions, ports, protocols, and/or services
• change control records
• information system audit records
• other relevant documents or records

A Certified CMMC Professional will need to work with employees with responsibilities for reviewing functions, ports, protocols, and services on the information system and network administrators. Together make sure observable test can get performed on:

• processes for reviewing/disabling non-secure functions, ports, protocols, and/or services
• automated mechanisms implementing review and disabling of non-secure functions, ports, protocols, and/or services
• processes preventing program execution on the information system
• processes for software program usage and restrictions
• automated mechanisms preventing program execution on the information system
• automated mechanisms supporting and/or implementing software program usage and restrictions

3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting policy to allow the execution of authorized software.

This practice builds on top 3.4.7 but requires companies to maintain a list of approved software and a list of software denied to all or requiring an exception. In fact many organizations go beyond the minum of this control and organizations verifying the integrity of approve-listed software programs usingcryptographic checksums, digital signatures, or hash functions. These certificates help to verify versions and secure updates.

Between maintaining an approved list and a not-authorized list, the denial list provides stronger protection. Policies alos get deployed to prevent certain types of software from being run on the company’s systems such as games. A CCP will need to ensure a client checks these policies s by periodic audit.

Beyond the usual document based artifacts of this domain a CCP will want to help an organization seeking certification organize evidence from:

• information system configuration settings and associated documentation
• list of software programs not authorized to execute on the information system
• list of software programs authorized to execute on the information system
• security configuration checklists
• review and update records associated with list of unauthorized software programs
• review and update records associated with list of authorized software programs
• change control records

Employees with information security responsibilities and network administrators will need to know how to demonstrate tests on

• process for identifying, reviewing, and updating programs not authorized to execute on the information system
• process for identifying, reviewing, and updating programs authorized to execute on the information system
• process for implementing blacklisting automated mechanisms supporting and/or implementing blacklisting
• process for implementing whitelisting automated mechanisms supporting and/or implementing whitelisting

3.4.9 Control and monitor user-installed software.

As a Certified CMMC professional just make sure companies disable user installed software on in scope systems. Remember users should not have privileged or admin access on machines that connect to your network and all privileged users always require MFA authentication. This will allow a company to control unapproved software.

Policies must fully describe allowed installations and procedures to check that for policy violations. These polices may want to have very stringent exceptions for installing software, especially on the devices of privileged users.

A CMMC Assessor will not only want to review these policies and procedures but they will want to see employees perform tests on processes governing user-installed software on the information system an automated mechanisms for alerting personnel/roles when unauthorized installation of software gets detected.

If a company takes the time to put down a clear pathway for configuration management we can help to protect the confidentiality of information. Just remember while we need to get to the finish line one should approach it more as conditioning. Once you have your baseline configured get back to tthe starting line and review the deployment as you maintiain the overall cyber health of a company.

“Starting Line” by Phil Roeder flickr.com/photos/ta… is licensed under CC BY

Ben Franklin once quipped, ““When you are finished changing, you are finished.”

Nothing could ring more true in cybersecurity. Frameworks need to live and breath to respond to evolving threats.

On November 4, 2021 the Department of Defense unveiled an update to the the Cybersecurity Maturity Model Certification framework to streamline compliance, increase flexibility, and lower cost for manufacturers and IT providers.

TLDR

• Reduce number of levels from Five to Three
• Return to NIST as maintainer of all documents
• Allow level one self-assessments
• Self-assessments require senior level affirmation
• Level Two is Old Level Three and NIST SP800-171 baseline for Controlled Unclassified Information
• Level Two is bifurcated into priortized and non-prioritized contracts
• Prioritized contracts require third party assessments.
• Return of limited time bound POAMS
• Return of limited approved waivers

Reduced Levels

CMMC 1.0 had five levels. Level One aligned to seventeen controls from NIST SP-800-171 to meet the fifteen safeguards required by FAR 52.204.21 for Federal Contract Information. Level Three, required for CUI, aligned to 110 controls from NIST SP-800-171 and 20 additional controls. Level Five would align to practices selected from NIST SP-800-172.

This model did not work for maturity given the different baselines required for sensitive data. One would not seek a level two certification. In fact, DoD said no bids would even ask for a level two. We also had no classes or assessments for level two or four.

Yet CMMC 1.0 had cummulative levels. Meaning you had to meet all of level one and two to meet level three. This pushed some CUI requirements down to level two which made no sense given lvel three served as the NIST SP-800-171 baseline.

CMMC 2.0 removes the ill-fitted maturity requirements.

Return of National Institute of Standards and Technology

CMMC 1.0 tried to address some of the shortcomings of NIST-SP-800-171. In fact, early on the AB, rumor has it, tried to remove requirements until NARA/ISOO reminded them that the CUI program exists in law and NIST-SP-800-171 provides the baseline. They could only add and not remove.

CMMC 1.0 added twenty additional practices, often referred to the Delta 20s, and made the assumed controls of NIST-SP-800-171 around policy and procedures (an assumption of practices Non Federal Organizations (NFO) just do..they don’t) explict in the process maturity measures.

CMMC 2.0 removes anything unique to CMMC and returns us to just NIST-SP-800-171. Moving forward only NIST will change the requirements. We will see many of the delta 20s making a return, and while policies and procedures do not get explicitly assessed you can not pass an assessment without policy and procedures.

Timeline and Rulemaking

In order to allow for third party assessments under the Defense Federal Acquisition Supplemental regulations the Department of Defense (more likely their lawyers) decided we need to codify this in federal law.

This requires a “harmonization” of rulemaking. First CFR 32, which governs the CUI program needs revision. Then CFR 48, which enables DFARS will get revised.

Federal rule making takes a long time and the DoD estimates suggest 9-24 months. Before contractors breath a sigh of relief they should realize that a 24 month timeframe speeds up the original intent of the five year pilot program.

Once the rule making process gets complete no pilot program will get unrolled because compliance with 171 required since 2017. The rule changing just empowers third party assessments under the DFARS clauses.

More Flexibility

CMMC 1.0 did not allow for any open assessment objectives. You had to meet all 305 to get a level three certification.

CMMC 2.0 allows for a set of limited and timebound POAMs.

Before you jump for joy and think you can couch really expensive stuff as an ever ending POA with a never reached milestones you should understand the caveats.

First you need a minimum SPRS score self-assessing or having a third party assess you against the 171a methodology. A cut score still exists. They have lowered the threshold. How far? We do not know, but it won’t be low.

You also can not POAM all the requirements and objectives. 171a breaks scores down into 5, 3, or 1. While official guidance did not get released officials have hinted no five pointers in the POAM. The most expensive stuff gets five points.

You also get 180 days to rectify the POAM. This flexibility saves you nothing. In fact trying to address a five point control in three months may cost you a ton more than good planning.

What does it Mean?

For organizations seeking certification, little. Keep growing the SSP and shrinking the POAM. We always had 171 as a baseline and that did not change. The Interim DFARS clauses 7019 and 7020 did not go away. DFARS clause 7012 did not go away. If you have CUI or FCI on your systems the people, processes, and technology within scope still fall in scope.

