The Cybersecurity Maturity Model Certification (CMMC) – A pocket guide
eBook - ePub

  1. 75 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

The United States DoD (Department of Defense) is one of the largest employers in the world, with about 2.87 million employees. It spends more than a year among more than 350,000 contractors and subcontractors throughout its supply chain.

Information in the DoD network is shared digitally across the contractor and subcontractor supply chain, offering an irresistible target for nation-states and cyber criminals.

Protecting the DoD supply chain

The CMMC was developed to step up measures for protecting the DoD supply chain. Its objectives are to standardize cybersecurity controls and ensure that effective measures are in place to protect CUI (Controlled Unclassified Information) on contractor systems and networks.

All companies doing business with the DoD, including subcontractors, must become certified by an independent third-party commercial certification organization.

Your essential guide to understanding the CMMC

To help you get to grips with the CMMC, this essential pocket guide covers:

  • What the CMMC is and why it has been introduced
  • Who needs to comply with the CMMC
  • The implementation process
  • The road to certification
  • CMMC implications for firms doing business with the US government

Suitable for senior management and the C-suite, general or legal counsel, IT executives, IT organizations, and IT and security students, this pocket guide will give you a solid introduction to the CMMC and its requirements.

About the author

William Gamble is an international cybersecurity and privacy compliance expert. He is one of the few lawyers to hold advanced cybersecurity professional qualifications, and has an in-depth understanding of the design, management, and deployment of technology within the ISO 27001 framework.

With more than 30 years' experience of international regulatory practice in the U.S., EU, China, and other countries, William has had hundreds of articles published globally, written three books, and appeared on numerous radio and television programs around the world.

William is a member of the Florida Bar and several federal courts. His qualifications include Juris Doctor (JD), Master of Laws (LLM), CompTIA® A+, Network+, Security+, CASP (Advanced Security Practitioner), ISO 27001 Lead Auditor and Lead Implementer, and GDPR Practitioner (GDPR P).

CHAPTER 1: AN INTRODUCTION TO THE US DEPARTMENT OF DEFENSE DIGITAL SUPPLY CHAIN

The US Department of Defense (DoD) is one of the largest employers in the world. It employs about 2.87 million people1 and, for the 2021 fiscal year, has a base budget of $671 billion plus a $69 billion budget for overseas contingency operations.2 It also engages about 350,000 contractors.
These contractors represent the Department’s supply chain. They also present a security risk – a problem familiar to many businesses. Supply chains need to be managed to be efficient, economical and effective. One objective is to avoid single points of failure, because like a regular chain, a supply chain is only as strong as its weakest link.
This concept has not gone unnoticed by cyber thieves. For any information to have value, it must be shared. Information is shared widely across digital supply chains, offering criminals a major opportunity to steal it.
Cyber thieves, whether they are large criminal organizations or foreign adversarial governments, try to be efficient. Attacking a large, well-defended organization can be a frustrating and costly endeavor. Rather than targeting the organization directly, they have found that it is far easier and cheaper to go after contractors and partners, which are often less secure and can be used to gain a foothold in the main target’s networks.
This method has been used very successfully against a number of large corporations and has been responsible for many of the largest cybersecurity breaches. Take the example of Target. In 2013, the US retailer lost the credit and debit card information of more than 40 million shoppers who had visited the store during the holiday season. The total cost of the data breach, according to Target, was $202 million.3
The criminals did not directly attack Target, instead targeting a vendor to gain access. A simple Google search of Target’s supplier portal provided the hackers with a wealth of information about vendors and suppliers, including how to interact with the company, submit invoices, etc. They used this list to surveil contractors and, using a simple phishing email, managed to trick an employee of refrigeration contractor Fazio Mechanical into downloading malware. Once installed, it was simply a matter of time before the criminals were able to gain access to Target’s customer database.
Target is not alone; “The average enterprise connects to 1,586 partners via the cloud”,4 but often vastly underestimates the risk from these partners, which can include vendors, suppliers, agencies, consultants, and any company with which it does business. While larger enterprises tend to have extensive security infrastructure, smaller companies in the supply chain often have fewer measures in place, leaving them open to breaches. This allows the criminal to gain a foothold in a partner’s network, and from there infiltrate bigger targets.
The problem with the DoD is infinitely larger. It connects with partners all over the world, each of which represents a major security risk for the keeper of the US’s most precious secrets.
To address the issue, in 2015 the DoD wrote a regulation: 48 CFR § 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting. Its purpose was to codify contractors’ cybersecurity responsibilities and procedures by altering the contractual requirements implemented through the Federal Acquisition Regulation (FAR) and Defense FAR Supplement (DFARS).
The regulation, generally referred to as DFARS 252.204-7012 or DFARS 7012, requires all DoD contractors to “provide adequate security on all covered contractor information systems.”5 It defines ‘adequate security’ as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”6 Furthermore, covered contractor information systems that are not part of an IT service or system operated on behalf of the US government “shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations’.”7
NIST SP 800-171 is a codification of the requirements that any non-federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems. This document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate-level requirements. The first version was promulgated in 2015. Revision 2 came out in February 2020.
NIST SP 800-171 is a list of controls taken from NIST SP 800-53 Rev. 4. It includes 110 controls in 14 security families. It is generally considered a condensed version of NIST SP 800-53, which is a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations, organizational assets, individuals, other organizations, and the nation from a diverse set of threats, including hostile cyber attacks, natural disasters, structural failures, and human errors. In short, everything.
In contrast, NIST SP 800-171 is more focused. It is meant to protect the confidentiality of CUI when the CUI is resident in non-federal (private) information systems and organizations. CUI includes numerous categories. It may not be considered classified, but it is still exceptionally important and can be very sensitive. CUI categories include:
  • Critical infrastructure
  • Government financial information
  • Immigration information
  • Intelligence information
  • Law enforcement information
  • Criminal records
  • Nuclear information
  • Patent applications
  • Health information
  • Taxpayer information, and many others8
DFARS 252.204-7012 required contractors to implement NIST SP 800-171 as soon as practical, but they had to demonstrate implementation by December 31, 2017. However, despite potential penalties such as contract revocation, this requirement was largely ignored and many contractors did not adopt NIST SP 800-171.
The DoD tried to incentivize them, with contractors that adopted NIST SP 800-171 considered to have a competitive advantage within the contract awards process. Nevertheless, many chose to put off compliance. Worse, there are even reported cases of DoD contractors falsely stating that they were NIST SP 800-171 compliant on DoD contracts.

