CMMC Version 0.7 Released – Some Initial Thoughts
The Department of Defense (DoD) Office of the Undersecretary of Defense Acquisition and Sustainment [OUSD(A&S)] released version 0.7 of the Cybersecurity Maturity Model Certification last week. Keeping with the trend of continual refinement, version 0.7 shed light on Level 4 and 5 as promised. Here’s our takeaways:
On Time, On Target
If nothing else, the CMMC team is staying on schedule and demonstrating the seriousness of the program by delivering versions as promised. In today’s world, especially with the inherent inertia that comes with bureaucracy, that’s impressive in itself.
It Gets Harder from Here
The CMMC team has done some amazing work in a very short period. However, the hard work is just about to start. Getting the industry, especially the DoD to keep their end of the bargain with respect to labeling content as well as designating target levels in contracts all while rolling out the audit functions will be challenging.
What is New in This Release?
Version 0.7 provides detail on Level 4 and 5 of the CMMC and borrows heavily from NIST 800-171B. The chart below shows how the NIST standard is distributed across five levels.
|CMMC Level||Total||CFR 52.204-21||NIST 800-171r1||NIST 800-171B|
|N/A – Excluded||–||–||–||15|
Table 1 – CMMC Model Version 0.7 Practices per Reference
This is in line with the messaging to date that Level 3 will be consistent with NIST 800-171 with some additions. These include explicitly requiring data be backed-up and that CUI data be identified, categorized, and labeled.
What are the Highlights of the New Controls?
There are several controls worth noting, and we think will get the most attention. Here’s a rundown of each one as well as how we support our clients to meet these controls.
P1053 – Automate log analysis to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
This control will require companies to invest in a Security Incident Event Manager (SIEM) that adds a layer of automation and, increasingly, artificial intelligence to network scanning. This is a significant investment for many companies and we offer multiple options to fit our clients’ needs.
P1060 – Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
Many services (including the one we offer) provide realistic simulations of phishing attacks that are connected to both reporting as well as training to improve awareness.
P1101/1107 – Establish and maintain a Security Operations Center (SOC) during relevant business hours (Level 4) or 24/7 (Level 5).
Most small and midmarket businesses will struggle with this requirement unless they outsource it. Our SOC provides 24/7 coverage ensuring round the clock protection as well as meeting this requirement.
P1227 – Periodically perform red teaming against defensive capabilities.
Red teaming occurs when a group of white-hat hackers attack an organizations’ digital infrastructure in order to test their defenses. It will be interesting to see exactly what is envisioned in this requirement, especially for smaller organizations.
P1171 – Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
This control takes “assume breach” to the next level and requires organizations to actively hunt for signs of compromise. Our MSSP and MSP services are currently rolling out this capability and we’ve found it to be a great value for our clients.
The appendices include detailed discussion and clarification for Levels 1-3. There is some really good information and insights in the discussion section which helps translate the requirements into actionable guidance. Unfortunately, the examples in the clarification sections don’t always give a full perspective of what’s being asked in the requirement.
It’s still unclear what data will require Level 4 or 5 protections. This makes it hard for organizations that hold sensitive data to plan for the level they need to achieve. For example, we’re looking for explicit guidance on ITAR data; it will be a minimum of Level 3 because it is considered CUI, but will it trigger a higher level?
Version 1.0, the official release is due in late January which will lock down the initial version of the requirements. That will start the sprint to stand up the accreditation body, develop assessment and audit guidance as well as training the auditors. Its gonna be a busy 2020!
For more information on CMMC or to learn how you can prepare to meet your requirements, contact us at firstname.lastname@example.org