For CEO or CIO of organization seeking certification the affirmation requirements increase your personal liability under Fair Clause Claim. In fact both the DoJ and the DoD have highlighted increased focused on the whistleblower elements of the Fair Claims Act. You may find your lawyers, or more likely your Prime’s lawyers demanding a third-party assessment even if you do not hold CUI on a prioritized contract.

Nobody knows what prioritized contracts mean. You cannot plan on what level of level two you will fall under. Plan your self-assessment as if a third-party assessor will come in and verify your results.

If you wanted to join the ecosystem as a Certified CMMC Professional CCP or a CMMC Certified Assessor you may find the market grew instead of the logical conclusion the market contracted with self-assessments.

It makes sense for the DoD to press pause on third party assessments. They have no idea how big the DIB is but they knew the majority would fail a level one, forget a level three assessment. Why make companies pay for a test you know they will fail?

Yet the market for CCPs and CCAs may have grown. While the DoD may not require a third-party assessor you can bet many a Prime contractor will if you want to remain in their supply chain. Further the number of companies who need to self-assess will require more support.

The number of companies needing a third party assessor remains high. The DoD has pinned this number on 30,000-40,000 and the CMMC-AB places it higher. Further, current thinking, likely to change, has any level three company who wants an assessment by the Government against the upcoming tailored controls from 172 must first have a level two assessment from a C3PAO against 171.

In the end, the baseline of NIST-SP-800-171 did not change. Use the next nine to 24 months to grow the SSP and shrink the POAM.

Change flickr photo by Matt Henry photos shared under a Creative Commons (BY) license

Inbox overflowing with email invitations to CMMC.20 webinars? Every consultant and software service promising to give you the most up to date info your company can not do without?

You can do without. I offer no hot takes.

Just some slow reads.

If you really want to get prepared start reading. Congress got it wrong. Cybersecurity does take reading. A ton of reading.

We know CMMC 2.0 will not kick in for 9-24 months on government clocks. I have no idea how long that will last in real time or dog years.

Until then read.

Evaluate the System Security Plan (SSP).

Read more.

Throw out your poorly templated SSP and start over.

Read more.

Finalize the SSP and write your POAM.

Read more.

Have set meetings to address POAM. Revist SSP in six months.

Read more.

Grow the SSP and Shrink the POAM.

If you do not want to do the reading hire an expert. You can try to do cybersecurity without reading. You can also try accounting without math.

So instead of beating you over the head with one more CMMC 2.0 webinar I offer you my top ten hit reading list for 7012 compliance.

Reading and Time. My turnkey easy button solution to CMMC 2.0

1. FIPS-199/200 - The basic controls. Only thing gov truly mandates
2. SP 800-30 and 39 -learn the risk management process
3. SP 800-37 - Do risk management
4. SP 800-18 - How to write an SSP
5. SP 800-60 & 70 - Mapping data flows and info system
6. SP 800-53 - 1200 controls in the catalog. Spend a hot minute here.
7. SP -800-171 -Learn the derived controls selected from 53 that combined with the basic controls from FIPS that you must have on nonfederal system (don’t skip Appendices)
8. SP 800-115 - How do we test controls 9 SP 800-162 How to speak engineer to humans
9. SP 800-137 - continuous monitoring guideline

Bonus reading: SP 800-161 Supply chain risk management

img credit: “A Shot of Ice and Fire” by ElleFlorio flickr.com/photos/el… is licensed under CC BY-SA

The cybersecurity awareness and training industry tops a billion dollars in revenue and will only grow as regulatory frameworks that require companywide learning programs spread.

At the same time and given Higher Education’s inability to adapt or keep up in digital fields, a training program that tops hundreds of billions of dollars grew overnight. In fact, a study by CompTIA (bias disclosure: a test vendor) found 91% of all employees use certifications in hiring.

Classes to pass the certification exploded overnight. I worry the bootcamp model broke us.

I do not want people equating a four-day class in how to pass a test to equal deep learning based in cognitive science. Not when it comes to cybersecurity. The mission too important to hunt for a quick fix in awareness and training.

I know, like CMMC these certification classes are not meant to teach cybersecurity skills. Still, I personally believe the domains of knowledge assessed on the certified classes too hard to master in a four-day seminar.

I don’t blame anyone, but human nature. You can never lay shame on someone for taking the path of least resistance when it comes to securing food or shelter for them and theirs. Once you introduce a high stakes test humans will immediately start mixing a broth to corrupt the reliability and validity of that test.

At the same time these increased cost and regulations caused expected resentment in the cybersecurity professional community. Many feel their experience has established these skills and they feel preyed upon by a certificate mill industry. They have a point.

The entire tech industry, however (I included) could benefit from a good dose of humility. Nobody knows it all, and if you know more, others in the class benefit. Those most successful in bootcamp classes are probably humble folks in other online spaces.

Bootcamp Model

In a “bootcamp” style class, whether to train employees or to prepare for a certification test ,the learning gets crammed into a very short time frame over long extended days.

Almost all cognitive science research supports longer durations for learning. In fact, retention ability decays very quickly. Further long-term transfer to other domains increases when high quality feedback gets connected with bursts of content, activity, and reflection.

Bootcamp models do work, and we have emerging research to support this, in well-defined domains with discrete skill sets. Configuring your endpoint detection, learning to write JavaScript, even playing Clarinet.

The Domain of cybersecurity, especially when preparing to move from one industry framework or another, however, cannot happen overnight. Yes, as I stated these classes do not train you in cybersecurity, but it will take specialized knowledge to move from a HIPPA audit to a 171 assessment for example.

These domains of knowledge too complex for quick learning just to check off a compliance box.

Myth of Auto-Didactic Learner

No bootcamp lives in a vacuum (until Space Force starts orbital unit training) so when people claim to only want self-paced learning, they should make sure they have community support somewhere.

Nobody learns alone. No one gets self-taught. Full stop.

Community is the Curriculum.

The original MOOCS, which helped kick off the coding and cybersecurity bootcamp craze, never focused on size. they focused on people. When David Cormier coined the term the massive modified open, not the size of the class.

It meant using network theory to encourage the spread of open resources and pedagogy through ever growing learning communities.

So even a four day or four-week self-paced online class needs some element of community. You need peers to have discussions. You need groups to work on scenarios and case studies that will reflect what cybersecurity and assessors will do in the field. Most importantly you need high quality feedback from your instructors.

Not opinion. Stable and replicable finding from cognitive science research and based on principles of Universal Design for Learning to ensure all learners can succeed.

Bootcamp Models Dont Meet Diverse Workforce Needs

You need a lot of resources to check out for four days and go to an intensive bootcamp. Childcare, carpools, community volunteering, the bootcamp model do not reflect the needs of the modern workforce.

Bootcamp models do not help diversity, equity, and inclusion when the only option involves four days of unpaid work. We need to provide learning communities that allow for flexible and supportive learning modalities. As a nation we must root cybersecurity trainings in groups that face historical exclusion in the tech and cyber industry.

These four-day learning bonanzas also hurt organizations. As a CEO do you want your entire cyber/IT team out of pocket for four days? What if like many small businesses as CEO you are your entire cyber/IT team? Can you be out for four days?

A Better Way forward with CyberDI and Southern Connecticut State University

At SCSU, we have developed and iterated on the CyberDI curriculum that they will deliver on our online and offline campuses as an LTP through four rounds of iterative design with the goals of using principles of cognitive science in curriculum development and delivery.

