CMMC is scheduled to take effect in a few short weeks. One sentiment I keep hearing from the Defense Contracting community is “we will just need to get our cert and continue on with work…” Well. CMMC is not just a certification program, even though the certification is the part everyone focuses on. CMMC, built on NIST SP 800-171, establishes a framework for raising the “Maturity” of cybersecurity posture and practices across the Defense Industrial Base. Implementing the 110 requirements that make up NIST SP 800-171 is only the first step. CMMC imposes a continuous, ongoing obligation to maintain the practices that are certified at the initial assessment. One of the primary parts of the program, beyond the certification assessment itself, is an annual attestation (the rule calls it an affirmation) by a senior official of the company confirming that the practices certified by a C3PAO are still being followed…
Attest: the act of confirming or testifying that something is authentic, genuine, or true.
If you have any doubts about how important this step is, look at the Department of Justice’s Civil Cyber-Fraud Initiative, which uses the False Claims Act to pursue contractors that misrepresent their cybersecurity practices. A signed attestation is exactly the kind of statement the DoJ could rely on should the DoD find reason to believe a company falsely attested to the status of its certified processes.
Here are some (not all) of the processes and procedures that NIST SP 800-171 requires, that CMMC will certify, and that you will be attesting are being done regularly and continuously:
- Ongoing Assessment of Security Controls: Regularly validate that security controls are functioning as intended. This includes checking if policies are enforced and if controls meet the requirements of NIST SP 800-171. (3.12.1)
- Risk Management: Define and follow a schedule for assessing risks to operations, assets, and individuals regularly and upon significant changes in the system or environment. (3.11.1)
- System Component Inventory Management: Keeping an up-to-date inventory of all system components, which helps in identifying unauthorized devices and ensuring all assets are accounted for and patched appropriately. (3.4.1)
- Vulnerability Management: Identify system flaws through automated tools such as vulnerability scanners and by monitoring vendor security advisories, scanning periodically and again whenever new vulnerabilities affecting your systems are identified (3.11.2). Report and remediate those vulnerabilities within a specified timeframe (3.11.3).
- Audit Log Review: Periodically review and update the list of events being logged so that logging still captures what you need to detect unauthorized activity (3.3.3), and regularly review the logs themselves to confirm that only authorized personnel and entities are accessing controlled areas or data (3.3.1, 3.3.5).
- Incident Response and Event Analysis: Maintain an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response (3.6.1), and test that capability periodically (3.6.3). Day to day this means analyzing security alerts from your various tools, understanding the context of each alert, and taking appropriate action rather than letting anomalies sit unexamined.
- Change Management: Track, review, approve or disapprove, and log changes to your systems, such as software upgrades (3.4.3), and evaluate external changes (new regulations, new threats) for their effect on your security posture.
- Continuous Auditing: Monitor security controls on an ongoing basis to ensure they remain effective (3.12.3); real-time or near-real-time monitoring also reduces business losses and the cost of the periodic assessments.
- Reporting and Plans of Action: Give stakeholders reports on the organization’s security status, its standing against the required CMMC level, and the areas needing attention, and track every deficiency in a plan of action (POA&M) until it is corrected (3.12.2).
- Documentation and Evidence Gathering: Keep the System Security Plan current (3.12.4) and continuously collect evidence showing that controls are in place and functioning correctly.
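Before anyone signs the annual attestation, somebody has to answer a concrete question: is every one of these recurring activities actually current, and is there an artifact proving it? The script below is an added example (not code from the original post or from any CMMC tool) of how I would automate that check. It assumes a hypothetical evidence register in which each recurring practice is tagged with the NIST SP 800-171 requirement it supports, its cadence, the date it was last performed, the change events that force it to be re-performed (a risk assessment after a significant change, a scan after a new vulnerability is identified), and the location of its evidence. All dates, cadences and events are constructed for illustration.

```python
"""
Attestation-readiness check over a continuous-monitoring evidence register.

Each Activity is one recurring practice (keyed by the NIST SP 800-171
requirement it supports) with its cadence, the date it was last performed,
the change-event kinds that re-open it, and where the evidence lives.
evaluate() returns every gap a senior official should see before attesting.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Activity:
    control: str                     # NIST SP 800-171 requirement supported
    name: str
    cadence_days: Optional[int]      # None = event-driven only
    last_performed: Optional[date]   # None = never done
    triggers: Tuple[str, ...] = ()   # change-event kinds that re-open the activity
    evidence: str = ""               # ticket / report / log export proving it was done


@dataclass
class ChangeEvent:
    kind: str
    occurred: date
    description: str


@dataclass
class Finding:
    control: str
    activity: str
    reason: str
    days_overdue: int


def evaluate(register: List[Activity], events: List[ChangeEvent], as_of: date) -> List[Finding]:
    """Return every activity that is missed, stale after a trigger event, or unevidenced."""
    findings: List[Finding] = []
    for act in register:
        if act.last_performed is None:
            findings.append(Finding(act.control, act.name, "never performed", 0))
            continue
        # Scheduled cadence: overdue once as_of is past last_performed + cadence.
        if act.cadence_days is not None:
            due = act.last_performed + timedelta(days=act.cadence_days)
            if as_of > due:
                findings.append(Finding(act.control, act.name,
                                        f"cadence missed, was due {due}", (as_of - due).days))
        # Event-driven re-performance: a significant change after the last run re-opens it.
        for ev in events:
            if ev.kind in act.triggers and ev.occurred > act.last_performed:
                findings.append(Finding(act.control, act.name,
                                        f"not re-performed after {ev.kind} on {ev.occurred} ({ev.description})",
                                        (as_of - ev.occurred).days))
        # A practice you cannot evidence is a practice you cannot attest to.
        if not act.evidence:
            findings.append(Finding(act.control, act.name, "performed but no evidence artifact recorded", 0))
    return findings


def ready_to_attest(findings: List[Finding]) -> bool:
    return not findings


def report(findings: List[Finding]) -> str:
    """Human-readable summary, worst gaps first."""
    if not findings:
        return "READY: all monitored activities current and evidenced"
    lines = [f"NOT READY: {len(findings)} gap(s)"]
    for f in sorted(findings, key=lambda f: (-f.days_overdue, f.control)):
        lines.append(f"  [{f.control}] {f.activity}: {f.reason} ({f.days_overdue} days)")
    return "\n".join(lines)


# Constructed sample register and change log (illustrative values, not real data).
AS_OF = date(2024, 11, 15)
REGISTER = [
    Activity("3.12.1", "quarterly control self-assessment", 90, date(2024, 10, 1), (), "GRC-2024-Q3-assessment.pdf"),
    Activity("3.11.1", "risk assessment", 365, date(2024, 3, 10), ("major_change",), "RA-2024.docx"),
    Activity("3.11.2", "authenticated vulnerability scan", 30, date(2024, 11, 5), ("new_cve",), "scan-2024-11-05.csv"),
    Activity("3.3.3", "review of logged event list", 180, date(2024, 4, 20), (), "CHG-1187"),
    Activity("3.6.3", "incident response tabletop exercise", 365, None, (), ""),
    Activity("3.12.3", "weekly control monitoring review", 7, date(2024, 11, 12), (), ""),
    Activity("3.12.4", "System Security Plan update", 365, date(2024, 10, 20), ("major_change",), "SSP-v4.docx"),
]
EVENTS = [
    ChangeEvent("major_change", date(2024, 9, 15), "file server migrated to new enclave"),
    ChangeEvent("new_cve", date(2024, 11, 2), "vendor advisory for VPN appliance"),
]

if __name__ == "__main__":
    print(report(evaluate(REGISTER, EVENTS, AS_OF)))
```

Run as a script it prints a NOT READY report with four gaps: the risk assessment was never redone after the September migration, the logged-event review is 29 days past its six-month cadence, the incident response exercise has never been run, and the weekly monitoring review has no artifact behind it. The vulnerability scan passes because it was performed after the triggering advisory. Hooking a register like this to your ticketing or GRC system turns the annual attestation from a signature on faith into a signature on evidence.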
Continuous Monitoring in CMMC is not just about compliance but also about maintaining an effective cybersecurity posture over time, adapting to new threats, and ensuring that the security measures continue to protect the DoD’s Controlled Unclassified Information (CUI) adequately. These requirements are designed to ensure that your cybersecurity program remains robust, responsive, and aligned with CMMC and NIST SP 800-171 long after the C3PAO has left.