Case Study: A Journey Toward CMMC Compliance

Author: Mick Brady
Date Published: 30 April 2021

Peerless Tech Solutions[1] is a managed service provider that specializes in support for government contractor clients. As a federal contractor in its own right, Peerless, in late 2019, began an internal project to prepare itself for compliance with Cybersecurity Maturity Model Certification (CMMC), a new US Department of Defense (DoD) standard for handling Controlled Unclassified Information (CUI).[2]

One of the major challenges Peerless faced was lack of a road map. Since few enterprises had begun working toward CMMC compliance, it was nearly impossible to find one willing to share information. Also, there was limited support from vendors supplying related security and data management services. Peerless had in-house engineering support, but it wanted to expand its understanding of how the technologies it was already using might fit into the compliance regulations.

Peerless undertook an internal gap assessment to establish a baseline and then implemented a phased project, evaluating internal and external applications and selecting the best options to address the gaps. As a result, Peerless is currently meeting 101/130 (77.7 percent) of the controls required for CMMC Maturity Level 3. It is on track to complete the remaining requirements by the end of 2021. Its compliance project resulted in improved internal security and education of its staff on the new US federal regulations for handling sensitive information, and it has prepared Peerless to be ready to assist clients in preparing for CMMC assessments when they begin.

All About Compliance

Peerless’s Federal Services Division has been a part of the enterprise since its beginning. The knowledge Peerless gained as it supported the DoD through its prime contractors led it to tailor its services for the compliance vertical. It later expanded to offer managed security services. As a managed security services provider (MSSP), it currently supports all levels of compliance, providing clients with initial assessments, remediation efforts, and ongoing support and maintenance services.

Among Peerless’s responsibilities as a US federal contractor is ensuring that sensitive data are handled appropriately. All US federal contractors are subject to regulations governing CUI.

CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies…,” according to the DoD-approved CMMC framework document.[3]

Vendors must protect their supply chains if they want to qualify for US federal government contracts, because the data they create and handle for the government is sensitive before the government ever takes delivery of it, and some of it may later be classified.

In 2016, the DoD mandated adherence to a new set of regulations in the US Defense Federal Acquisition Regulation Supplement (DFARS). Clause 252.204-7012, usually shortened to “7012,”[4] requires contractors that handle CUI to implement the security requirements of US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171[5] and to report cyber incidents.

“NIST, for all its worth, is a great baseline—but it allows companies to create a base System Security Plan (SSP) and then a plan of action and milestones (POA&M) to push remediation efforts down the road,” noted Peerless Managing Partner Brian Seeling. “This was planned, as it gave companies time to implement these new security standards internally.”

An unintended consequence, however, was that four years later, few organizations actually had carried out their plans of action or hit their milestones. Many had not even created a POA&M, said Seeling. Those circumstances led to the birth of CMMC.

CMMC Framework

The US Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD[A&S]) developed CMMC as a consolidated cybersecurity standard to ensure that DoD contractors would have adequate controls in place to protect CUI and other sensitive data.

Following months of delay due to the coronavirus pandemic, DoD published the interim rule (DFARS Case 2019-D041) in the Federal Register on 29 September 2020.[6] After a 60-day comment period, it took effect on 30 November 2020.[7] Going forward, CMMC will be mandatory for entities doing business with the DoD as the requirement is written into contracts, with verification of compliance via a third-party assessment by a certified assessor.[8]


The CMMC framework includes processes and best practices drawn from multiple cybersecurity standards and frameworks. It incorporates inputs from Defense Industrial Base (DIB) and DoD stakeholders. The processes and practices are organized into a set of domains and mapped across five levels. Within each domain, practices are aligned with specific capabilities (figure 1).

Figure 1
Source: This publication incorporates Figure 1. CMMC Model Framework (Simplified Hierarchical View). © 2020 Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC, with special permission from its Software Engineering Institute. This publication has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute or Johns Hopkins University Applied Physics Laboratory LLC. Carnegie Mellon is a registered trademark of Carnegie Mellon University.

For example, an enterprise working on meeting the practices in, say, the Awareness and Training domain might establish a process for staff training that includes developing policies for documenting CUI. It might add capability by licensing a video training module from a third-party provider. Practices could include tracking progress by monitoring when staff complete those trainings and how they score on a test at the end. The enterprise’s maturity with respect to the relevant processes, capabilities and practices for any given domain would be assessed in terms of levels of achievement (figure 2).

Figure 2
Source: This publication incorporates Figure 2. CMMC Levels and Descriptions on page 4 from “Cybersecurity Maturity Model Certification (CMMC) Version 1.02”. © 2020 Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC, with special permission from its Software Engineering Institute. This publication has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute or Johns Hopkins University Applied Physics Laboratory LLC. Carnegie Mellon is a registered trademark of Carnegie Mellon University.

OUSD(A&S) built CMMC not only with the goal of protecting sensitive data, but also to provide enterprises with a pathway to improving their own overall cybersecurity postures, Seeling pointed out. “This is why it was designed to have levels—to give orgs a starting point, then work toward the next level.”

CMMC is meant to be used as a federal contract award prerequisite. Its multiple maturity levels range from “Basic Cyber Hygiene” to “Advanced/Progressive.”

“Process maturity or process institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization,” states the framework documentation. “The more deeply ingrained an activity, the more likely it is that:

  • An organization will continue to perform the activity—including under times of stress, and
  • The outcomes will be consistent, repeatable and of high quality.”[9]

The levels, processes and practices are cumulative. An enterprise must demonstrate achievement of all lower levels before advancing to a higher one. By advancing through the levels itself, Peerless gained valuable insights that it can share with clients when CMMC assessments begin.

Peerless’s experience enables it to conduct what Seeling referred to as “a pre-assessment assessment.” Once the official assessments begin, enterprises will be under pressure to make sure they have met all the controls required for the maturity level they are seeking. The assessors may grant some additional time for enterprises to fix controls they missed, but a pre-assessment would help avoid that problem.

“We’d hate for people to waste money on assessment, because it’s going to cost money,” Seeling said. “If they’re not ready or even close to being ready, there are guidelines around how to achieve each control.”

Sights Set on Maturity Level 3

“After watching CMMC develop and how the process would work, we saw a tremendous opportunity to gain market share if we prepped to be first in line for the CMMC audits once they became available,” Seeling said.

Based on DoD estimates, there are “approximately 350,000 known defense contractors at all levels of the supply chain,” noted Adam Burke, director of marketing at Peerless. “This number will ebb and flow depending on the ever-changing state of the DIB.”

There were two major factors driving Peerless’s decision to achieve CMMC compliance internally. The first was its need to fulfill prime contracts in support of its customers’ missions to service the DoD. The second factor was speculation that if a contractor wanted to outsource managed service provider (MSP)/managed security service provider (MSSP) services to Peerless, then Peerless would have to be certified at the same level.

“So if we want to support Level 3 CMMC contractors, then we will have to be Level 3 CMMC as well,” said Seeling. “This has not been written into law yet, but the assumption is it will be once things become final.”

CMMC is an iterative process, starting at Maturity Level 1 and advancing through the five established levels. Achieving Maturity Level 3 compliance is the initial target for Peerless, “because that will be the highest level most of our market will be targeting,” said Burke.

“Levels 4 and 5 are not coming into play yet, but will be in the future,” noted Seeling. “Once that happens, we will determine if moving up makes sense.”

Gap Analysis Revelations

Since the CMMC framework was not yet finalized at the onset of its project, Peerless’s goal of achieving Maturity Level 3 compliance was “like trying to hit a moving target,” Seeling remarked.

Searching for a vendor that had gone through the process and was willing to share information turned out to be unproductive. “Based on our internal data, looking at the pool of clients and prospects we communicated with from 2016, we encountered only about 8 percent who were actively compliant,” noted Burke.

“Not many support the level of security that is required,” added Seeling. “We decided to focus on what we know—which is NIST 800-171 and the additional paragraphs C-G in 7012—to use as a baseline.”

Peerless had already achieved compliance with NIST 800-171 and was working toward checking off items on its POA&M, incorporating them into its own cyber program, before the emergence of CMMC, he pointed out. “Later, it came out that CMMC would follow all 110 controls from NIST plus 20 additional.”

Peerless’s project team began by creating its own road map. The first step was to conduct an internal gap analysis, a comparison of the enterprise’s current state against its target state that identifies the shortfalls and shows where time, money and labor are best spent to close them. In this case, Peerless wanted to find out how far or close it was to meeting minimum CMMC requirements.

The internal team that conducted the analysis was the same team that performs assessments for Peerless’s clients. Team members closely examined the enterprise’s network and procedures for any system setup that would not meet the CMMC criteria.


Their purview included information access, relevant capabilities of information system administrators and managers, data storage, security controls, and incident response planning. The goal was to identify any shortfalls that might necessitate changes to meet Maturity Level 3 CMMC requirements.

It was essential to understand how each of the 110 NIST SP 800-171 security requirements is assessed and how to remediate any that fell short. The team worked from the NIST SP 800-171 DoD Assessment Methodology,[10] the DoD guide for assessing implementation of the SP 800-171 CUI requirements, and made sure that evidence was on file for every requirement that was fully met.

Those that were not met, or only partially met, were moved to Peerless’s POA&M, and realistic timelines were set for completion. The team then identified the changes that would be necessary to move Peerless closer to its goal of Maturity Level 3 compliance (figure 3).

Figure 3

Documentation of policies was found to be one area that would require substantial effort. Peerless was confident in its internal expertise to handle most situations, but it had not created written policies for most of the control requirements.

At the time of its internal assessment, Peerless had no clear mobile strategy. Development of a mobile device management plan and associated policies would be necessary.

The gap assessment team found that clear boundaries were not in place for accessing CUI or potential CUI data. Its access control would need to be redefined and corrected. Further, staff were not fully trained to understand how to recognize potential CUI, or how to respond if an incident should pose an exposure risk. Another issue the gap analysis uncovered was the inconsistent use of two-factor authentication (2FA). It was deployed only when convenient to implement, rather than across the enterprise.

Figure 4

Finally, the gap analysis enabled Peerless to home in on the biggest question it needed to resolve: whether to migrate to Microsoft’s Government Community Cloud High (GCC High) environment, or to stay within its Government Community Cloud (GCC) or commercial cloud. Starting in the correct cloud would save time and money down the road.

Road Map to Compliance

Before crafting its action plan, Peerless sought to gain an understanding of how everyone involved would be affected by the changes. It had determined that its goals would be served best by moving to GCC High, which would become the new base for its internal environment. It presented its GCC High migration plan to stakeholders for initial review. Once all the parties bought in, Peerless finalized its road map (figure 4):

  • Phase 1 was the gap assessment, the first step in any compliance road map.
  • Phase 2 was deployment of 2FA across all systems of access and migration to GCC High.
  • Phase 3 (one week) was mobile device management deployment, which was not as intense or disruptive, because Microsoft’s Intune product made the process relatively easy, Burke said. Peerless purchased company-owned devices for its senior staff and developed two mobile device management policies.
  • Phase 4 (three weeks) was staff retraining. Peerless conducted staff training throughout each phase, but once the migrations were completed, it retrained again to incorporate how to identify CUI and handle it moving forward.
  • Phase 5 (two weeks) was documentation of changes and the introduction of security policies. These changes were implemented last because making them first would have doubled the work. Peerless wanted to understand what its needs were before developing any new policies, as its needs were sure to change during the course of the project.
  • Phase 6 (two weeks) was testing to ensure that changes were in place and functioning properly, and conducting a final assessment to validate the results.

Figure 5

“With us already being a solution provider, understanding our own internal infrastructure and dedicating resources to the project, we were able to have an aggressive timeline,” noted Seeling (figure 5). “Unless you have the expertise in house, this will not be a common occurrence.”

An enterprise seeking certification as a DoD contractor needs to provide CMMC assessors with documentation showing implementation of the necessary controls. A good documentation tool is key. Also important is a scanning tool that reports security gaps within the systems, said Seeling.

The team evaluated internal and external applications for alignment with Peerless’s approach to doing business—“Things like a SIEM [security information and event management] tool, 2FA vendors, and even who to use for background checks when we have new hires,” noted Burke.

Peerless selected the options that made operational sense. “Because where the data resides is a big point of emphasis, typically tools or applications that meet the security requirements are less functional with other applications,” explained Burke. “For example, Microsoft’s GCC cloud is not as compatible with third parties as the MS commercial cloud, making it difficult to connect other business applications, like customer relationship management (CRM) and accounting or human resources (HR) software.”

The gap assessment took about four to six weeks, Seeling recalled. “The biggest gaps were written policies and procedures. We had most of the technology points covered, but the documentation was lacking.”

Key Challenges

Peerless encountered its most daunting challenges during the third and fourth phases of its Maturity Level 3 compliance journey, as it sought to retrain its employees and to deploy stricter security measures.

Staff retraining turned out to be a significant hurdle for Peerless to clear. Changes needed to be made in data and information processing methods—“for one, how to identify potential CUI, and then how to handle it once it was identified,” said Burke.

Potential CUI can reside almost anywhere in an enterprise—in electronic files, emails, email attachments, proprietary information, blueprints and paper files. For example, the design of a widget sold to the military for use in an aircraft could be CUI. “While seemingly insignificant compared to the specifications for a weapons system, it is not something you would want falling into the wrong hands, and it should be protected,” according to Peerless.[11]

For some employees, a change in mindset was necessary for them to see the CUI crossing their desks and computer screens. Staff “had to start asking themselves better questions around the data they were handling,” Seeling said.


For example, Burke suggested, “If this information were to get out, would it be damaging to the customer, Peerless or a DoD agency?”

Another major challenge for Peerless was meeting the CMMC requirement to implement a SIEM system. The requirement is implicit rather than stated outright: the Level 3 audit and accountability practices call for collecting audit logs into one or more central repositories and for correlating their review, analysis and reporting, without naming a product class. A SIEM is a central repository for system logs (e.g., operating system logs, network device logs, firewall logs). It analyzes them, sends out alerts and enables the creation of reports.[12]

For enterprises lacking a deep understanding of the workings of risk management, incident response, and systems and communication protection tools, meeting the requirements set out in the CMMC framework would be difficult, observed Seeling, and achieving compliance in those areas likely would require the biggest resource investments.

How Key Challenges Were Met

The retraining effort involved communicating to staff an “understanding of what and why,” said Seeling. “We need to protect this data, as it is a matter of national security.”

Some employees did not have a clear understanding of the gravity of the enterprise’s operations and the critical nature of the services it provides.

“Most of those online training sources do not have a specific course about CUI—sensitive data maybe, but not CUI,” noted Seeling. A further consideration is that CUI is specific to every enterprise.

“Things coming from the government are easy to identify, but things that we create in house aren’t as easily identified. So, we needed to have a review session with our staff working on those projects so they could understand what could be potential CUI. We erred on the side of caution and labeled specific programs as such, with all data pertaining to that program being considered CUI,” he explained.

“Giving them a clear definition helped, which then gave us buy-in from the staff,” recalled Seeling. For training purposes, Peerless defined CUI as “information that’s unclassified and not strictly regulated by the federal government but is sensitive and needs safeguarding.”[13]

Peerless provided training on the changes to all staff, and additional training to those handling CUI, including an internal written document and online training, noted Burke.

Security awareness training is a control group outlined in CMMC. Peerless’s training covered phishing scams in emails, how to report incidents, how to determine which information was CUI and how to handle it.


The second challenge was standing up the SIEM itself. “There are additional controls about reporting and logging an incident, which a SIEM helps to centralize,” Burke said.

To implement SIEM, a chain of processes needs to be deployed. “First you have to identify the data ingestion sources. Then, once the data are pointed to the tool, you then have to fine-tune and test alerting so that you are not inundated with false positives. This part takes time and is specific to each organization. Then a plan of acting on those alerts needs to be identified and documented,” Burke explained.
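The ingestion, tuning and response steps Burke lists, carried through in code as an added example (this is not tooling from Peerless or from any SIEM vendor). It normalizes constructed log lines from two assumed sources, a Linux sshd log and a simplified Windows logon-failure record, into one schema, applies a brute-force rule over a sliding time window, suppresses an assumed authorized-scanner address so it does not generate false positives, and attaches the documented response action to each alert. All hostnames, addresses and the playbook reference are assumptions made for the example.

```python
"""Miniature SIEM pipeline over constructed log lines (added example; not
Peerless tooling). Steps: ingest from named sources, normalize to one schema,
detect with a tuned rule, attach the documented response to each alert."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Step 1: ingestion sources. Both line formats are constructed for this
# example (a Linux sshd failure and a simplified Windows 4625 logon failure).
SSHD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ EventID=4625 "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>[\d.]+)"
)
SOURCES = (("sshd", SSHD_RE), ("windows", WIN_RE))


@dataclass(frozen=True)
class AuthFailure:
    ts: datetime
    user: str
    src: str
    source: str  # which ingestion source the event came from


def normalize(line):
    """Map one raw line onto the common schema; None if no source matches."""
    for source, rx in SOURCES:
        m = rx.match(line)
        if m:
            return AuthFailure(datetime.fromisoformat(m["ts"]), m["user"], m["src"], source)
    return None


@dataclass(frozen=True)
class Rule:
    """Tuning knobs. The allowlist is where an authorized vulnerability
    scanner (assumed address 10.0.0.50) is suppressed to avoid false positives."""
    threshold: int = 5
    window: timedelta = timedelta(minutes=5)
    allowlist: frozenset = frozenset({"10.0.0.50"})
    # Assumed playbook reference: the documented plan for acting on the alert.
    response: str = ("IR-PLAYBOOK-BRUTEFORCE: block source at the firewall, "
                     "force a password reset for targeted accounts, open a ticket")


def detect_bruteforce(lines, rule=Rule()):
    """Return one alert per source IP whose failures within any sliding window
    of rule.window reach rule.threshold, skipping allowlisted sources."""
    events = sorted((e for e in map(normalize, lines) if e is not None), key=lambda e: e.ts)
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        if src in rule.allowlist:
            continue
        best, start = None, 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > rule.window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= rule.threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:  # one alert per source per run, so a spray does not become an alert storm
            count, start, end = best
            span = evs[start:end + 1]
            alerts.append({
                "src": src,
                "count": count,
                "users": sorted({x.user for x in span}),
                "sources": sorted({x.source for x in span}),
                "first": span[0].ts.isoformat(),
                "last": span[-1].ts.isoformat(),
                "response": rule.response,
            })
    return alerts


# Constructed sample: 203.0.113.7 sprays a Linux host and a Windows DC,
# 10.0.0.50 is the assumed authorized scanner, 192.0.2.10 is a user mistyping.
SAMPLE_LOGS = [
    "2021-03-01T09:00:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "2021-03-01T09:00:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "2021-03-01T09:00:09 web1 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2",
    "2021-03-01T09:00:30 dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2021-03-01T09:00:31 dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2021-03-01T09:01:02 dc01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7",
    "2021-03-01T09:10:00 web1 sshd[2300]: Failed password for alice from 192.0.2.10 port 40000 ssh2",
    "2021-03-01T09:10:20 web1 sshd[2300]: Failed password for alice from 192.0.2.10 port 40001 ssh2",
    "2021-03-01T09:15:00 web1 sshd[2400]: Failed password for invalid user scan from 10.0.0.50 port 3000 ssh2",
    "2021-03-01T09:15:10 web1 sshd[2400]: Failed password for invalid user scan from 10.0.0.50 port 3001 ssh2",
    "2021-03-01T09:15:20 web1 sshd[2400]: Failed password for invalid user scan from 10.0.0.50 port 3002 ssh2",
    "2021-03-01T09:15:30 web1 sshd[2400]: Failed password for invalid user scan from 10.0.0.50 port 3003 ssh2",
    "2021-03-01T09:15:40 web1 sshd[2400]: Failed password for invalid user scan from 10.0.0.50 port 3004 ssh2",
    "2021-03-01T09:20:00 web1 sshd[2500]: Accepted password for alice from 192.0.2.10 port 40002 ssh2",  # ignored
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

Running it with the default rule yields a single alert for 203.0.113.7 spanning both sources, which is the point of normalizing before detecting: neither host alone crosses the threshold. Passing `Rule(allowlist=frozenset())` reproduces the untuned state Burke warns about, in which the scanner also pages the on-call.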

Ready for Assessments

Peerless has achieved the goals it set for preparing to meet CMMC Maturity Level 3 requirements.

“The assessments have not started yet,” Seeling pointed out, “so, technically, we are not CMMC-compliant, but we are prepared for when the assessments take place.”

CMMC is already turning up in contract language, noted Seeling. “In fact, the US Veterans Administration (VA) has a handful of new contracts that have CMMC language in them. It will start to appear in new requests for proposals (RFPs) starting now and, as the old bids expire, the rebids will include such language.”

Further, Peerless’s staff now have a better understanding of how they should handle sensitive information, Seeling added, and what conduct is appropriate when working for a US federal contracting firm.

CMMC Compliance Costs and Benefits

Figure 6

Despite the nascent state of the CMMC rule, Peerless can already see concrete benefits that balance the costs it incurred as a result of the steps it took toward achieving Maturity Level 3 compliance (figure 6).

Perhaps the greatest advantage that accompanies preparation for CMMC compliance is reducing an enterprise’s risk of data breaches, including those resulting from nation-state threats and those carried out by insiders.

Safeguarding data is the ultimate purpose of CMMC, because a compromise of any government contractor’s data or network, including Peerless’s, can have direct consequences for personnel in military and other government service roles.

CMMC is not “just a regulation,” said Burke. If sensitive data “were to fall into foreign adversaries’ hands, it can have real-world impact—negative impact—against people with boots on the ground.”

CMMC compliance comes with a cost that government contractors cannot avoid, as compliance will be mandatory.

“We actually lost some efficiencies along the way to increase security,” Seeling noted. In some ways, “It actually was a negative to our business.” For example, “We had to move to a cloud that has less features, that is more secure, that is less robust, less convenient.”

However, having faced the financial and, in some cases, operational burdens that came with its quest for compliance has given Peerless the ability to support its clients on a deeper level.

“From a commercial perspective, this allows us to show that we ‘eat our own cooking’ and know what we are selling,” Burke said.

Understanding the heartburn clients are likely to experience and the level of effort that will be required to meet their goals is a business benefit in Peerless’s view.

“Until you experience something, it’s hard to explain it,” said Seeling. “It’s hard to articulate it. But now we’ve been through it, so we can very easily have a very good idea of what to expect. And that information can be disseminated to our customers as we support them in the future.”

Meeting CMMC also moves an enterprise toward compliance with other frameworks and regulations whose requirements overlap with it, including other NIST publications, standards from the International Organization for Standardization (ISO), the US Health Insurance Portability and Accountability Act (HIPAA), the US Federal Information Security Management Act of 2002 (FISMA), and the US Sarbanes-Oxley Act of 2002 (SOX).

Contractors who can respond to RFPs and requests for information (RFIs) with evidence of CMMC certification will have a competitive advantage, gaining a position near the front of the line for new DoD contracts.

“It allows us to bid on contracts that would otherwise be unobtainable under the current regulations,” said Burke. DoD contracts typically run five years. That means potentially gaining five years of recurring revenue while market competitors play catch-up. By meeting the requirements, “we can provide direct examples of how we are able to help our clients gain a competitive advantage and win new contracts.”

Endnotes

1 Peerless Tech Solutions, www.getpeerless.com/
2 US Department of Defense, “Defense Acquisition Regulations System,” Federal Register, 29 September 2020, www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf
3 Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC, Cybersecurity Maturity Model Certification (CMMC), Version 1.02, 18 March 2020, www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
4 Office of the Under Secretary of Defense for Acquisition and Sustainment, Safeguarding Covered Defense Information and Cyber Incident Reporting, USA, December 2019, www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
5 Ross, R.; P. Viscuso; G. Guissanie; K. Dempsey; M. Riddle; “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” National Institute of Standards and Technology, USA, June 2015 (updated 14 January 2016), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
6 National Archives, “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041),” Federal Register, USA, 29 September 2020, www.federalregister.gov/documents/2020/09/29/2020-21123/defensefederal-acquisition-regulation-supplement-assessing-contractor-implementation-of
7 Barnett, J.; “Final CMMC acquisition Rule Goes Into Effect,” FedScoop, 1 December 2020, www.fedscoop.com/cmmc-rule-change-goes-effect/
8 Peerless, “The Complete Guide to Cybersecurity Maturity Model Certification,” www.getpeerless.com/guide-to-cybersecurity-maturity-model-certification
9 Op cit Carnegie Mellon University
10 US Department of Defense, “NIST SP 800-171 DoD Assessment Methodology, Version 1.2,” 10 June 2020, www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2%20%206.24.2020.pdf
11 Ibid.
12 Salmans, B.; “Does CMMC Require a SIEM?” Nugget Blog, 1 October 2020, www.cbtnuggets.com/blog/cert-news/does-cmmc-require-a-siem
13 Peerless, “What Is CUI?” www.getpeerless.com/complete-guide-nist-800-171#section2

Mick Brady

Is a freelance technology communicator with more than 20 years of experience editing and writing for technology-focused publications.