Real science. Not bootcamp marketing or certificate mill hype.

In our five-week class model you meet twice a week for live classes each week. Instructors schedules these classes either at noon, the evening, or the weekends depending on local audience needs. They offer hybrid and fully online versions. The lectures and discussions get recorded so if life gets in the way anyone can catch up.

Every practice and process in the CMMC model gets covered through systematic and explicit instruction following the “Instructor does, class does, you do” model. This predictability, science tells, us, improves learning.

Social learning, not just explicit instruction, gets baked into the model. We have two weekly office hours where instructors and community members just drop in to get specific technical help or to ask general questions about course content.

We know from research, building scaffolds that gives learners support drives success.

Our course navigation is simple and works in Blackboard, Canva, Microsoft Teams, or my favorite a simple HTML website. In every module you are asked to read, write, and participate. We give you access to easy to navigate resources.

You can see above how each model gets laid out in a Google Classroom example. We know from decades of research ease of navigation drives learner efficacy and success.

Most importantly you take part in production-based learning driven by feedback designed to elicit growth against the course objectives. Feedback, both formal and informal, drive learning. The teacher guide we provide has tips on writing feedback. The instructors who teach the CyberDI classes on SCSU campuses will get on going coaching in their questioning and discussion techniques. They get additional training on how to write and deliver feedback for growth.

We do hope you choose a training program based in cognitive science and not just certificate mill marketing hype. The classes CyberDI will teach on our campuses meet this criteria.

Just wanted to end with a quick shoutout to the subject experts who helped write and shape the curriculum

Curriculum Authors:

• Leighton Johnson- Wrote our Domain Scenarios
• Paul Netopski- Wrote our CMMC Assessment Process Chapter
• Vincent Scott- Co-wrote history of CMMC and Domain Scenarios
• Tom Cornelius- Open Source contributor. We utilize Comp;iance Forge’s CC BY-SA Scoping Guidance.
• Gregory McVerry co-wrote CUI scenarios, co-edited textbook with Dr. Tucker
• Lauren Tucker-lead author on instructinal guide, co-edited text book
• Richard Dawson-Wrote 162 aligned introductions for 17 Comains
• Dana Mantilla-Video Instructor who interviewed top talent
• Brian Rogalski-co-wrote CUI scenarios

Academic Advisor: Leslie Weinstein

Video Guests:

• Allison Giddens
• Vincent Scott
• Margaret Glover
• Paul Netopski
• Matthew Carson
• Jake Williams
• Amira Armond
• Ryan Heildron
• Vic Malloy
• Kyle Lai

img credit: Bootcamp dreams. by jgmac1106 shared under an CC-BY-SA license a A remix of: Work boot” by Bigbadvoo flickr.com/photos/bi… is licensed under CC BY “Storm Clouds Gathering” by izoo3y flickr.com/photos/iz… is licensed under CC BY-SA “Cha-Ching” by spcbrass flickr.com/photos/sp… is licensed under CC BY-SA

We want to transform CyberSecurity Awareness and Training into an active learning process. For far too long we have assumed video-based quizzes work at the minimum and real training cannot happen because you need decades of experience to do Cyber.

Neither assumption rings true. Active learning leads to greater transfer and retention. This production-based method, where learners must do stuff with what they learn begins with questioning.

In my time working on Cybersecurity Maturity Model Certification courses, I have reviewed so much curriculum. Coched Provisional Instructors as they develop lesson plans and provided feedback to our instructors as we iterate on curriculum at Southern Connecticut State University.

Stop Asking Any Questions

Almost all the instruction I observe relies on direct intruction with little learner interaction. I see it in video based training and lectures where a highly talented Subject Matter Expers asks, “Any Questions” at the end of each segment or lecture.

Everyone has questions. No one will ask.

Instead a good teacher uses questions to elicit evidence of and scaffold knowledge growth. You can think of three types

• Literal
• Inferential
• Evaluative

Literal questions get answered with explicit, which means identifiable in the text, details. Inferential questions require students to combine information in a text, either explicitly or implied, and combine this with prior knowledge or another source. Evaluative questions ask you to combine implicit information with an opinion and may focus on why and how to fill is missing details.

As an instructor you need to plan your questioning well. You can use verbs from Bloom’s Taxonomy or Webb’s Depth of Knowledge, but you need to ask questions for learning to occur.

Helping Out CMMC Instructors

So, to help out the Instructors who utilize the CMMC curriculum we write we started to create a question guide for each of the 17 Domains. It includes a definition from NIST SP-800-162 and questions a Certified CMMC Professional can use to help an Organization Seeking Certification. We derive these from 162 as well.

We then include every assessment objective. CMMC courses mean nothing without Assessment Objectives. Next, we close with sample discussion questions. We hope these focus on pain points and common misconceptions. When an LTP or Provisional Instructor uses our material, you can know we provide you the tools to have active discussions,

Check out our Access Control Example

Featured Image “Question” by kevin dooley is licensed under CC BY

Let me tell you how most of my pitch calls go when someone needs instructional design work for their company’s cybersecurity awareness and training.

The customer typically says something along the lines of, “We just need a quick and dirty training, to check off the compliance box”.

I ask, “Can you send me your policies and procedures so I can weave them into the training?”

Response A:

“My boss doesn’t want this eating up a bunch of time and resources. We just need the compliance. This isn’t about learning.”

In the case of Response A, I always say, “Doesn’t it make sense to train your employees on your security stack based on their roles? Don’t you know policy and procedures mean nothing without people? We can write your awareness and training so it reflects your people, processes, and technology, and most importantly the threats the data you hold faces.”

Response B:

“We really don’t have the policies and procedures in place.”

For Response B, I always say, “Then your awareness and training needs to start with how to write and deploy policies and procedures.”

The Call Back

Almost always I get a call back an hour or day later with, “I talked to the boss. They want to keep it dead simple and focus on compliance. How much for a quick one hour training?”

I wish them luck and shut down the call.

When you cut through the marketing hype—and ignore all of the LinkedIn trolls predicting the doom of the Cybersecurity Maturity Model Certification (CMMC) program— you realize CMMC did not arise out of the blue. When you reasearch its history, you will find nothing especially new or unfamiliar. CMMC simply requires third party attestation of what defense contractors already had to do in order to fulfill the legal requirements of their agreements. The major change associated with CMMC is that it no longer allows for the self-assessment of cyber hygiene associated with Controlled Unclassified Information (CUI), as measured against NIST-SP-800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

Individual contractors no longer have the authority to say how well they secure CUI. Instead, a third pary must come in and assess this information. In essence, it all comes down to CUI. But what do we mean we say Controlled Unclassified Information (CUI)?

What is CUI?

The US Government defines CUI as information which requires safeguarding or dissemination controls necessitated by law, regulation, or Government-Wide Policy; however, it does not include classified or nuclear stuff. The latter two fall under classified policies, and therefore require even more protections than CUI.

The CUI program is thoroughly explained in the Code of Federal Regulation 32, Part 2002. This program standardizes how the Executive Branch handles CUI. The Department of Defense (DoD), for example, established a CUI policy on March 6th 2002. This policy, DoD Instruction 5200.48, “Controlled Unclassified Information,” fulfills their requirements to develop a CUI policy. Every department, and thus their respective agencies, must have a similar CUI policy.

