• Some great @microsoft folks to follow on Twitter if you live in #cmmc or public sector space: @rimazima, @singingtech, @geekwithin, @jayleask, & @techjahnke

  • CMMC and the Customer Responsibility Matrix

    Defense Contract Management Agency says all customer responsibility matrices must be complete prior to the start of their CMMC assessments. Yet only half the people know much about them. Why?

    Risk Management Framework

    If you come from the Risk Management Framework world, where traceability matrices are routine, or you work with federal systems, you are familiar with the CRM, but for many people in the commercial industrial base the idea is new. Many folks in the CMMC space heard of customer responsibility matrices when they saw how DCMA

    The Institute of Electrical and Electronics Engineers Standard Glossary of Software Engineering Terminology (1990) defines a traceability matrix as:

    A matrix that records the relationship between two or more products of the development process (e.g., a matrix that records the relationship between the requirements and the design of a given software component).

    The NIST glossary then adds two notes to this definition:

    Note 1: A traceability matrix can record the relationship between a set of requirements and one or more products of the development process and can be used to demonstrate completeness and coverage of an activity or analysis based upon the requirements contained in the matrix.

    Note 2: A traceability matrix may be conveyed as a set of matrices representing requirements at different levels of decomposition. Such a traceability matrix enables the tracing of requirements stated in their most abstract form (e.g., statement of stakeholder requirements) through decomposition steps that result in the implementation that satisfies the requirements.

    While NIST-SP-800-37 defines how to apply the RMF to federal systems, NIST-SP-800-171 does not apply the RMF to the protection of CUI. The CRM used by DCMA comes from FedRAMP.

    FedRAMP

    The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

    The Frequently Asked Questions used to define FedRAMP as FISMA for the cloud. You can only choose to use FedRAMP-authorized vendors. As part of the authorization process vendors must upload the “FedRAMP Low or Moderate Control Implementation Summary (CIS) Workbook Template”.

    This document, artifact 9, is the best template for the customer responsibility matrix.

    How do I complete the customer responsibility matrix for CMMC?

    Much of the cloud and CMMC picture remains dark. We do not have official scoping guidance, but the DCMA CMMC assessments of C3PAOs give us clues, and, as stated, DCMA will not begin a CMMC assessment without all the CRMs used for securing or the authorized handling of CUI.

    You will get this from the cloud vendor that you have decided is in scope.

    1) Implementation Status “Implementation Status” refers to the implementation status of the control (e.g., Implemented, Partially Implemented, Planned, Alternative Implementation, N/A).

    2) Control Origination “Control Origination” refers to which entity has responsibility for implementing the control. The following table defines the control origination options.

    In your SSP you must make sure you link to the CRM and then describe how you fulfil your duties.

    You begin by only using FedRAMP-authorized cloud vendors. This will help your CMMC assessor trust the shared responsibility of the cloud vendor.
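    As an added example (not code from the original post, and not a DCMA or FedRAMP tool), here is a small Python checker for a CRM exported from the CIS workbook to CSV: it flags rows whose Implementation Status or Control Origination is blank, which is what makes a CRM incomplete before an assessment, and lists the controls whose origination puts duties on the customer, which are the ones your SSP must describe. The column names, the origination labels and the sample rows are assumptions modelled on the FedRAMP CIS workbook.

```python
"""Checker for a FedRAMP-style Customer Responsibility Matrix (CRM) exported to CSV.

Added example, not code from the original post or from DCMA/FedRAMP. Column names,
origination labels and the sample rows are assumptions modelled on the FedRAMP CIS
workbook the post points to.
"""
import csv
import io

# Implementation Status values as listed in the post.
IMPLEMENTATION_STATUSES = {
    "Implemented", "Partially Implemented", "Planned",
    "Alternative Implementation", "N/A",
}

# Control Origination labels (assumed, modelled on the FedRAMP CIS workbook).
# Anything in CUSTOMER_ORIGINATIONS leaves the customer with a duty to describe
# in its own SSP; PROVIDER_ORIGINATIONS are the cloud vendor's to document.
CUSTOMER_ORIGINATIONS = {"Configured by Customer", "Provided by Customer", "Shared"}
PROVIDER_ORIGINATIONS = {
    "Service Provider Corporate", "Service Provider System Specific",
    "Service Provider Hybrid", "Inherited",
}

# Constructed sample CRM: the last two rows are deliberately incomplete.
SAMPLE_CRM = """Control ID,Control Name,Implementation Status,Control Origination
AC-2,Account Management,Implemented,Shared
AC-17,Remote Access,Implemented,Configured by Customer
AU-2,Audit Events,Implemented,Service Provider System Specific
IA-2,Identification and Authentication,Partially Implemented,Provided by Customer
SC-13,Cryptographic Protection,Implemented,Inherited
IR-4,Incident Handling,,Shared
MP-6,Media Sanitization,Planned,
"""


def parse_crm(text):
    """Parse CSV text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_crm(rows):
    """Return (problems, customer_controls).

    problems: (control_id, message) pairs that make the CRM incomplete, i.e. the
              things that would stop an assessment from starting.
    customer_controls: rows whose origination places responsibility on the customer.
    """
    known_originations = CUSTOMER_ORIGINATIONS | PROVIDER_ORIGINATIONS
    problems, customer_controls = [], []
    for row in rows:
        cid = row["Control ID"].strip()
        status = row["Implementation Status"].strip()
        origin = row["Control Origination"].strip()
        if not status:
            problems.append((cid, "missing Implementation Status"))
        elif status not in IMPLEMENTATION_STATUSES:
            problems.append((cid, f"unknown Implementation Status {status!r}"))
        if not origin:
            problems.append((cid, "missing Control Origination"))
        elif origin not in known_originations:
            problems.append((cid, f"unknown Control Origination {origin!r}"))
        elif origin in CUSTOMER_ORIGINATIONS:
            customer_controls.append(
                {"id": cid, "name": row["Control Name"].strip(),
                 "status": status, "origination": origin})
    return problems, customer_controls


def customer_gaps(customer_controls):
    """IDs of customer-side controls that are not yet fully implemented.

    A Shared or customer-configured control still marked Planned or Partially
    Implemented is a gap the customer, not the vendor, has to close.
    """
    return [c["id"] for c in customer_controls if c["status"] != "Implemented"]


def crm_report(text):
    """Run the whole check on a CSV string and return a summary dict."""
    rows = parse_crm(text)
    problems, customer_controls = validate_crm(rows)
    return {
        "complete": not problems,
        "problems": problems,
        "ssp_controls": [c["id"] for c in customer_controls],
        "customer_gaps": customer_gaps(customer_controls),
    }


if __name__ == "__main__":
    report = crm_report(SAMPLE_CRM)
    print("CRM complete:", report["complete"])
    for cid, msg in report["problems"]:
        print(f"  incomplete row {cid}: {msg}")
    print("Controls to narrate in the SSP:", ", ".join(report["ssp_controls"]))
    print("Customer-side gaps:", ", ".join(report["customer_gaps"]))
```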

  • Happy Mother's Day: Dr Tucker Joins the Team

    Moms make us mightier. Moms make our military fierce. In uniform and on the homefront, moms matter most at the most important moments.

    So this Mother’s Day I am pleased to announce that Dr. Lauren Tucker has joined our Cybersecurity Maturity Model Certification curriculum team as our lead 508 and ADA Compliance designer. More importantly, Lauren applies the principles of Universal Design for Learning to all her instructional design work.

    Dr. Lauren Tucker is an assistant professor in the special education department. She has a dual certification in special and regular education with over 8 years in the field. Dr. Tucker will apply assistive technology, universal design for learning, online learning, and technology implementation to our CMMC courses.

    She will conduct assistive technology evaluations, ADA compliance reviews and trainings for the LTPs we work with to ensure they deliver compliant curriculum. If you do not take this seriously as a trainer you will get sued. Dr. Tucker will make sure the courses we deliver with Data Technologies’ LPP CyberDI meet compliance. She will also train instructors on their responsibilities.

    Dr Tucker supports teachers, students, and individuals in appropriate consideration, selection, and implementation of tools to increase adult learning. Her research focuses on technology integration, teacher learning, assistive technology for accommodations, and implementing communication and visual supports in community experiences.

    As a military spouse the sense of community brought Dr Tucker to our CMMC project.

    “My husband completed his service just as we were married, but we were initially prepping for a deployment and there’s so much to do and support,” Dr Tucker told me, “but where we struggled was with the after when the supports are gone.”

    Dr. Tucker continued, “Being a spouse to a veteran and support them through transitioning to civilian life, you kind of feel forgotten, so much taken for granted. We as spouses had services and those get cut off and then we need to find new ways to support our partners on their new path.”

    Lauren noted that she got involved in our CMMC project because she saw so many veterans transitioning into cyber. “You almost need someone to write the Unchecklist Manifesto. There is no TTP for potty training. Just a lot of pee-pee,” she joked about training, tactics and procedures.

    “My partner works for one of the major Defense contractors. Having that connection matters. I am seeing this in my every day, and as the Cyber attacks like the one spiking our gas prices continue we need more professionals protecting our data.”

    So on this Mother’s Day I salute you Dr. Tucker, and all the other military moms. So lucky to have you on the team.

  • Module Five: Shrinking Your Scope

    Today we launched the next module in our CCP Essentials class. This week we focus on scoping through the lens of zone segmentation. This means you figure out how the people, processes and technology work by mapping how data flows through your company.

    Objectives

    * Define an endpoint, boundary, and scope.
    * Illustrate a basic network diagram with routers, firewalls, and endpoints.
    * Compare common use cases for the authorized handling of CUI/FCI.
    * Explain the interaction of people, processes and technology in determining scope.
    * Identify the controls we apply to people, processes and technology.
    * Define what controls are applicable for the in-scope people, processes and technology given a business case study.

    Video

    Amira Armond. Scoping

    https://www.youtube.com/watch?v=h4TCx1XwRgo&list=PL1ed_BKivc_-8DQpza5thlnkaC4aX6ZIW&index=9

    Reading

    Compliance Forge and Supply Chain Risk Management. (2021). Unified Scoping Guidance.

    Writing

    Try to write a beginner’s guide to scoping that a small business owner can use to demonstrate how authorized handlers protect sensitive data.

    Or

    Almost 70% of all the objectives required by CMMC rely on non-technical solutions. What has to happen with people and processes to ensure the technology to limit scope is an effective security measure? Develop a list of processes that influence scope.

    Participating

    Given a scenario, and using a zone approach to scoping, mark off if specific people, processes, and technology are out of scope or in scope. Then explain how the in-scope elements interact.

  • I am listening to Wayne Boline and RSVPd yes to CMMC Midwest Conference 2021

  • Yes, I will be attending Gentle Introduction to Structural Equation Modeling because I love Eigenvalues….I mean those seconds when you wait on your factor weights to see if your model fit makes the grade….that’s a great feeling.

  • Leighton Johnson Joins the Curriculum Writing Team

    I cannot wait to get into a room with people and just hack on curriculum. Learning is such an embodied experience, and we lose that on Zoom (learning is always embodied so we don’t lose it, but the energy goes negative…zoom fatigue). You need to get up and move around, curse, throw things.

    You know. Learning.

    Instructional design is no different. You throw around ideas and keep what sticks.

    This is why I am excited that the Cybersecurity Maturity Model Certification curriculum team at Southern Connecticut State University continues to grow.

    Next time we gather for a curriculum hack day, Leighton Johnson, a forty-year cybersecurity veteran, will join us.

    Leighton Johnson

    Leighton Johnson, who started his career as a SATCOM Repair Specialist with the Army down at Fort Gordon in 1980, holds over thirty IT Security and six Homeland Security professional certifications.

    Johnson also brings an unparalleled level of leadership experience to the team. His managerial and supervisory experience spans over 25 years and covers multiple levels of activity, including Computer Security Lead Engineer, Regional CIO for a Professional Services organization and Information Security Program Manager (CISO) for a DOD field-level agency.

    Recently, Leighton has become one of the nation’s leading CMMC experts. He has completed training for and achieved CMMC Provisional Assessor Levels 1-3 certification. Johnson developed and taught cyber warfare and cyber defense courses to DOD/DISA organizations around the world. He has authored two books on Incident Response Team Management and Security Controls Assessments. Johnson also wrote 5 training manuals on the implementation and management of the NIST-based Risk Management Framework. This curriculum leadership will only strengthen the work we publish.

    As an expert, Leighton Johnson will first serve on our content validity team. He begins by taking our objectives and the description of the AB’s Bodies of Knowledge. Johnson then identifies what BoK he thinks our objectives fit, determines how sure he is of his choice, and then decides how relevant he thinks the objective is to the BoK. We then combine his data with other experts and calculate a content validity index score.

    As a next step, Johnson will move into writing curriculum. He will take his expertise in developing RMF trainings for NIST, and help create problem sets around each objective at the practice level.

    We are very excited for our next curriculum hack days.

  • Launching Module 3

    Getting ready to launch our CCP-Essentials Module Three. We have designed our CMMC boot camps so students can customize the course for their companies.

    Objectives

    • Explain the purpose of Executive Order 13556: Controlled Unclassified Information to standardize data
    • List the National Archives and Records Administration’s role in determining CUI labels
    • Describe responsibility to encrypt CUI while in transit or at rest in storage
    • Evaluate strategies to provide physical protection for CUI
    • Draw conclusions about the effectiveness of a CUI destruction policy
    • Critique a CUI records management approach

    Video

    ISOO CUI Video Training Series

    Reading:

    Department of Defense (2020). CUI Awareness and Marking.

    As you complete the readings, fill in the Venn Diagram describing the legal requirements authorized holders have for protecting Federal Contract Information and Controlled Unclassified Information.

    Writing:

    Compare case studies that provide the scenarios, identify the proper response for handling, storing, labeling, disseminating, and destroying CUI.

    Participating:

    Create a 4-5 episode microcast series (2-4 minute episodes) that defines FCI and CUI, which explores a contractor’s responsibility for protecting both under CMMC.

    Or

    Critique a CUI records management approach.

  • “Have the Fire to Carry us deftly to new heights and to the future.”

    Thank you Michael Collins. Find your place in the stars.

  • What is CMMC?

    In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-reporting of cyber hygiene which used to govern the DIB. The CMMC puts an end to self-assessment, and requires a third-party assessor to verify the cybersecurity maturity level of all contractors.

    All DoD contractors must comply with the Federal Acquisition Regulation (FAR) and the Defense Acquisition Regulation Supplement (DFARS). These regulations require companies to meet specific security standards from the National Institute of Standards and Technology. If a company connects to the government network, they must meet the NIST 800-53 standards. Companies not connected to a network were previously required to self-certify that they met the 110 controls and completed actions to increase cyber hygiene as laid out in NIST 800-171.

    Third party assessors, who must complete coursework and obtain a certification, must now measure what maturity level a contractor has met. An organization must demonstrate the institutionalization of the process and the utilization of the practices outlined by NIST. Furthermore, the maturation model is cumulative, meaning a contractor must demonstrate they have met the practices and processes of lower levels as well.

    The goal is to protect two types of sensitive data: federal contract information, and controlled unclassified information.

    What is FCI?

    Authorized holders, who have a Department of Defense Contract with a 7012 clause must protect two types of sensitive data: Federal Contract Information and Controlled Unclassified Information.

    FCI, or Federal Contract Information, is any information included in or created for a government contract not meant for public release.

    You or the government can create FCI. FCI arises when you do work on behalf of a contract that generates or uses information not intended for public release.

    You do not need to label FCI. No classification exists. Instead, you must apply basic safeguards to information not meant for public release.

    All of this was established by FAR Clause 52.204-21, which lays out basic protections for sensitive data. A company should not assume meeting the requirements of FAR will be easy or cheap. However, FAR requirements often reflect better business practices, and provide a good starting point on your CMMC journey.

    Contractors who only touch or create FCI will need to pass a Level 1 maturity assessment.

    By 2025, all contractors will be assessed using the CMMC Level 1 methodology.

    What is CUI?

    Controlled Unclassified Information requires greater protections than FCI. The government defines CUI as information that demands safeguarding or dissemination controls required by law, regulation, or Govt-Wide Policy, but which is not classified and does not include nuclear data or material. Classified and nuclear information require greater protections than CUI.

    The CUI program was created by President Obama’s Executive Order 13556 after 9/11 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA) of the National Archives and Records Administration (NARA), and is responsible for oversight of the CUI program. The ISOO monitors the implementation of the CUI program by executive branch agencies.

    Contractors who touch, create, receive, transmit, or destroy CUI will need to pass a Level 3 maturation assessment.

    By 2025(ish) all contractors will be assessed using the CMMC Level 3 methodology.

    History of CMMC?

    The Department of Defense launched the Cybersecurity Maturity Model Certification Program in 2019.

    The Software Engineering Institute built the initial versions of the CMMC in collaboration with the Johns Hopkins University Applied Physics Laboratory.

    However, the effort to secure the Defense Industrial Base goes back as far as 2017, when the Department of Defense required all contractors who receive a 7012 clause to self-assess their cyber hygiene using a set of controls called Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This was published by the National Institute of Standards and Technology, and is commonly referred to as NIST SP-800-171, or simply 171.

    NIST was empowered to set the standards for cybersecurity by the Secretary of Commerce under the Federal Information Security Modernization Act, which was passed all the way back in 2002. In fact, NIST began taking charge of technology standards as far back as 1901 with the Organic Act. This was updated for the digital world with FISMA.

    So the CMMC, while officially beginning in 2019, has roots that are almost twenty years old.

    FISMA empowered the Secretary of Commerce to authorize the Office of Management and Budget to team with NIST. Through NIST, the OMB, and thus the Secretary of Commerce, set standards such as FIPS 199. FIPS 199 is a type of encryption authorized users must use when handling CUI. CMMC-AB, for example, can’t just strip away FIPS.

    The Department of Defense instead created CMMC to help speed up compliance with 171 after the F-35 plans were stolen by the Chinese military.

    The plans did not fall into Chinese hands by hacking a single computer or company. Rather, thousands of cyber attacks were launched against the networks of small government contractors who moved plans and files, such as key radar information, back and forth between emails and servers.

    These efforts did not stop with the F-35. In fact, according to a Government Accountability Office:

    “The Department of Defense (DOD) faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”

    Something had to be done.

    The Interim Rules

    The Department of Defense took the extraordinary approach of releasing an Interim Rule to speed up implementation of CMMC. The Interim rule introduced three new clauses, 7019, 7020, and 7021.

    The 7019 and 7020 clauses rely on the same approach to 171, but now only the Under Secretary of Defense for Acquisition and Sustainment can assign the 7021, which has the CMMC requirements.

    As of Nov 30, 2020 all contractors must continue to upload SPRS scores and self-attest under the 7019 clause.

    If the DoD wants to apply a medium review, the 7020 clause kicks in.

    Until 2025, only the Undersecretary of A+S can assign the 7021 clauses.

    The interim rule only applies to contracts after Nov 30. However, when a contract or Task Order gets modified, which is often, then the interim 7019, 7020, and 7021 clauses kick in.

    The Interim rule is set to be finalized in May of 2021, which then lays out a path for all Defense contracts to have the 7021 clause by 2025-2026.

    It makes sense for Defense Contractors and Managed Support Providers, the IT companies that work with small manufacturers, to begin to understand and implement the CMMC model.

    What is the CMMC Model?

    Since December 13, 2017 companies could lose DoD contracts due to lax cybersecurity. But the DoD took an extraordinary step of releasing an interim rule to DFARS.

    Until recently, DFARS required organizations to self assess. Companies had to provide documentation on meeting the 110 controls of NIST 800-171 by collecting artifacts into a Body of Evidence.

    A Body of Evidence contained three major items. The first was a System Security Plan, which describes a company’s infrastructure, such as the hardware and software utilized. The Plan of Action and Milestones (POA&M) documented any shortcomings and described a remediation plan for those shortcomings. A company would also submit their procedures and policies as part of the Body of Evidence.

    DFARS required a contractor’s POA&M to be shared with the DoD. A major change presented by the CMMC model is the removal of the POA&M and the introduction of third-party auditors, rather than self-assessments.

    The CMMC builds off of NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturation model and the role of third party assessors. The CMMC defines 17 domains of cyber hygiene that are comprised of 43 capabilities. These capabilities are institutionalized through 171 practices across five levels of maturation.

    The Office of the Under Secretary of Defense for Acquisition and Sustainment defines maturation as a, “set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.” The CMMC contains five levels of maturation.

    The Five Levels of CMMC

    The CMMC model has five levels of maturation:

    Level 1: Safeguard Federal Contract Information (FCI) 
    Level 2: Serve as transition step in cybersecurity maturity progression to protect CUI 
    Level 3: Protect Controlled Unclassified Information (CUI) 
    Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
    

    The Cybersecurity Maturity Model Certification program has 17 total Domains across these five levels.

    Almost all of the domains come from NIST 800-171 and Federal Information and Processing Standards 200.

    To these 14 domains, the CMMC model adds Asset Management (AM), Recovery (RE), and Situational Awareness (SA) from other International and Risk Management Frameworks.

    Practices and Processes

    Across these Domains the model has 171 practices. In order to be compliant with each practice, you must demonstrate compliance with every single objective taken from the 171A methodology. For Level 3 maturation, the practices in each of the Domains of CMMC require someone to meet compliance on 362 objectives.

    The CMMC model also requires an assessor to establish process maturity.

    Maturity Level 1 allows you to demonstrate processes in an ad hoc manner, and does not require policy in place for compliance. However, every company will find security impossible to meet without good policy. So, while you are not technically required to show policy for Level 1 compliance, it will be hard to reach without it.

    Level 2 maturity requires an organization to establish and document practices within a Domain. This does not mean you must write a process documentation for each Domain. Many of the objectives used to measure process maturity will exist across your portfolio.

    Level 3 maturity is required to handle CUI. An organization must establish, maintain, and resource a plan for managing cybersecurity. CUI activities must be defined in the plan.

    Level 4 requires an organization to review and measure practices for effectiveness. They must look for vulnerabilities and address them when found.

    Level 5 requires a company to standardize and optimize process implementation throughout the organization. Most Level 5 organizations will be better prepared through experience handling Classified or nuclear information.

    CMMC Cost

    The CMMC Model includes several assumptions about the cost of implementing CyberSecurity.

    As Jacob Horne of DefCert notes, the Interim Rules assume Defense contractors have implemented the controls of 171, although few have managed to do so.

    In fact, NIST-800-171 itself assumes that many of the controls required in FAR-21 just happen as part of the way we do business in the modern world. The Department of Defense knows the web has existed for 30 years or longer. They used to call it ARPANet.

    Can you blame the Department of Defense for not wanting to use contractors who have done nothing to address cybersecurity in 30 years? They will not accept excuses for a lack of cybersecurity, and have published some pricing guidance. Jacob warns us to understand that these prices also include the assumptions built into the CMMC model. Still, even if these numbers represent the floor and not the ceiling, it will cost a pretty penny for a sheen of cyber hygiene.

    The cost of CMMC certification consists of three things (based on DoD estimates, assuming you are already 171 compliant):

    The cost of the assessment itself; 
    
    First year, non-recurring engineering costs; 
    
    Recurring engineering costs split over five years. 
    

    Level 1 Certification: $2,999.56

    Assessment: $2,999.56 
    Nonrecurring Engineering: N/A 
    Recurring Engineering: N/A 
    

    Level 2 Certification: $50,755.88

    Assessment: $22,466.88 
    Nonrecurring Engineering: $8,135.00 
    Recurring Engineering: $100,770.00 ($20,154.00 per year x 5 years) 
    

    Level 3 Certification: $118,975.60

    Assessment: $51,095.00 
    Nonrecurring Engineering: $26,214.00 
    Recurring Engineering: $208,330.00 ($41,666.00 per year x 5 years) 
    
  • My Module One Deliverable

    In our CCP-Essentials class being offered at Southern Connecticut State University our first module covered the basics of “What is CMMC?”

    As a performance assessment students had to “Create a one-page flyer explaining the CMMC program for a manufacturing defense contractor and a flyer for a Managed Service Provider.”

    For my mentor text I chose to do a Storyboard. All module long we stressed: do not worry about arguing over VDI, split tunneling, or FIPS if you can’t tell me what policies you do and do not have in place.

    So in terms of building up a policy library I thought I would create a remixable storyboard that students could use to make training videos for their staff and employees. To meet the Awareness and Training domain people need to Conduct security awareness activities and training.

    This storyboard can serve as a quick primer on CMMC and can be remixed to fit the style guide of your company.

    Topic: Introduction

    Total words:

    Estimated Time:

    Script

    Visual Assets

    Audio Assets

    In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-reporting of cyber hygiene that used to govern the DIB. The CMMC puts an end to self-assessment and requires a third-party assessor to verify the cybersecurity maturity level.

    All DoD contractors must comply with the Federal Acquisition Regulation (FAR) and the Defense Acquisition Regulation Supplement (DFARS). These regulations require companies to meet specific security standards from the National Institute of Standards and Technology. If a company connects to the Government network they must meet the NIST 800-53 standards. Companies not connected to a network were required to self-certify that they met the 110 controls, actions to increase cyber hygiene as laid out in NIST 800-171.

    Label: Federal Acquisition Regulation (FAR) and the Label: Defense Acquisition Regulation Supplemental (DFARS)

    Label: National Institute of Standards and Technology.


    Third party assessors, who must complete coursework and obtain a certification will then measure what maturity level a contractor has met. An organization must demonstrate the institutionalization of the process and the utilization of the practices. Furthermore the maturation model is cumulative, meaning a contractor must demonstrate they have met the practices and processes of lower levels as well.


    The goal is to protect two types of sensitive data, federal contract information and federal


    Topic: FCI

    Total words:

    Estimated Time:

    Script

    Visual Assets

    Audio Assets

    Authorized holders, who have a Department of Defense Contract with a 7012 clause must protect two types of sensitive data: Federal Contract Information and Controlled Unclassified Information

    [i1.wp.com/isoo.blog...](https://i1.wp.com/isoo.blogs.archives.gov/wp-content/uploads/sites/19/2020/06/FCI-and-CUI-VennDiagram.png?w=1370)


    FCI, or Federal Contract information is any information included in or created for a government contract not meant for public release.

    Label: What is FCI?


    You or the government can create FCI. You must do the work on behalf of a contract that generates or uses information not for public release.

    Label: Who makes FCI?


    You do not need to label FCI. No classification exists. Instead you apply basic safeguards to information not meant for public release

    Label: How do I label FCI?


    All of this got established by FAR Clause 52.204-21, which lays out basic protections for sensitive data. A company should not assume meeting the requirements of FAR will be easy or cheap. Yet they often reflect better business practices and provide a good starting point on your CMMC journey.

    Make a screen of the basic safeguards


    Contractors who only touch or create FCI will need to pass a level one maturity assessment

    By 2025 all contractors will be assessed using the CMMC Level 1 methodology

    Topic: CUI

    Total words:

    Estimated Time:

    Script

    Visual Assets

    Audio Assets

    Controlled Unclassified Information requires greater protections than FCI. The government defines CUI as information that requires safeguarding or dissemination controls required by law, regulation, or Govt-Wide Policy, but which is not classified and does not include nuclear data or material. Classified and nuclear information require greater protections than CUI.

    Put definition in a call out

    “All unclassified information throughout the executive branch that requires any safeguarding or dissemination control is CUI.”

    32 CFR 2002.14.

    The CUI program got created by President Obama’s Executive Order 13556 after 9/11 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA) of the National Archives and Records Administration and is responsible for oversight of the CUI Program, monitoring its implementation by executive branch agencies.

    Executive Order 13556


    Contractors who touch, create, receive, transmit or destroy CUI will need to pass a level three maturation assessment

    By 2025(ish) all contractors will be assessed using the CMMC Level 3 methodology


    Topic: History

    Total words:

    Estimated Time:

    Script

    Visual Assets

    Audio Assets

    The Department of Defense launched the Cybersecurity Maturity Model Certification Program in 2019.

    The Software Engineering Institute built the initial versions of the CMMC in collaboration with the Johns Hopkins University Applied Physics Laboratory

    Get a CMM logo

    Yet the effort to secure the Defense Industrial Base goes back as far as 2017, when the Department of Defense required all contractors who receive a 7012 clause to self-assess their cyber hygiene using a set of controls called Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, published by the National Institute of Standards and Technology and commonly referred to as NIST SP-800-171, or simply 171.

    Screenshot of the manual page

     

    NIST is empowered to set federal cybersecurity standards, promulgated by the Secretary of Commerce, under the Federal Information Security Management Act (FISMA),

    passed all the way back in 2002 and later updated by the Federal Information Security Modernization Act of 2014.

    Federal Information Security Modernization Act-get a headline or something

     

    So CMMC, while beginning in 2019, has roots almost twenty years old.

       

    The Department of Defense accelerated cybersecurity through the CMMC program after F-35 design data was stolen by the Chinese military.

    The plans did not fall into Chinese hands through the hacking of a single computer or company. Instead, thousands of cyber attacks were launched against the networks of small government contractors who moved plans and files, such as key radar information, back and forth between email and servers.

    These efforts did not stop with the F-35. In fact, according to the Government Accountability Office:

    “The Department of Defense (DOD) faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”

    Something had to be done.

    Get some b roll of the f-35 and j-20

    “faces tens of millions of attempted malicious cyber intrusions per year”

    Dramatic world ending military beats with a bit of old school drum and bass House feel

    The Department of Defense took the extraordinary approach of releasing an Interim Rule to speed up implementation of CMMC. The Interim Rule introduced three new DFARS clauses: 252.204-7019, 7020, and 7021.

    The 7019 and 7020 clauses rely on the same NIST SP 800-171 approach as before, now with a scored self-assessment reported to the DoD, but only the Under Secretary of Defense for Acquisition and Sustainment can approve use of the 7021 clause, which carries the CMMC requirements.

    The Interim Rule is set to be finalized in May 2021, which then lays out a path for all Defense contracts to carry the 7021 clause by 2025-2026.

    It makes sense for Defense contractors and the Managed Service Providers, the IT companies that work with small manufacturers, to start understanding and implementing the CMMC model now.

    Make a graphic comparing the three interim clauses

     

    Topic: Model

    Total words:

    Estimated Time:

    Script

    Visual Assets

    Audio Assets

    Since December 31, 2017 companies could lose DoD contracts due to lax cybersecurity. Then the DoD took the extraordinary step of releasing an interim rule to DFARS.

    Yet until recently DFARS required organizations to self-assess. Companies had to provide documentation of meeting the 110 controls of NIST SP 800-171 by collecting artifacts into a Body of Evidence.

    A Body of Evidence contains three major items. First, a System Security Plan (SSP) describes a company’s infrastructure, such as the hardware and software used, and how each control is met. The Plan of Action and Milestones (POA&M) documents any shortcomings and describes a remediation plan. A company also submits its policies and procedures as part of the Body of Evidence.

    Under DFARS a contractor’s POA&M was to be shared with the DoD on request. A major change in CMMC is the removal of the POA&M at certification and the use of third-party rather than self-assessments.

    Make a graphic comparing the NIST SP 800-171 self-assessment vs CMMC

     

    The CMMC builds on NIST SP 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturity model and the role of third-party assessors. The CMMC defines 17 domains of cyber hygiene comprising 43 capabilities. These capabilities are institutionalized through 171 practices across five maturity levels.

       

    The Office of the Under Secretary of Defense for Acquisition and Sustainment defines a maturity model as a “set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.” The CMMC contains five levels of maturity.

    “set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.”

     

    The CMMC model has five levels:

    • Level 1: Safeguard Federal Contract Information (FCI)
    • Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI
    • Level 3: Protect Controlled Unclassified Information (CUI)
    • Levels 4-5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)

    Graphic of the Level

     

    The Cybersecurity Maturity Model Certification program has 17 domains in total across these five levels.

    Fourteen of the domains come from the security requirement families of NIST SP 800-171, which in turn trace to Federal Information Processing Standard (FIPS) 200.

    To these 14 domains the CMMC model adds Asset Management (AM), Recovery (RE), and Situational Awareness (SA), drawn from other international and risk management frameworks.

    Across these domains the model has 171 practices.

    Yet to meet compliance on a practice you must demonstrate compliance with every one of its assessment objectives, an approach taken from the NIST SP 800-171A methodology.

    For Level 3 the practices across the CMMC domains require an organization to meet 362 objectives.

    Access Control (AC) – Establish system access requirements. Control internal system access. Control remote system access. Limit data access to authorized users and processes.

    Asset Management (AM) – Identify and document assets. Manage asset inventory.

    Audit and Accountability (AU) – Define audit requirements. Perform auditing. Identify and protect audit information. Review and manage audit logs.

    Awareness and Training (AT) – Conduct security awareness activities. Conduct training.

    Configuration Management (CM) – Establish configuration baselines. Perform configuration and change management.

    Identification and Authentication (IA) – Grant access to authenticated entities.

    Incident Response (IR) – Plan incident response. Detect and report events. Develop and implement a response to a declared incident. Perform post incident reviews. Test incident response.

    Maintenance (MA) – Manage maintenance.

    Media Protection (MP) – Identify and mark media. Protect and control media. Sanitize media. Protect media during transport.

    Personnel Security (PS) – Screen personnel. Protect CUI during personnel actions.

    Physical Protection (PE) – Limit physical access.

    Recovery (RE) – Manage backups. Manage information security continuity.

    Risk Management (RM) – Identify and evaluate risk. Manage risk. Manage supply chain risk.

    Security Assessment (CA) – Develop and manage a system security plan. Define and manage controls. Perform code reviews.

    Situational Awareness (SA) – Implement threat monitoring.

    Systems and Communications Protection (SC) – Define security requirements for systems and communications. Control communications at system boundaries.

    System and Information Integrity (SI) – Identify and manage information system flaws. Identify malicious content. Perform network and system monitoring. Implement advanced email protections.

     

    The CMMC model also requires an assessor to establish process maturity.

    Maturity Level 1 allows you to perform practices in an ad hoc manner and does not require policy to be in place for compliance. However, every company will find security impossible to sustain without good policy. So while you do not have to show policy for Level 1 compliance, it will be hard to reach without it.

    Level 2 requires an organization to establish and document practices and policies within each domain. This does not mean you write separate process documentation for each domain; many of the objectives used to measure process maturity will be satisfied by documents that already exist across your portfolio.

    Level 3 maturity is required to handle CUI. An organization must establish, maintain, and resource a plan that demonstrates management of the activities for implementing its practices, and must perform those activities as defined in the plan.

    Level 4 requires an organization to review and measure its practices for effectiveness. It must look for shortcomings and address them when found.

    Level 5 requires a company to standardize and optimize process implementation throughout the organization. Most Level 5 organizations will be better prepared through experience handling classified or nuclear information.

    Get a picture of the table from the model

     

    The CMMC model includes many assumptions about the cost to implement cybersecurity.

    As Jacob Horne of DefCert notes, the Interim Rule assumes Defense contractors have already implemented the controls of 171.

    Few have.

    In fact NIST SP 800-171 itself assumes that the basic safeguarding requirements of FAR 52.204-21 just happen as part of the way business is done in the modern world.

    The Department of Defense knows the internet has existed for 30 years or longer.

    They used to call it ARPANET.

    Can you blame the Department of Defense for not wanting to use contractors who have done nothing to address cybersecurity in 30 years?

    They will not accept excuses for a lack of cybersecurity, and have published some pricing guidance.

    Jacob warns us that these prices also bake in the assumptions built into the CMMC model.

    Still, even if these numbers represent the floor and not the ceiling, it will cost a pretty penny for a sheen of cyber hygiene.

    The cost of CMMC certification consists of three things:

    1. The cost of the assessment itself;
    2. First-year, non-recurring engineering costs;
    3. Recurring engineering costs, spread over five years.

    The certification figure given for each level below is the assessment plus the nonrecurring engineering plus the first year of recurring engineering.

    Level 1 Certification: $2,999.56
        Assessment: $2,999.56
        Nonrecurring Engineering: N/A
        Recurring Engineering: N/A

    Level 2 Certification: $50,755.88
        Assessment: $22,466.88
        Nonrecurring Engineering: $8,135.00
        Recurring Engineering: $100,770.00 ($20,154.00 per year x 5 years)

    Level 3 Certification: $118,975.60
        Assessment: $51,095.00
        Nonrecurring Engineering: $26,214.00
        Recurring Engineering: $208,330.00 ($41,666.00 per year x 5 years)

     
         

    Always define the word on the screen when using a key concept for the first time. This is supported by Richard Mayer’s multimedia learning theory and by more recent work in Universal Design for Learning.


    Tips

    Notice how I have a subtle transition at the end of each concept that connects the reader to the next topic being introduced.

    This is designing for cognitive bias (activating prior knowledge, reducing inferences) without using bad meta-language writing like, “In this section I will tell you about CUI. First the history.....” Better than nothing, but still bad writing.

    In GovCon you cannot deviate from the template of the RFP, but you can still weave your own story around the numbers.

  • 2021-04-23 My Morning Message to CCP-Essentials Class

    You always get jitters in your stomach the day of a module launch. You worry: will everything work? Will my students understand the modules and demonstrate growth? Will my assessments elicit evidence of this knowledge growth?

    Yesterday was the launch of Module One in our CCP-Essentials class, a non-certified preview of our official class coming this June. It also affords us the chance to hire a team of experts for a content validity study and to write the protocols for all the assignments.

    Yesterday I realized that, like most of us in the Defense Industrial Base, I need to take my policy and procedure a step back and begin with user onboarding.

    Onboarding Procedures

    Much like the Human Resources onboarding and termination policies any company needs for cybersecurity, our courses will need guides on how to add users and grant authorized access to learning materials through role-based access control (RBAC).

    RBAC? I mean different people have different authorizations to see and/or do things to different stuff. So the teacher has one role and gets to do more things to more stuff, and students have a role and get to do fewer things to less stuff, but more things to their own stuff.

    In a way we build classrooms like access control.

    New Users

    I struggled yesterday with account creation and provisioning of assignments. As a reminder, we deployed our class using Microsoft Teams. So we have people still signing up for the class after they hear about our approach to personalized learning.

    I quickly realized I need, just like you need a new employee guide, a policy for new account creation. For example I need to ask, “Do you use a GCC-High account, and if so do you have a commercial account you can use?”

    As GCC-High will block the account creation. This must be followed up with, “If you choose to use a personal account, do you know if this violates work policy?”

    Authorization to Video

    Microsoft Teams meeting recordings do not get shared outside the organization. Some of the accounts in the class, not all, cannot watch previously streamed videos. Makes sense; you don’t want folks sending meetings outside the organization. The videos get sent to Stream and to SharePoint.

    So as a hack I go into Stream, download the video and then upload the mp4 file to Teams so everyone has access. Works, but a PITA. Still needs to make it into my policy.

    The bigger a PITA someone will find a process, the more important it is that you stress fidelity in your policy: spell out the steps and make everyone do them.

    People seek the path of least resistance. You can not let them. That is the job.

    Deployment of Assets

    SharePoint has so many internal settings for our university security that we could not deploy it as a viable option. So after feature and price shopping we have decided to pilot SafeShare, an encrypted file service, for our curriculum deployment.

    I need a smoother workflow for distributing and templating assessments. In SafeShare you can control asset access by only allowing authorized users specific times to open a file. In learning we call this Conditional Release; it has tons of research supporting its use.

    In CMMC land we call this a strategy for limiting unauthorized access.

    What I did yesterday for Module One didn’t work. Whether in Teams or in SafeShare, I need a way to just hit a button and send a template to every student.

    Matching the Tool to the Job

    We have people doing many different types of pre and post assessments derived from the most rigorous research in cognitive science. Many cybersecurity experts complain, “I am not good at tests.”

    Maybe because we only test in one modality when we know learning occurs best through multiple repetitions across as many modalities as possible.

    Why should measurement be any different?

    Doesn’t mean we won’t mess up.

    Yesterday, for example, (and I knew better) I tried using Microsoft Word for concept mapping. I would just print mine out, but a lot of people like tech, especially in this cyber space, so folks suggested making it in PPT.

    One student just did it on their own.

    Policy Through Iterative Design

    So while this isn’t policy, I do need to update the protocol for assessments and continue to hack on asset deployment to ensure a verifiable path of evidence for accountability.

    The same holds for your protocols and policy. You can never reach a security level high enough for compliance without living documents.

    Ad hoc equals death in a digital world.
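    The role-and-ownership scheme and the time-windowed (conditional) release described above, written out as a small policy-decision function. This is an added example, not code from this post and not how Teams or SafeShare implement their controls; the roles, actions, asset kinds, names and timestamps are made up for illustration. It is default-deny, scopes a student's rights to their own submissions, lets the releasing role see material before its window opens, and refuses naive timestamps so a time gate cannot be silently compared across time zones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Role -> set of (action, asset kind, scope) grants. Scope "any" covers every
# asset of that kind; scope "own" covers only assets the subject owns.
# Hypothetical classroom roles; anything not listed here is denied.
ROLE_PERMISSIONS = {
    "teacher": {
        ("read", "material", "any"),
        ("write", "material", "any"),
        ("release", "material", "any"),   # may see material before its release window
        ("read", "submission", "any"),
        ("grade", "submission", "any"),
    },
    "student": {
        ("read", "material", "any"),      # more things on the shared stuff...
        ("read", "submission", "own"),    # ...but only their own submissions
        ("write", "submission", "own"),
    },
}


@dataclass(frozen=True)
class Subject:
    name: str
    role: str


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                              # "material" or "submission"
    owner: Optional[str] = None
    release_at: Optional[datetime] = None  # conditional release: visible from here...
    close_at: Optional[datetime] = None    # ...until here (exclusive)


def decide(subject: Subject, action: str, asset: Asset, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: anything not explicitly granted fails."""
    if now.tzinfo is None:
        # Time-gated access breaks silently if clocks are compared in mixed zones.
        raise ValueError("now must be timezone-aware")
    grants = ROLE_PERMISSIONS.get(subject.role)
    if grants is None:
        return False, "unknown role"

    if (action, asset.kind, "any") in grants:
        pass
    elif (action, asset.kind, "own") in grants:
        if asset.owner != subject.name:
            return False, "not owner"
    else:
        return False, f"role {subject.role} may not {action} {asset.kind}"

    # Conditional release: enforce the window on anyone who cannot release the asset.
    if ("release", asset.kind, "any") not in grants:
        if asset.release_at is not None and now < asset.release_at:
            return False, "not yet released"
        if asset.close_at is not None and now >= asset.close_at:
            return False, "window closed"
    return True, "allowed"


# Constructed sample data: a course on 2021-04-23 with one open and one future module.
UTC = timezone.utc
NOW = datetime(2021, 4, 23, 9, 0, tzinfo=UTC)
TEACHER = Subject("instructor", "teacher")
ALICE = Subject("alice", "student")
BOB = Subject("bob", "student")
MODULE_1 = Asset("module-1-pretest", "material",
                 release_at=NOW - timedelta(hours=1), close_at=NOW + timedelta(hours=1))
MODULE_2 = Asset("module-2-pretest", "material", release_at=NOW + timedelta(days=7))
ALICE_MAP = Asset("alice-concept-map", "submission", owner="alice")


def demo():
    """Run the sample requests and return their decisions keyed by a label."""
    requests = {
        "alice reads open module": (ALICE, "read", MODULE_1, NOW),
        "alice reads future module": (ALICE, "read", MODULE_2, NOW),
        "teacher reads future module": (TEACHER, "read", MODULE_2, NOW),
        "bob reads alice's submission": (BOB, "read", ALICE_MAP, NOW),
        "alice writes own submission": (ALICE, "write", ALICE_MAP, NOW),
        "alice grades own submission": (ALICE, "grade", ALICE_MAP, NOW),
        "guest reads open module": (Subject("eve", "guest"), "read", MODULE_1, NOW),
        "alice reads module after close": (ALICE, "read", MODULE_1, NOW + timedelta(hours=2)),
    }
    return {label: decide(*args) for label, args in requests.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

    Two design points worth carrying into a real policy: every denial returns a reason, so the onboarding guide can tell a student whether they hit a role problem, an ownership problem or a closed window; and the release window is a property of the asset, not of the user, so provisioning a new account never has to copy dates around.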

  • 2021-04-22 My Morning Message to CPP-Essentials

    Gonna re-record yesterday’s movies and remember sound this time. The thing with filming off the cuff: sometimes you hit it in one take, and you are always chasing a memory (whose quality you can’t actually verify).

    My learning subjective for Module One is a “What is CMMC?” video. You will watch me take it from idea to production, from storyboard to script. I want to cover the basics and demonstrate how important the reference docs are to understanding CMMC.

    I will show you how I match my personal learning subjectives to the module objectives, which is the process you will do with me if you are doing the “Choose Your Own Adventure Pathway”.

    What you then do is submit an application for the badge explaining how you met the criteria. You can see where we define the success criteria against the rubric. We even list possible evidence you can submit:

    • Interview Data: Grab convos you had with me or peers
    • Artifact Data: Gather evidence from posts and materials
    • Test Data: Submit pre and post test data.

    If your evidence demonstrates the skill and knowledge growth necessary to meet the stated learning objectives, you earn the module badge. Earn all the module badges and you pass the course.

    Yoda rules. Do or do not. There is no try. Or in CMMCese, “Comply or do not. There is no POA&M.”

  • Thought of the Day: Maybe I had it wrong.

    It’s not that #Cybersecurity at Scale begins with #UX; rather, bad #UX is the greatest internal threat to cybersecurity at scale.

  • Starting my morning off doing some sketch thinking while creating #cmmc courses #instructionaldesign

  • I just RSVPd yes to Summit 7’s Cloud Security and Compliance Series (CS2): Virtual

  • OMG OMG look what the #connecticut #CMMC coalition finished: Our #cybersecurity glossary guide: asaelcorona.com/Glossary/…

  • I just RSVPd yes to Connecticut Economic Update 2021 as a proud member of the @cbia

  • Why would I even try to search for better source material on #cui #scope when I can just remix the expertise of Compliance Forge? via.hypothes.is/ex…

  • When you hear the words low, moderate, and high in terms of FedRAMP, understand that these classifications derive from FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, which was also created under the FISMA umbrella.

  • Goal of DoDI 8510.01 DoD Risk Management Framework “provides procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of information systems (ISs).”

  • DoDI 8510.01 is the implementing policy for the DoD RMF, based on NIST SP 800-37 and incorporating CNSSI 1253 www.dcsa.mil/portals/9… and NIST SP 800-53

  • FedRAMP: The Federal Risk and Authorization Management Program was established in December 2011 by the Office of Management and Budget (OMB) memorandum “Security Authorization of Information Systems in Cloud Computing Environments.”


All content, unless otherwise noted, is licensed CC-BY-SA 4.0: https://creativecommons.org/licenses/by-sa/4.0/