Despite the disruption caused by the COVID-19 pandemic, the US Department of Defense is moving ahead with its push to ensure Defense Industrial Base (DIB) contractors have implemented strong cybersecurity programs through the Cybersecurity Maturity Model Certification (CMMC).
The CMMC Framework, which was first announced in January 2020, requires that defense contractors be CMMC certified by approved, third-party auditors before they are eligible to bid on new DoD contracts.
With new contracts containing CMMC requirements originally slated to roll out in June of 2020, many defense contractors were already preparing to undergo the CMMC certification process. The sudden shift to remote work in response to COVID-19 has prompted many to look closely at the cybersecurity requirements of CMMC specifically as they relate to the remote work use case.
During Archon's COVID-19 Immediate Secure Remote Work Response Virtual Summit, which took place in March 2020, Scott Edwards of Summit7 Systems, addressed exactly this topic, with a specific focus on what it will take for companies to go from Level 1 CMMC Certification to Level 3.
Continue reading for our summary.
When do you need to be prepared to have CMMC certification as a DIB organization? Here are some important timelines for all organizations to be aware of.
April/March 2020: CMMC 1.02 is currently released. You can review up-to-date documentation on the CMMC website. An accreditation board has already been established and is working on finalizing the process for accrediting and certifying organizations.
June/July 2020: In accordance with DoD's plans to roll out the CMMC program in stages, a series of pathfinder projects will be launched before the full-scale implementation of CMMC. The Office of the Under Secretary of Defense for Acquisition and Sustainment plans on undertaking ten Pathfinder projects through which to test the certification process, with the first starting in June or July of 2020.
July/August 2020: You can expect the first CMMC audits to begin, focused on the initial Pathfinder projects.
October 2020: You can expect to see the first RFPs which will require CMMC certification begin to be released to the wider DIB.
CMMC outlines five different levels of compliance, all of which require auditing and certification by a third party:
In addition to the basic levels of compliance, CMMC is structured into domains, processes, capabilities, and practices.
There are 17 domains, each consisting of specific capabilities - or goals - to ensure security within the domain. Capabilities then break down into both practices and processes which are required to achieve said capability.
There are a total of 85 processes across all 17 domains. Each of the processes is labeled for a specific level of CMMC compliance.
For instance, 51 of the 85 total processes apply at Level 3, while all 85 processes apply at Level 5.
CMMC covers a wide range of cybersecurity issues, but there are 10 major practices that are focused specifically on remote work security.
More details on these, as well as how they relate to remote work security, are outlined below.
AC.2.013: Monitor and control remote access.
Practice basics:
This practice requires that all remote access to the network be monitored and controlled and that it be carried out over an encrypted channel. You must control who is accessing the network remotely, using tools such as intrusion detection systems (IDS), and have complete monitoring in place.
You must also keep full audit logs and document conditional access policies, whether access is provided through a VPN or a cloud-based service such as Office 365.
AC.2.015: Route remote access through monitored access control points.
Practice basics:
This practice requires that all of your servers live within a monitored and controlled environment, with no access from the open internet. All remote connections to those servers must be routed through a controlled access point.
This is achieved through the use of a VPN, and all of the connections that flow through it must be auditable so that you can see what content is flowing across the connections and who is accessing it.
AC.3.014: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Practice basics:
This practice requires that any VPN solution for remote access use FIPS-validated cryptography. This includes the use of TLS 1.2, SSHv2, AES, Triple-DES and DSA.
AC.3.021: Authorize remote execution of privileged commands and remote access to security-relevant information.
Practice basics:
This practice applies specifically to your administrative staff and requires organizations to strictly control what system administrators can do remotely. You will need to have a set of policies determining which settings they are allowed to adjust remotely, and which require them to physically be on the network.
AC.4.032: Restrict remote access based on organizationally defined risk factors.
Practice basics:
This particular practice, being more advanced, requires organizations to set policies on a combination of factors about the device or user accessing the system remotely.
There are certain risk factors that can indicate concerning activity. Some examples include:
This practice requires that organizations have a policy for allowing or disallowing access based on the risk factors, or a combination of those factors, outlined above.
IA.3.083: Multifactor authentication for local and network access to privileged accounts and network access to a non-privileged account.
Practice basics:
This practice requires that any remote access be achieved through multi-factor authentication.
IA.3.084: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Practice basics:
This practice is required to help prevent man-in-the-middle and replay attacks. It requires organizations to use methods to prevent information from being stolen and used at a future time. Common methods for this include using tokens, one-time passcodes and certificates. Hardware-based VPNs are especially useful in this endeavor.
MA.2.113: Require multi-factor authentication to establish maintenance sessions via external network connections and terminate connections when complete.
Practice basics:
This practice requires that any maintenance work done on the network from a remote location be executed through a connection that uses multi-factor authentication.
SC.2.178: Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to the users present at the device.
Practice basics:
This practice requires that devices, such as cameras and microphones, that are within the controlled network be protected from remote access.
For instance, someone should not be able to connect to the network remotely and turn on a camera or microphone in a conference room to listen in.
To comply with this requirement, you’ll need to put protections in place on the devices themselves, and have clear indicators of when those devices are on or off.
SC.3.184: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources on external networks.
Practice basics:
This practice requires that any end-user devices connected to the internal network through a VPN can only send traffic through that VPN. You cannot have an end-user device that is sending traffic both over the VPN and the open internet. Hardware-based VPNs are a great way to easily achieve this.
While CMMC may not be required for DoD contracts today, you can see from the schedule above that it is rapidly approaching.
With our current environment, and the increased need to work remotely, it is incredibly important that organizations that are currently doing business with the Department of Defense, or plan to in the future, take steps today to ensure that they will be ready for their first CMMC audit.