The CUI designation was created in response to 9/11 via President Obama’s Executive Order 13556. This executive order required all unclassified information throughout the Executive Branch which necessitated additional protection above and beyond information not for public release to be labeled CUI. Before this CUI policy, no uniform marking system existed for this kind of information across the Federal Government. Different agencies used an alphabet soup of labels such as FOUO, LES, and SBU.

Under the Executive Order, the National Archives and Record Administration (NARA) was appointed to lead on developing a universal CUI Policy. The Secretary of Commerce, through the Office of Management and Budget, decided that CUI required moderate protection. FISMA, the Federal Information Modernization Security Act, then authorized the National Institute of Standards and Technologies (NIST) to develop standards for the protection of CUI.

In fact, section two of the Executive Order designated NARA as the Executive Agency to oversee the order and the CUI program. NARA delegated this authority to the Information Security Oversight Office (ISOO). ISOO established a CUI registry that is:

• Publicly Accessible
• Includes authorized categories
• Includes subcategories and guidance
• Includes citations to laws and regulation and government wide policies

The Department of Defense then defined their relevant categories using DoD Instruction 5200.48, “Controlled Unclassified Information”.

The ISOO CUI policy defines two types of CUI: Basic and Specified. Specified CUI contains specific handling controls, which it requires or permits agencies to use, and which differ from those used for Basic CUI. So, if a federal law or regulation requires handling instructions beyond the basic protections of CUI, we call this CUI Specified. An agency can decide internally, or with agreement from ISOO, to require additional protections.

CUI Lifecycle

The CUI lifecycle requires a contractor to identify the CUI they handle, to explicitly mark this data as CUI, to protect this CUI while in transit and at rest, to only share CUI for a lawful purpose, to destroy CUI when necessary, and to decontrol CUI when it no longer needs additional security.

Identifying CUI

It is best to begin this process by determining if you have any CUI in your system, or if you wish to bid on future contracts that would require CUI in your systems. Unfortunately, most of the data contractors receive from the DoD and prime contractors will not have proper markings. This does no alleviate a contractor of the legal responsibilities for protecting CUI, especially if they have existing contracts with the Defense Federal Acquisition Regulation Supplemental (DFARS) clause 7012, which requires self-attestation for protecting CUI against a 171 baseline.

Once you identify the CUI in your system, identify which contract vehicles with a 7012 clause the CUI is often associated with. Then identify the people or roles with legal access to that CUI under each contract. In fact, you should create a matrix to capture this information.

You cannot expect the DoD or a prime contractor to label all CUI created under a CUI contract. How could a Contracting Officer (CO) or a Program Management Office decide if the personal notes taken or meeting minutes contain CUI?

Marking CUI

The CUI program set out to protect unclassified information and ensure the timely sharing of information. The marking requirements of CUI vary based on the kinds of CUI and the chosen designation indicator. These influence the requirements for banner markings, which have to include category markings, control markings, and any limited dissemination markings (only certain people should see this).

CUI marking requirements are influenced by more than just their category and control markings. The type of media it is associated with, such as emails or military documents, can influence the marking as well. Email banners may differ from the requirements for removable media. CUI can also be co-mingled into documents that require different limited dissemination, or are considered classified. Finally, you also have rules about marking CUI for mailing.

The marking must include a designation indicator. This indicates who created the CUI. This can include a variety of formats such as a letterhead, a logo on a sticker, a signature, or a controlled byline. You have no requirement to include contact information, but many markings add this optional information.

Department of Defense guidance suggests using a Designation Indicator block when space allows. This includes who controls the data, as well as anyone to which control was flowed through an authorized and legal use, any limited dissemination controls, and a point of contact. For example:

Controlled by: OUSD(I&S)

Controlled by: CL&S INFOSECCUI Category(ies): PRVCY, OPSEC

Limited Dissemination Control: FEDCON

POC: John Brown, 703-555-0123

The banner marking can include three elements. The first, the control marking, is mandatory. This can say “controlled” or “CUI.” Category markings are required for CUI Specified, and are separated by two // slashes. If dissemination controls are included, those follow the category markings, again after two forward slashes. Banners must appear in Bold Capitalized text, and ought to be centered when possible.

CUI works as a basic CUI label.

Category markings are optional, except in the case of CUI Specified. In fact, when you have Specified CUI, you are required to include the letters SP before the category marking. If more then one type of specified marking is included, you alphabetize them, but only separate each by one / forward slash after the first category, which follows the two // forward slashes and the basic marking.

CUI//SP-HLTH/PHYS In this example we see two CUI specified categories which follow the basic CUI marking.

The banner markings can also designate the dissemination controls. Limited Dissemination Controls identify an intended audience, so a document does not need continuous authorization.

No Foreign Dissemination (NOFORN) —Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-U.S. citizens.

Federal Employees Only (FED ONLY) —Dissemination authorized only to employees of the U.S. Government executive branch agencies, or armed forces personnel of the U.S. or Active Guard and Reserve.

Federal Employees and Contractors Only (FEDCON) —Includes individuals or employees who enter a contract with the U.S. to perform a specific job or supply labor, and dissemination is in furtherance of the contractual purpose.

No Dissemination to Contractors (NOCON) —Intended for use when dissemination is not permitted to federal contractors, but permits dissemination to state, local, or tribal employees.

Dissemination List Controlled DL ONLY —Dissemination authorized only to those individuals, organizations, or entities included on an accompanying dissemination list.

Authorized for Release to Certain Foreign Nationals Only (REL TO USA, LIST) —Information has been predetermined by the designating agency to be releasable only to the foreign country(ies) or international organization(s) indicated, through established foreign disclosure procedures and channels.

The Department of Defense CUI guidance also allows dissemination marking to be included in the designation box. These include:

Distribution Statement A: Approved for public release. Distribution is unlimited.

Distribution Statement B: Distribution authorized to U.S. Government agencies only (fill in reason and date of determination).

Distribution Statement C: Distribution authorized to U.S. Government agencies and their contractors (fill in reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

Distribution Statement D: Distribution authorized to Department of Defense and U.S. DoD contractors only (insert reason and date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

Distribution Statement E: Distribution authorized to DoD Components only (fill in reason and date of determination). Other requests shall be referred to (insert controlling DoD office).

Distribution Statement F: Further dissemination only as directed by (insert controlling DoD Office and date of determination) or higher DoD authority.

On digital media, you include these markings. On PowerPoint slides, you can include the CUI label at the top and bottom of the title slide with the indication block and the CUI label on the bottom of each slide. In a word document, you can include a cover sheet with the marking and designation block.

Removable Media

On a removable storage device, you are required to include the basic marking and a controlling indicators. Each file contained on the storage device needs its own marking. When feasible, you should include all required elements in the designation block, but the CUI basic marking and the originator or controller must always be included.

Email

Email is a bit trickier. When you send an email (try not to) containing CUI, you must let the recipient know. You must include a banner marking in the body of the email. Furthemore, best practice suggests including it in the CUI itself. Many companies use email server rules to sequester email with CUI. The subject line helps protect the data. When you forward email you must keep all banner markings. Make sure you cut and paste the banner to the top of the forward. You can also portion mark emails like regular documents where you call out sections that contain CUI.