The Cybersecurity Maturity Model Certification (CMMC)

Published in January 2020, the CMMC verifies that contractors have adopted the NIST SP 800-171 framework and are meeting essential cybersecurity requirements before the contract is awarded. The CMMC is not a self-certification program; instead, all companies conducting business with the DoD, including subcontractors, must be certified by an independent third-party commercial certification organization.
To create the CMMC program, the DoD (specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))) partnered with Carnegie Mellon University Software Engineering Institute (SEI), Johns Hopkins University Applied Physics Laboratory (APL) and the CMMC Center of Excellence (CMMC-COE)/IT Acquisition Advisory Council (IT-AAC).
The CMMC program relies on several other cybersecurity models such as the NIST Cybersecurity Framework, ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS). Government agencies are already subject to the Federal Information Security Management Act (FISMA), which outlines mandatory guidelines to strengthen the security of government information systems. The Act requires each federal agency to develop, document, and implement an agency-wide program to secure the information and information systems that support the agency’s operations and assets.
FISMA is a certification and accreditation process. It is the source of the annual Federal Computer Security Report Card, which is a measure used to determine how well US agencies perform. The process is similar to the Federal Risk and Authorization Management Program (FedRAMP) in that both were developed as a framework for assessing agency security to give Authority to Operate (ATO), and both depend on the NIST guidelines. The frameworks have four similar phases:
  1. Initiation: Includes preparation, resource identification, and system analysis, including initial risk assessment, independent audit, and system testing. In the FedRAMP process this phase is called ‘Initiating’, and also involves applying for the assessment.
  2. Security Certification: Includes security control assessment and certification documentation. Under FISMA, entities must verify that system controls are properly implemented as outlined in the initiation phase. In contrast, under FedRAMP the assessment has to be made by an independent third-party assessment organization (3PAO).
  3. Security Accreditation: Includes accreditation decision and documentation. During this phase, entities must examine if the remaining risk, after implementing security controls in the previous phase, is acceptable. Under FISMA, the accreditation decision is made by an authorizing official (AO) who is a senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations. In FedRAMP, this decision is made by the FedRAMP Joint Authorization Board (JAB) or another certified agency.
  4. Continuous Monitoring: Includes system configuration, security management, monitoring, and reporting. This phase focuses on maintaining a high level of security by monitoring security controls, documenting any updates, and determining if any new vulnerabilities develop.
FedRAMP is reserved only for agencies or Cloud service providers that currently use or plan...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Contents
  5. About the Author
  6. Chapter 1: An introduction to the US Department of Defense digital supply chain
  7. Chapter 2: Terms and definitions
  8. Chapter 3: Who needs to comply with the CMMC?
  9. Chapter 4: CMMC implementation
  10. Chapter 5: The road to certification
  11. Chapter 6: CMMC implications
  12. Further reading