Physical Protection of CUI

You will need to create a controlled environment to protect CUI. The regulations require you to have at least one physical barrier, such as sealed envelopes, locked doors, bins, drawers, or electronic locks. You have flexibility in deciding what counts as a physical barrier.

You also need to consider meeting areas. You will need to control meeting access when CUI is shared and discussed. You will need to mark the door with the lock, noting only authorized indivduals allowed, and you will need a clean desk policy for after the meeting.

Think about who has access to your controlled environments. You will need to lock away CUI from after hour cleaning crews, and to keep visitor and employee logs of areas that contain or discuss CUI. Your computer systems and networks also need to control access. You need to include banner markings on devices and systems that can connect to controlled environments.

Basically, on electronic systems, you need to create some kind of barrier to prevent unauthorized access to CUI. This can include network folders, files, intranet, cloud enclaves, file sharing sites, and individual machines or devices.

Encryption and CUI

Based on Office of Management and Budget (OMB) policy, CUI requires moderate protection. This, in turn, requires encryption which meets a specific level called FIPS Validated 140-2A. At the simplest definition, encryption means that something we read in plain text is scrambled into a cyphertext. The authorized holder then has a “key” to unscramble the ciphertext into plain text.

The approved encryption techniques are authorized by NIST in a document called “Federal Information Processing Standards (FIPS) 140-2.” The approved techniques, which can change based on use case and authorizer, include: AES, Triple-DES, and the Digital Signature Standard (“DSS”). NIST-SP-800-171 (3.1.13 and 3.13.11) and CMMC spell out specific requirements for encryption (AC.3.014, SC.3.177).

With FIPs level encryption, we make an important distinction between modules and devices. A module can be an embedded part of a product, such as an “encrypt this email” button or an entire product such as a CUI cloud enclave. A device, such as a laptop or cellphone, does not itself need the encryption. The tool accessed on that device to share, view, store, or transmit CUI must use encryption modules that meet FIPS standards.

Destroying CUI

When you destroy CUI, the NARA policy CFR 32 Part 2002 requires the CUI to end up unreadable, indecipherable, and irreconcilable. The NARA policy follows guidance of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Revision l: “Guidelines for Media Sanitization” or any technique approved by Classified National Security Information (32 CFR 2001.47).

In 2019, NARA released guidance on destroying paper-based CUI. You must follow the specifics of NIST-SP-800-88 when shredding paper. You must crosscut, meaning up and down, and left and right, down to 1mm x 5mm (0.04in x 0.2in) in size. You can also pulverize paper using disintegrator devices equipped with a 3/32in pulverizer. The approved shredders can get expensive. Many companies use a third party shredder or recycler that will provide a certification that they meet the requirements of NIST-SP-800-88.

You can always go the cheapest route and follow the burn recommendations.

In terms of media, there are also destruction requirements. NIST SP 800-171 3.8.3 states, “Sanitize or destroy system media containing CUI before disposal or release for reuse.” The type of media will determine how you sanitize the device. Hard drives, for example, need different disposal methods than static hard drives.

Decontrolling CUI

CFR 32 Part 2002 defines decontrolling as the event in which the authorizing agency decides the CUI “no longer requires such controls.” You must have policies and procedure in place to decontrol CUI. CUI can be decontrolled automatically or through positive decontrol. In automotive decontrol, a prior event, such as a date, is chosen when the controls are no longer required by law or policy. In positive decontrol, the authorizing agency takes an action to remove the controls.

While a contractor can be appointed by the authorizing agency to disagree with the ability to decontrol CUI on a contract with the 7012 clause, it will not happen often.

In the end, when you think CMMC, just think about CUI and how you can protect it from unauthorized disclosure.

At a recent Town Hall, the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) CEO Matt Travis noted that “trust and confidence in the CMMC Ecosystem” is the shared responsibility of both the AB and the members of the community.

In fact, Travis’s call to action harkened back to the the testimony of Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar, who noted in his testimony to the Armed Service Committee cybersecurity subcommittee:

DoD must ensure there are clearly defined roles and responsibilities, standards of conduct, and audit mechanisms governing relationships with private sector entities within the external assessment system.

In order for CMMC to succeed, ethics must matter.

In the realm of Cybersecurity Maturity Model Certification, the Professional Code of Conduct drives ethical considerations. This document provides the standards to which all members hold themselves accountable.

The document unites around five principles:

• Professionalism
• Objectivity
• Confidentiality
• Proper Use of Methods
• Information Integrity

The document then lays out the practices inherent to each principle, in addition to how reporting features are implemented.

Conflict of Interests occur when a person has a duty or motivation to serve the interests of more than one party in the engagement of an activity. According to Matt Travis, this can lead to a variety of consequences, including:

• Compromised Judgement
• Threatened Objective Decisions
• Undermined Impartiality
• Destroyed Confidence in Fairness and Integrity
• Required Disclosure

CMMC Conflict of Interest

We must remember that a mere perception of conflict can cause serious damage, even when no such conflict exists. Conflicts of interest can also exist without malicious intent or outcomes.

The CMMC-AB, in fact, must establish a firewall between the registration of consultants, the accreditation of training schools, and the Assessment of Organizations Seeking Certification (OSC).

Section 3.1.8 of the CMMC Professional Code of Conduct (CPCOC) requires everyone to avoid conflicts of interest to the greatest extent possible. We have a duty to avoid conflicts and report them when they occur.

The professional code of conduct in Section 3.1.10 also prohibits Certified Third Party Assesment Organizations (C3PAOs) from soliciting business from the organizations they assess. In other words, you can not fail an OSC and then offer services to help them pass the next assessment.

CMMC and Objectivity

The CPCOC prohibits a credentialed assessor from joining an assessment team if that individual helped the organization prepare for the assessment.

The ecosystems of many companies have Registered Professional Organization (RPO) credentials and C3PAO credentials. A business can not provide RPO services and then join a C3PAO Assessment Team, or host an Assessment Team themselves. Furthermore, if you have signed the CPCOC, you have an obligation to report this activity if you see it.

CMMC-AB and Ethics

In order to understand how the Accreditation Board (AB) must adhere to the ethics of the CPCOC, we must first understand their role in the ecosystem. The AB is required to:

• Authorize CMMC C3PAOs to conduct assessments
• Accredit C3PAOs in accordance with ISO 17020
• Authorize the CAICO (CMMC Assessors and Instructors Certification Organization) to certify CMMC Instructors and Assessors
• Establish, maintain, and Manage the CMMC Marketplace
• Oversee the CMMC Professional Code of Conduct

Due to these roles the CMMC-AB has a variety of tools to limit Conflict of Interest

• CMMC-AB Code of Ethics
• CMMC-AB Conflict of Interest Policy
• CMMC-AB Directors Agreement
• CMMC Code of Professional Conduct
• Contract with Department of Defense
• CMMC-AB Audit, Ethics, and Compliance Committee
• Security and Compliance Officer
• ISO 170ii General Requirements for Accreditation Bodies Assessing and Accrediting Conformity Assessment Bodies

These elements work together to ensure the CMMC ecosystem maintains a high ethical standard.

Duty to Disclose

The CMMC-AB will release a disclosure matrix that lists all of the players in the ecosystem, and then a list of possible affiliations. These include elements of potential conflict such as ownership, financial interest, teaming agreements, family members, personal relationships, employment affiliations, and more. The AB will decide if, based on its role in the ecosystem, if that is a type of relationship that is okay, to be avoided, or risky enought to require mitigation.

This document will explain your responsibilities to report conflict of interest.

Red Lines for the CMMC-AB

Based on the policies governing the AB, its members must not fail to disclose conflicts, have a vested interest in an C3PAO, use their status on the AB to generate business or leads, endorse any commercial product implicitly or explicitly, accept any gifts, or operate in a credentialed company within the ecosystem for the duration of one year after leaving the board.

Shady Vendors

As a member of the ecosystem, you face a barrage of emails. Many of these provide snake oil services or over-promise. As a small business, owners rely on word of mouth, not drip campaigns from marketing teams. Avoid anyone who promises quick assessments or turn key services.

Take your time. You do not need a Level Three Certification overnight. 2026 is still a bit far off. Until then, just grow the SSP and shrink the POA&M.

It always comes down to the humans. Even with the best security, the tiniest friction can cause all systems fail. That 2% of DNA separating us from chimpanzees really messes with your cyber hygiene.

If you want security you need to focus on the biggest attack vector: people.

The Cybersecurity Maturity Model Certification (CMMC) program revolves around a national awareness and training program to increase the validity and reliability of the cybersecurity hygiene for the Defense Industrial Base (DIB).

Relying on self-assessments hurts the overall validity of an organization’s cyber hygiene, due to the scoring system for determining compliance. In NIST-SP-800-171 nor 171a, the methodology describes a scoring scheme. That model of having 110 points, and subtracting either 1, 3, or five points, came from the Defense Contracting Management Agency (DCMA). It did not work.

Relying on self-assessments hurt the overall reliability of knowing if someone had achieved adequate compliance against NIST-SP-800-171. A lot of revenue depends on contracts from the Department of Defense that carry the 7012 clause. Many companies lacked experience or have had past success with a business development strategy of ignoring Department Defense mandates .

We use the amount of data exfiltration from small manufacturers as proof of the failure. The daily ransomware attacks DIB companies face is further observable evidence that self-assessment does not work.

CMMC requires us to realize cybersecurity isn’t just everyone’s job. Cybersecurity IS everyone. You must control your story, data, and identity. The people matter.

In fact, the CMMC model requires an Awareness and Training Policy for Level Two (and thus Level Three, given the cumulative nature of the model):

AT.2.999

Establish a policy that includes Awareness and Training.

So how do you build an Awareness and Training policy? You need to understand what people need to know, when they need to know it, and how you will prove they know it. This begins, like all learning, by definining key terms.

What is Awareness?

I can understand the dangers of swimming in riptides in the absence of the training to escape one. All employees must have an awareness of the threats your company faces.

In fact NIST SP 500-172, defines awareness as

sensitivity to the threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them

However, awareness—like swimming—does not equal training. In terms of cybersecurity, a company needs to have a general understanding of threats and cyber hygiene in order for it to grow. So, for example, while I may hang Controlled Unclassified Information (CUI) posters in the enclave to keep people aware of company policies, that does not equal a training program on selecting the correct shredder for the destruction of paper-based CUI.

You may publish many of your policies in an employee handbook to make them aware of security issues. But you still need to train employees on how to execute these policies.

What is Training?

Awareness focuses on what, while training focuses on why and how. Training will take longer, and you as the learner will need to generate observable evidence of knowledge growth.

What Type of Awareness Programs do my Employees Need?

Based on the NIST 800-171a assessment objectives included in CMMC, you have to have an overall awareness of the threats CUI faces. All employees need an awareness of policies, standards, and procedures. This is often best covered in the Employee Handbook and Acceptable Use Policies.

Your technical staff will need to understand the security risks associated with their activities to keep data safe. This, again, will require the development of Operating System awareness, and you may need to run multiple awareness programs for each major and minor technical system.

Managers and system administrators need awareness of the applicable policies, standards, and procedures related to the security of the systems they oversee. This will include reference documents, a required tour of a wiki or database, and Security Technical Implementation Guides (STIGs).

Some Awareness and Training requirements kick in at Level Two when we talk Cybersecurity Maturity Model Certification (CMMC):

AT.2.056

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities, and of the applicable policies, standards, and procedures related to the security of those systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]

Determine if:

• [a] security risks associated with organizational activities involving CUI are identified;
• [b] policies, standards, and procedures related to the security of the system are identified;
• [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
• [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

To meet the assessment objectives of this practice you will need to provide multiple types of security awareness and training programs

What type of Training Program Do My Employees Need

Based on the NIST 800-171a assessment objectives included in CMMC, you have to have three domains of training. One domain is focused on your CUI policy, another on threat analysis, and another on your system, security, and roles.

CMMC has an entire set of objectives on developing and deploying a CUI policy. In your training, you need to ensure your managers and technical systems engineers, or Managed Service Providers (MSPs), know how CUI is protected on your system.

Your training around applicable policies, standards, and procedures related to the security of the system will need extensive documentation, and will include recognizing educational certificates and providing your own training related to your reference architecture.

For example, take AT.2.057, which requires contractors to “ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. ” This will require operating system training specific to a company’s reference architecture. You will rely on different certificate programs to ensure your technical staff can stay current as technology changes. You will need multiple trainings for each of the operating systems deployed on your major and minor systems that store, transmit, destroy, or create CUI as the result of a government contract.

What is the Purpose of my Awareness and Training Policy?

The first objective of AT.2.999 establishes a policy that includes Awareness and Training, which requires you to have a purpose to your awareness and training policy. For Level Three certification, you need a mission and strategic goals. AT.3.997 requires contractors to “establish, maintain, and resource a plan that includes Awareness and Training” objectives b and c.

We recommend you do this on company-wide scale, via a threat awareness and training program. Explore the threats, external and internal, you face. Analyze risks to your business and supply chain.

Break employees into groups and have them draft threat analysis documents (this is a Level Four requirement, but wise to implement ahead of time). Then when you have a complete list of threats, have the groups craft mission and goal statements.

You then work with the groups in a whole company setting to ensure your employees draft the kind of comprehensive policy statement you envision. Ownership builds awareness.

Many mature and large organizations will have awareness and training policies developed. If this is the case for your organization, you should still conduct ongoing threat analysis discussions at the department level.

At the end of the day, make sure folks are aware.

Who needs Awareness and Training?

Everyone. Awareness and training ensure policies and procedures become company culture. However, it is important to note that your managers, sales staff, and security engineers need different awareness and training.

NIST Special Publication 800-16, “Information Technology Security Training Requirements,” recommends creating a role-based training matrix. You can combine this approach with CMMC requirements to create a full curriculum scope and sequence for your awareness and training program.

In the first column of the Matrix, list all the user roles on your information systems. Include a row for “all.” You can group trainees by their roles as well.

Then create four domains in your awareness and training program:

• Employee Responsibilities,
• Information System Policies,
• CUI
• Reference Architecture

What kind of training an employee receives, and in which domain, depends on their role. For example, all employees may have to watch a training and certify they read the Employee Handbook and Acceptable Use Policies. You probably want a training on the email rules of your company for all employees.

For Level Three CMMC Certification, you need to document what will be learned. In fact, Assessment Objective [e] of AT.3.997 requires you to document “the plan documents, activities, and due dates.” In your matrices, be sure to list the trainings, in addition to when due dates occur.

Fill out the chart indicating when role-based awareness and training occurs, what it includes, and how it is assessed.

Large companies may have an internal learning management system that may track many of these metrics. Smaller companies may have to contract with a vendor. If you purchase IT or security products from MSPs or vendors, try to negotiate a training package, or choose those you see as compliance partners.

What should Awareness and Training Cover?

Employee Responsibilities

You need to cover the four domains of knowledge, but now you must also develop the scope of learning objectives and the sequence of training for the matrices.

First begin with employee responsibilities by examining the everyday system-wide awareness and trainings all employees must receive. This includes the employee handbook, sexual harassment, legal compliance, company wide posters, CUI handling posters, and stickers. These are everyday business practices that require awareness and training.

Then decide which of these policies need more than awareness and actual training. This could include a short video summarizing the employee handbook with a quiz. Employees often have to attend mandatory trainings with a supervisor.

Once you have the list, decide if the subject requires awareness or training. Add it to the matrix.

Controlled Unclassified Information

As noted above, you must include awareness and training on the “security risks associated with organizational activities involving CUI are identified.” In other words, you need to develop a CUI Training Program.

At Level Two of the CMMC, your company will need awareness and training on the internal threats faced by companies who have a legal right to handle Control Unclassified Information on behalf of a government contract.

At Levels Two and Three, your awareness and training program must include your company policies on receiving, creating, labeling, disseminating, transmitting, storing, and destroying CUI. This policy should cover the specific workflows for handling this information. You will also need to include your Incident Response Training on handing CUI data spillage.

At Level Four, your CUI awareness and training program should include recognizing and responding to threats from social engineering that can lead to advanced persistent threat actors, breaches, and suspicious behaviors; you will be required to update the training at least annually, as well as when there are significant changes to relevant threats.

Information System Policies

Then you will have company-wide information system policies, such as your password policy, email policy, device policy, how Multifactor Authentification works (please turn on MFA), et cetera.

These Information System Policies apply to all employees, however, at this point you may have to start specializing. The account generation for your Mobile Device Management tools may vary from your payroll system. In fact, at this level you will start to specialize at the Operating System level.

Different types of operating systems will require you to verify employee training through different certificates. If you deploy in Kubernetes in Azure or use S3 in WS Govcloud, each of those stacks has individual Security Technical Implementation Guides (STIGs) and certification programs.

You must consider all the major and minor systems, the data that flows through them, and the laws and regulations that govern how that data is used and shared.

As a contractor, you also will need to consider trainings on your acquisition team on what kind of service level agreements you need in your vendor agreements with regards to information and technology systems. Trainings need to include examining vendor agreements and SLAs to determine if proposed security solutions meet CMMC Level Three standards.

Reference Architecture

As Tom Cornelius from Compliance Forge notes, “You must see policy as a blueprint and not documentation. You are more an archtiect than a writer.”

As an organization, you will need solid reference architecture on how you build secure systems that can handle a moderate baseline for the protection of Controlled Unclassified Information. You will have a set of documents that describe how to build the ideal environment for your use case. You will need awareness and training on how to use and update your reference architecture.

Take configuration management for example. If you do not have a clear configuration management documentation and provide baseline training on using the necessary references, you will not have the basics of Access Control, the root of cybersecurity.

Next, you can turn to the other domains in CMMC to determine the specifics of company-wide training policies.

What other Domains Should Awareness and Training Cover?

The Awareness and Training you provide must go well beyond the practices and process of the AT domain. In fact, according to Native Intelligence in a blog post on Amira Armond’s CMMC Audit, Awareness and Training needs to cover fourteen additional practices across five domains

• Access Control (AC)
• Media Protection (MP)
• Maintenance (MA)
• Physical Protection (PE)
• Systems and Communications Protection (SC)

How to Get Started on an Awareness and Training Plan

Create an Instructional Leadership Team

You first begin by designating who owns your awareness and training program. The Instructional Leadership Team should contain stakeholders across the organization and not just from IT or your security team (if you even have either position. The team could include your Information System Security Officer, CIO, CTO, information System Security Manager, human resources, facility security officer, or employees designated to serve on the instructional leadership team.)

Craft Goals, Missions, and Objectives

Your instructional Leadership Team then crafts your goals mission and objectives. This begins by a walkthrough through of your threat environment. Understand the common threats to the sensitive data you hold.

You can have very generic goals, missions, and objectives for your trainings. You may want to consider utilizing the awareness and training domain to strengthen your talent across the board. However, you only need to track system security related training with CMMC.

Determine Roles for Awareness and Training

Next, the Instructional Leadership Team determines roles and responsibilities. Christina Reynolds of BDO-USA recommends using the RAC model: who is Responsible, who is Accountable, and who need to be Consulted. The goal is to create observable evidence that partially meets assessment objectives c, d, and g of AT.2.999

” the roles and responsibilities of the activities covered by this policy are defined; (i.e., the responsibility, authority, and ownership of Awareness and Training activities);”

“The policy establishes or directs the establishment of procedures to carry out and meet the intent of the policy;”

“the policy is endorsed by management and disseminated to appropriate stakeholders; and “

So you develop a matrix of roles and responsibilities. Include general users, data owners, system owners, and members of the Instructional Leadership Team. Make a column for each.

Then, in the rows include who must complete training, who develops the training program, who agrees to acceptable use policies, who decides which roles get what training, who completes role based training, and who is responsible for record keeping.

Establish Company-wide Baselines

Now, decide what basic training every employee must have. This will include your awareness activities, employee handbooks, email policies, acceptable use policies, etc. You may include optional training on overall threat awareness and common attack vectors, such as phishing.

The goal is to establish the bare minimum of security awareness you want with your employees. This wil usually include a variety of trainings like company wide meetings, video on-demands, or online learning.

Develop A Training Matrix

Now that you have a baseline of security awareness and training you want for employees, you next decide on specialized roles, and create a role-based training matrix. People in specialized roles and management positions will need additional training over and beyond what every employee recieves.

You need to group people into roles based on functions in the workplace.

Then create a list of topics, which includes items such as:

• CUI
• Email
• Threat Awareness
• Media Protection
• Passwords
• Mobile Devices
• Access Control Policy
• Reference Architecture
• Crafting Service Level Agreements
• etc

You then decide based on the number of roles created by your Instructional Leadership Team which group gets what training.

Develop Company Wide Awareness and Training Rubric

Next the Instructional Leadership Team needs to define success metrics for your awareness and training program. In terms of CMMC, it is important to know if a plan really does not kick in until Level Four process requirements, but you cannot have a compliant training program at this Level without evidence of learning gains.

The evidence of awareness and training success, like all compliance data, can fall into one of three categories: interview, observe and test.

First, you want to understand if your awareness and trainign impacts your operational security. Indicators could include reduction in down time, increased phishing test success rates, and incident reporting. If you can not automate these metrics, you can have the Instructional Leadership Team rate them on a four point likert scale.

You also have training program metrics, such as the frequency of training programs, learner performance, attendance, and learner feedback. You should check with your state on the requirements to protect and retain employee training data.

Evaluate Content

Now you have to choose content that will align your role based matrices with your required learning matrices. It will probably be cheaper to purchase curriculum than to develop it in-house. However, when you pay for an instructional designer to develop your program, you can align the program to your company culture and workflow.

The majority of cybersecurity training is video-based garbage designed to allow you to check off a compliance box about providing training. Develop or utilize a rubric for evaluating curriculum. You may consider hiring a consultant to help you evalaute curriculum. At the very least, choose your networks from word of mouth.

Create Deployment and Evaluation Schedule

Next, you must create a scope and sequence guide for your curriuclum. This document includes the objectives of your chosen curriculum, how those objectives will be measured, when the curriculum will be delivered, and who will evaluate the result. You can include information about awareness and training.

For awareness, you could include the posters you hang and monthly security reminders that are delivered by email. The awareness program occurs all the time, and for all users.

For training, this again will be a role-based document. Many people may end up including the role-based matrix in the scope and sequence of the curriculum.

Craft Awareness and Training Plan Compliance Documentation

Finally, you will need to create a way to document your awareness and training program, so you organize observable evidence in a way that would not require a CMMC assors to make any inferences about your program. Spell out how you meet each requirement in your Policy, Procedures and Plans. If you followed the path above, you will have the majority of the required documentation already.

Now, as your goal you must include the procedures you have decided upon for your Awareness and Training Policy, in addition to how you plan to include the metrics from your Awareness and Training in both your System Security Plan (SSP) and your Awareness and Training Plan.

Create a policy for retaining security training records. Create the procedures to make sure this happens.

Include a table in your policy that explicitly addresses all of the required Awareness and Rraining in a practice or assessment objective. Then, in your SSP, reference this policy and include two pieces of observable evidence that the assessment objectives have been met.

For example, you need to include training of internal threats at Level Two of CMMC. This means that for Level Three compliance, you must demonstrate you provide this training. Explicitly spell this out, in addition to any required training in your Awareness and training Policy and Procedures.

For many companies, beginning with the Awaress and Training domain may provide a great launching point for your CMMC journey.

Meet CMMC Compliance through Awareness and Training

Can you complete your SSP as you utilize and also reach compliance on the Awareness and Training domain? Would this approach lead to increased hygiene?

Everyone frets over CMMC devolving into a checklist of policy and confusing technical controls. Awareness and Training makes this difference.

Christina Reynolds co-authored this post in the guidance she provided in how to craft Awareness and Training Policy

Featured Image: “Bad Ragaz - Original Sin” by Kecko is licensed under CC BY

Great post from Alex Johnson on the difference between the discussion and requirements of CMMC practices.

“I want to offer some information to those who may be struggling with understanding what options are available to you regarding the implementation of NIST SP 800-171 and CMMC requirements or practices.

NIST SP 800-171 Section 2.2 contains the following:

“A discussion section follows each CUI security requirement providing additional information to facilitate the implementation and assessment of the requirements. This information is derived primarily from the security controls discussion sections in [SP 800-53] and is provided to give organizations a better understanding of the mechanisms and procedures used to implement the controls used to protect CUI. The discussion section is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. The use of examples is notional, not exhaustive, and not reflective of potential options available to organizations. “

The bottom line is that you have options. The discussions are not telling you exactly what you have to do. Rather, they are helping you to understand the essence of what the requirement is. There are a few discussions that are normative, but only a few.

A great example of this can be found in MP.2.119 (3.8.1). These assessment objectives require you to physically control and securely store media containing CUI. The discussion indicates that “physically controlling system media includes conducting inventories.” However, that is not a requirement based on NIST SP 800-171 Section 2.2.

I hope this helps some who may “extend the scope of a requirement” based on the discussion section.”

Alexy J. on LinkedIn: I want to offer some information to those who may be struggling with linkedin.com

Archiving…

Inventory matters. As Sarah Spencer CEO of SolonTek notes, “You cannot protect what you cannot see.”

“dandoodlescan065-inventory is waste” by Inha Leex Hale is licensed under CC BY

Now, some people read the CMMC assessment guide for Level One and think, “Huh no inventory needed?”

This is not true. You may not need to show your inventory results or policies for Level One compliance, but you will not be Level One compliant without good inventory policy.

Think about assessment objective f of Access Control 1.001, “[f] system access is limited to authorized devices (including other systems).” You will need to inventory your systems to comply with this objective.

What about CUI? If you read NIST-SP800-18 on writing a System Security Plan, you quickly realize you need to inventory all of your 7012 contracts and the data owner for each one.

Vincent Scott and I developed a quick table of “some” of the areas hit by good inventory. The word “identified” happens a ton in the CMMC assessment guides. You have to decide if this also means counting. This list will continue to grow, so if you think we missed something, please let us know.

Comment on LinkedIn or better yet get a blog and send me a webmention.

CMMC Level	Domain	Number		Definition	Assessment Objective	NIST 171
1	Access Control	AC.1.001		Limit information system access to authorized users, processes acting on behalf of authorized users, or devices	[c] devices (and other systems) authorized to connect to the system are identified;	3.1.1
1	Access Control	AC.1.001		Limit information system access to authorized users, processes acting on behalf of authorized users, or devices	[f] system access is limited to authorized devices (including other systems).	3.1.1
2	Access Control	AC.2.006		Limit use of portable storage devices on external systems	[a] the use of portable storage devices containing CUI on external systems is identified and documented;	3.1.21
2	Access Control	AC.2.011		Authorize wireless access prior to allowing such connections	[a] wireless access points are identified;	3.1.16
2	Access Control	AC.2.015		Route remote access via managed access control points	[a] managed access control points are identified and implemented;	3.1.14
2	Access Control	AC.2.016		Control the flow of CUI in accordance with approved authorizations	[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;	3.1.3
3	Access Control	AC.3.020		Control connection of mobile devices	[a] mobile devices that process, store, or transmit CUI are identified;	3.1.18
3	Access Control	AC.3.022		Encrypt CUI on mobile devices and mobile computing platforms	[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified;	3.1.19
2	Configuration Management	CM.2.061		Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles	[e] the system inventory includes hardware, software, firmware, and documentation; and	3.4.1
1	Identification and Authentication	IA.1.076		Identify information system users, processes acting on behalf of users, or devices	[c] devices accessing the system are identified.	3.5.1
1	Identification and Authentication	IA.1.077		Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems	[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.	3.5.2
3	Media Protection	MP.3.123		Prohibit the use of portable storage devices when such devices have no identifiable owner	[a] the use of portable storage devices is prohibited when such devices have no identifiable owner.	3.8.8
1	Physical Protection	PE.1.134		Control and manage physical access devices	[a] physical access devices are identified;	3.10.5
2	System and Communications Protections	SC.2.178		Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device	[a] collaborative computing devices are identified;	3.13.12
2	System and Communications Protections	SC.2.179		Use encrypted sessions for the management of network devices	[a] the organization has one or more policies and/or procedures for establishing connections to manage network devices;	N/A
1	System and Informational Integrity	SI.1.211		Provide protection from malicious code at appropriate locations within organizational information systems	[a] designated locations for malicious code protection are identified;	3.14.2